diff options
Diffstat (limited to 'data')
56 files changed, 1355 insertions, 251 deletions
diff --git a/data/config-mode-dependencies.json b/data/config-mode-dependencies.json index 9e943ba2c..ccee359d1 100644 --- a/data/config-mode-dependencies.json +++ b/data/config-mode-dependencies.json @@ -8,5 +8,25 @@ "ipsec": ["vpn_ipsec"], "openconnect": ["vpn_openconnect"], "sstp": ["vpn_sstp"] + }, + "qos": { + "bonding": ["interfaces-bonding"], + "bridge": ["interfaces-bridge"], + "dummy": ["interfaces-dummy"], + "ethernet": ["interfaces-ethernet"], + "geneve": ["interfaces-geneve"], + "input": ["interfaces-input"], + "l2tpv3": ["interfaces-l2tpv3"], + "loopback": ["interfaces-loopback"], + "macsec": ["interfaces-macsec"], + "openvpn": ["interfaces-openvpn"], + "pppoe": ["interfaces-pppoe"], + "pseudo-ethernet": ["interfaces-pseudo-ethernet"], + "tunnel": ["interfaces-tunnel"], + "vti": ["interfaces-vti"], + "vxlan": ["interfaces-vxlan"], + "wireguard": ["interfaces-wireguard"], + "wireless": ["interfaces-wireless"], + "wwan": ["interfaces-wwan"] } } diff --git a/data/configd-include.json b/data/configd-include.json index 648655a8b..456211caa 100644 --- a/data/configd-include.json +++ b/data/configd-include.json @@ -74,6 +74,7 @@ "system-logs.py", "system-option.py", "system-proxy.py", +"system_sflow.py", "system_sysctl.py", "system-syslog.py", "system-timezone.py", diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json index a69cf55e9..c7c67198e 100644 --- a/data/op-mode-standardized.json +++ b/data/op-mode-standardized.json @@ -2,22 +2,28 @@ "accelppp.py", "bgp.py", "bridge.py", +"config_mgmt.py", "conntrack.py", "container.py", "cpu.py", "dhcp.py", "dns.py", +"interfaces.py", +"lldp.py", "log.py", "memory.py", "nat.py", "neighbor.py", +"nhrp.py", "openconnect.py", "openvpn.py", +"reset_vpn.py", "route.py", "system.py", "ipsec.py", "storage.py", "uptime.py", "version.py", -"vrf.py" +"vrf.py", +"zone.py" ] diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2 index 0bef4ad69..f7511e445 100644 --- a/data/templates/accel-ppp/config_ip_pool.j2 +++ b/data/templates/accel-ppp/config_ip_pool.j2 @@ -11,4 +11,14 @@ gw-ip-address={{ gateway_address }} {{ subnet }} {% endfor %} {% endif %} -{% endif %} +{% if client_ip_pool.name is vyos_defined %} +{% for pool, pool_config in client_ip_pool.name.items() %} +{% if pool_config.subnet is vyos_defined %} +{{ pool_config.subnet }},name={{ pool }} +{% endif %} +{% if pool_config.gateway_address is vyos_defined %} +gw-ip-address={{ pool_config.gateway_address }} +{% endif %} +{% endfor %} +{% endif %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/config_shaper_radius.j2 b/data/templates/accel-ppp/config_shaper_radius.j2 index 942cdf132..0cf6a6a92 100644 --- a/data/templates/accel-ppp/config_shaper_radius.j2 +++ b/data/templates/accel-ppp/config_shaper_radius.j2 @@ -1,7 +1,7 @@ -{% if authentication.mode is vyos_defined('radius') %} -{% if authentication.radius.rate_limit.enable is vyos_defined %} +{% if authentication.mode is vyos_defined('radius') or shaper is vyos_defined %} [shaper] verbose=1 +{% if authentication.radius.rate_limit.enable is vyos_defined %} attr={{ authentication.radius.rate_limit.attribute }} {% if authentication.radius.rate_limit.vendor is vyos_defined %} vendor={{ authentication.radius.rate_limit.vendor }} @@ -10,4 +10,10 @@ vendor={{ authentication.radius.rate_limit.vendor }} rate-multiplier={{ authentication.radius.rate_limit.multiplier }} {% endif %} {% endif %} -{% endif %} +{% if shaper is vyos_defined %} +{% if shaper.fwmark is vyos_defined %} +fwmark={{ shaper.fwmark }} +down-limiter=htb +{% endif %} +{% endif %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index 99227ea33..add3dc7e4 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -25,7 +25,7 @@ verbose=1 {% for iface, iface_config in interface.items() %} {% set tmp = 'interface=' %} {% if iface_config.vlan is vyos_defined %} -{% set tmp = tmp ~ 're:' ~ iface ~ '\.\d+' %} +{% set tmp = tmp ~ 're:^' ~ iface ~ '\.' ~ iface_config.vlan | range_to_regex ~ '$' %} {% else %} {% set tmp = tmp ~ iface %} {% endif %} @@ -35,38 +35,49 @@ verbose=1 {% elif iface_config.network is vyos_defined('vlan') %} {% set shared = 'shared=0,' %} {% endif %} -{{ tmp }},{{ shared }}mode={{ iface_config.mode | upper }},ifcfg=1,range={{ iface_config.client_subnet }},start=dhcpv4,ipv6=1 +{% set range = 'range=' ~ iface_config.client_subnet ~ ',' if iface_config.client_subnet is vyos_defined else '' %} +{{ tmp }},{{ shared }}mode={{ iface_config.mode | upper }},ifcfg=1,{{ range }}start=dhcpv4,ipv6=1 +{% if iface_config.vlan is vyos_defined %} +vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }} +{% endif %} {% endfor %} {% endif %} {% if authentication.mode is vyos_defined('noauth') %} noauth=1 -{% if client_ip_pool.name is vyos_defined %} +{% elif authentication.mode is vyos_defined('local') %} +username=ifname +password=csid +{% endif %} +{% if client_ip_pool.name is vyos_defined %} +{% if first_named_pool is vyos_defined %} +ip-pool={{ first_named_pool }} +{% else %} {% for pool, pool_options in client_ip_pool.name.items() %} -{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} +{% if pool_options.subnet is vyos_defined %} ip-pool={{ pool }} -gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} {% endif %} {% endfor %} {% endif %} -{% elif authentication.mode is vyos_defined('local') %} -username=ifname -password=csid +{% for pool, pool_options in client_ip_pool.name.items() %} +{% if pool_options.gateway_address is vyos_defined %} +gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} +{% endif %} +{% endfor %} {% endif %} proxy-arp=1 -{% for interface in interfaces %} -{% if (interface.shared == '0') and (interface.vlan_mon) %} -vlan-mon={{ interface.name }},{{ interface.vlan_mon | join(',') }} -{% endif %} -{% endfor %} - -{% if client_ip_pool.name is vyos_defined %} +{% if ordered_named_pools is vyos_defined %} [ip-pool] -{% for pool, pool_options in client_ip_pool.name.items() %} -{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} -{{ pool_options.subnet }},name={{ pool }} +{% for p in ordered_named_pools %} +{% for pool, pool_options in p.items() %} +{% set next_named_pool = ',next=' ~ pool_options.next_pool if pool_options.next_pool is vyos_defined else '' %} +{{ pool_options.subnet }},name={{ pool }}{{ next_named_pool }} +{% endfor %} +{% endfor %} +{% for p in ordered_named_pools %} +{% for pool, pool_options in p.items() %} gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} -{% endif %} +{% endfor %} {% endfor %} {% endif %} diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2 index 3d1e835a9..5914fd375 100644 --- a/data/templates/accel-ppp/l2tp.config.j2 +++ b/data/templates/accel-ppp/l2tp.config.j2 @@ -126,7 +126,13 @@ ipv6={{ ppp_ipv6 }} {% else %} {{ 'ipv6=allow' if client_ipv6_pool_configured else '' }} {% endif %} - +{% if ppp_ipv6_intf_id is vyos_defined %} +ipv6-intf-id={{ ppp_ipv6_intf_id }} +{% endif %} +{% if ppp_ipv6_peer_intf_id is vyos_defined %} +ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }} +{% endif %} +ipv6-accept-peer-intf-id={{ "1" if ppp_ipv6_accept_peer_intf_id else "0" }} {% if client_ipv6_pool %} [ipv6-pool] diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2 index f4129d3e2..dd53edd28 100644 --- a/data/templates/accel-ppp/pppoe.config.j2 +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -30,6 +30,11 @@ syslog=accel-pppoe,daemon copy=1 level=5 +{% if authentication.mode is vyos_defined("noauth") %} +[auth] +noauth=1 +{% endif %} + {% if snmp.master_agent is vyos_defined %} [snmp] master=1 @@ -69,8 +74,6 @@ ccp={{ "1" if ppp_options.ccp is vyos_defined else "0" }} unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }} {% if ppp_options.min_mtu is vyos_defined %} min-mtu={{ ppp_options.min_mtu }} -{% else %} -min-mtu={{ mtu }} {% endif %} {% if ppp_options.mru is vyos_defined %} mru={{ ppp_options.mru }} @@ -135,6 +138,22 @@ pado-delay={{ pado_delay_param.value }} called-sid={{ authentication.radius.called_sid_format }} {% endif %} +{% if authentication.mode is vyos_defined("local") or authentication.mode is vyos_defined("noauth") %} +{% if authentication.mode is vyos_defined("noauth") %} +noauth=1 +{% endif %} +{% if client_ip_pool.name is vyos_defined %} +{% for pool, pool_config in client_ip_pool.name.items() %} +{% if pool_config.subnet is vyos_defined %} +ip-pool={{ pool }} +{% endif %} +{% if pool_config.gateway_address is vyos_defined %} +gw-ip-address={{ pool_config.gateway_address }}/{{ pool_config.subnet.split('/')[1] }} +{% endif %} +{% endfor %} +{% endif %} +{% endif %} + {% if limits is vyos_defined %} [connlimit] {% if limits.connection_limit is vyos_defined %} diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2 index 442830b6b..78a629d2d 100644 --- a/data/templates/accel-ppp/pptp.config.j2 +++ b/data/templates/accel-ppp/pptp.config.j2 @@ -93,10 +93,15 @@ bind={{ radius_source_address }} gw-ip-address={{ gw_ip }} {% endif %} -{% if radius_shaper_attr %} +{% if radius_shaper_enable %} [shaper] verbose=1 +{% if radius_shaper_attr %} attr={{ radius_shaper_attr }} +{% endif %} +{% if radius_shaper_multiplier %} +rate-multiplier={{ radius_shaper_multiplier }} +{% endif %} {% if radius_shaper_vendor %} vendor={{ radius_shaper_vendor }} {% endif %} diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2 new file mode 100644 index 000000000..7a36fe69d --- /dev/null +++ b/data/templates/chrony/chrony.conf.j2 @@ -0,0 +1,60 @@ +### Autogenerated by ntp.py ### + +# This would step the system clock if the adjustment is larger than 0.1 seconds, +# but only in the first three clock updates. +makestep 1.0 3 + +# The rtcsync directive enables a mode where the system time is periodically +# copied to the RTC and chronyd does not try to track its drift. This directive +# cannot be used with the rtcfile directive. On Linux, the RTC copy is performed +# by the kernel every 11 minutes. +rtcsync + +# This directive specifies the maximum amount of memory that chronyd is allowed +# to allocate for logging of client accesses and the state that chronyd as an +# NTP server needs to support the interleaved mode for its clients. +clientloglimit 1048576 + +driftfile /run/chrony/drift +dumpdir /run/chrony +ntsdumpdir /run/chrony +pidfile {{ config_file | replace('.conf', '.pid') }} + +# Determine when will the next leap second occur and what is the current offset +leapsectz right/UTC + +user {{ user }} + +# NTP servers to reach out to +{% if server is vyos_defined %} +{% for server, config in server.items() %} +{% set association = 'server' %} +{% if config.pool is vyos_defined %} +{% set association = 'pool' %} +{% endif %} +{{ association }} {{ server | replace('_', '-') }} iburst {{ 'nts' if config.nts is vyos_defined }} {{ 'noselect' if config.noselect is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }} +{% endfor %} +{% endif %} + +# Allowed clients configuration +{% if allow_client.address is vyos_defined %} +{% for address in allow_client.address %} +allow {{ address }} +{% endfor %} +{% else %} +deny all +{% endif %} + +{% if listen_address is vyos_defined or interface is vyos_defined %} +# NTP should listen on configured addresses only +{% if listen_address is vyos_defined %} +{% for address in listen_address %} +bindaddress {{ address }} +{% endfor %} +{% endif %} +{% if interface is vyos_defined %} +{% for ifname in interface %} +binddevice {{ ifname }} +{% endfor %} +{% endif %} +{% endif %} diff --git a/data/templates/ntp/override.conf.j2 b/data/templates/chrony/override.conf.j2 index 6fed9d7d2..b8935ae76 100644 --- a/data/templates/ntp/override.conf.j2 +++ b/data/templates/chrony/override.conf.j2 @@ -5,10 +5,13 @@ ConditionPathExists={{ config_file }} After=vyos-router.service [Service] +EnvironmentFile= ExecStart= -ExecStart={{ vrf_command }}/usr/sbin/ntpd -g -p {{ config_file | replace('.conf', '.pid') }} -c {{ config_file }} -u ntp:ntp +ExecStart=!{{ vrf_command }}/usr/sbin/chronyd -F 1 -f {{ config_file }} PIDFile= PIDFile={{ config_file | replace('.conf', '.pid') }} Restart=always RestartSec=10 - +# Required for VRF support +ProcSubset=all +ProtectControlGroups=no diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2 new file mode 100644 index 000000000..c635ca213 --- /dev/null +++ b/data/templates/container/containers.conf.j2 @@ -0,0 +1,709 @@ +### Autogenerated by container.py ###
+
+# The containers configuration file specifies all of the available configuration
+# command-line options/flags for container engine tools like Podman & Buildah,
+# but in a TOML format that can be easily modified and versioned.
+
+# Please refer to containers.conf(5) for details of all configuration options.
+# Not all container engines implement all of the options.
+# All of the options have hard coded defaults and these options will override
+# the built in defaults. Users can then override these options via the command
+# line. Container engines will read containers.conf files in up to three
+# locations in the following order:
+# 1. /usr/share/containers/containers.conf
+# 2. /etc/containers/containers.conf
+# 3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)
+# Items specified in the latter containers.conf, if they exist, override the
+# previous containers.conf settings, or the default settings.
+
+[containers]
+
+# List of annotation. Specified as
+# "key = value"
+# If it is empty or commented out, no annotations will be added
+#
+#annotations = []
+
+# Used to change the name of the default AppArmor profile of container engine.
+#
+#apparmor_profile = "container-default"
+
+# The hosts entries from the base hosts file are added to the containers hosts
+# file. This must be either an absolute path or as special values "image" which
+# uses the hosts file from the container image or "none" which means
+# no base hosts file is used. The default is "" which will use /etc/hosts.
+#
+#base_hosts_file = ""
+
+# Default way to to create a cgroup namespace for the container
+# Options are:
+# `private` Create private Cgroup Namespace for the container.
+# `host` Share host Cgroup Namespace with the container.
+#
+#cgroupns = "private"
+
+# Control container cgroup configuration
+# Determines whether the container will create CGroups.
+# Options are:
+# `enabled` Enable cgroup support within container
+# `disabled` Disable cgroup support, will inherit cgroups from parent
+# `no-conmon` Do not create a cgroup dedicated to conmon.
+#
+#cgroups = "enabled"
+
+# List of default capabilities for containers. If it is empty or commented out,
+# the default capabilities defined in the container engine will be added.
+#
+default_capabilities = [
+ "CHOWN",
+ "DAC_OVERRIDE",
+ "FOWNER",
+ "FSETID",
+ "KILL",
+ "NET_BIND_SERVICE",
+ "SETFCAP",
+ "SETGID",
+ "SETPCAP",
+ "SETUID",
+ "SYS_CHROOT"
+]
+
+# A list of sysctls to be set in containers by default,
+# specified as "name=value",
+# for example:"net.ipv4.ping_group_range=0 0".
+#
+default_sysctls = [
+ "net.ipv4.ping_group_range=0 0",
+]
+
+# A list of ulimits to be set in containers by default, specified as
+# "<ulimit name>=<soft limit>:<hard limit>", for example:
+# "nofile=1024:2048"
+# See setrlimit(2) for a list of resource names.
+# Any limit not specified here will be inherited from the process launching the
+# container engine.
+# Ulimits has limits for non privileged container engines.
+#
+#default_ulimits = [
+# "nofile=1280:2560",
+#]
+
+# List of devices. Specified as
+# "<device-on-host>:<device-on-container>:<permissions>", for example:
+# "/dev/sdc:/dev/xvdc:rwm".
+# If it is empty or commented out, only the default devices will be used
+#
+#devices = []
+
+# List of default DNS options to be added to /etc/resolv.conf inside of the container.
+#
+#dns_options = []
+
+# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.
+#
+#dns_searches = []
+
+# Set default DNS servers.
+# This option can be used to override the DNS configuration passed to the
+# container. The special value "none" can be specified to disable creation of
+# /etc/resolv.conf in the container.
+# The /etc/resolv.conf file in the image will be used without changes.
+#
+#dns_servers = []
+
+# Environment variable list for the conmon process; used for passing necessary
+# environment variables to conmon or the runtime.
+#
+#env = [
+# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+# "TERM=xterm",
+#]
+
+# Pass all host environment variables into the container.
+#
+#env_host = false
+
+# Set the ip for the host.containers.internal entry in the containers /etc/hosts
+# file. This can be set to "none" to disable adding this entry. By default it
+# will automatically choose the host ip.
+#
+# NOTE: When using podman machine this entry will never be added to the containers
+# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
+# it is not possible to disable the entry in this case.
+#
+#host_containers_internal_ip = ""
+
+# Default proxy environment variables passed into the container.
+# The environment variables passed in include:
+# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
+# these. This option is needed when host system uses a proxy but container
+# should not use proxy. Proxy environment variables specified for the container
+# in any other way will override the values passed from the host.
+#
+#http_proxy = true
+
+# Run an init inside the container that forwards signals and reaps processes.
+#
+#init = false
+
+# Container init binary, if init=true, this is the init binary to be used for containers.
+#
+#init_path = "/usr/libexec/podman/catatonit"
+
+# Default way to to create an IPC namespace (POSIX SysV IPC) for the container
+# Options are:
+# "host" Share host IPC Namespace with the container.
+# "none" Create shareable IPC Namespace for the container without a private /dev/shm.
+# "private" Create private IPC Namespace for the container, other containers are not allowed to share it.
+# "shareable" Create shareable IPC Namespace for the container.
+#
+#ipcns = "shareable"
+
+# keyring tells the container engine whether to create
+# a kernel keyring for use within the container.
+#
+#keyring = true
+
+# label tells the container engine whether to use container separation using
+# MAC(SELinux) labeling or not.
+# The label flag is ignored on label disabled systems.
+#
+#label = true
+
+# Logging driver for the container. Available options: k8s-file and journald.
+#
+#log_driver = "k8s-file"
+
+# Maximum size allowed for the container log file. Negative numbers indicate
+# that no size limit is imposed. If positive, it must be >= 8192 to match or
+# exceed conmon's read buffer. The file is truncated and re-opened so the
+# limit is never exceeded.
+#
+#log_size_max = -1
+
+# Specifies default format tag for container log messages.
+# This is useful for creating a specific tag for container log messages.
+# Containers logs default to truncated container ID as a tag.
+#
+#log_tag = ""
+
+# Default way to to create a Network namespace for the container
+# Options are:
+# `private` Create private Network Namespace for the container.
+# `host` Share host Network Namespace with the container.
+# `none` Containers do not use the network
+#
+#netns = "private"
+
+# Create /etc/hosts for the container. By default, container engine manage
+# /etc/hosts, automatically adding the container's own IP address.
+#
+#no_hosts = false
+
+# Default way to to create a PID namespace for the container
+# Options are:
+# `private` Create private PID Namespace for the container.
+# `host` Share host PID Namespace with the container.
+#
+#pidns = "private"
+
+# Maximum number of processes allowed in a container.
+#
+#pids_limit = 2048
+
+# Copy the content from the underlying image into the newly created volume
+# when the container is created instead of when it is started. If false,
+# the container engine will not copy the content until the container is started.
+# Setting it to true may have negative performance implications.
+#
+#prepare_volume_on_create = false
+
+# Path to the seccomp.json profile which is used as the default seccomp profile
+# for the runtime.
+#
+#seccomp_profile = "/usr/share/containers/seccomp.json"
+
+# Size of /dev/shm. Specified as <number><unit>.
+# Unit is optional, values:
+# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# If the unit is omitted, the system uses bytes.
+#
+#shm_size = "65536k"
+
+# Set timezone in container. Takes IANA timezones as well as "local",
+# which sets the timezone in the container to match the host machine.
+#
+#tz = ""
+
+# Set umask inside the container
+#
+#umask = "0022"
+
+# Default way to to create a User namespace for the container
+# Options are:
+# `auto` Create unique User Namespace for the container.
+# `host` Share host User Namespace with the container.
+#
+#userns = "host"
+
+# Number of UIDs to allocate for the automatic container creation.
+# UIDs are allocated from the "container" UIDs listed in
+# /etc/subuid & /etc/subgid
+#
+#userns_size = 65536
+
+# Default way to to create a UTS namespace for the container
+# Options are:
+# `private` Create private UTS Namespace for the container.
+# `host` Share host UTS Namespace with the container.
+#
+#utsns = "private"
+
+# List of volumes. Specified as
+# "<directory-on-host>:<directory-in-container>:<options>", for example:
+# "/db:/var/lib/db:ro".
+# If it is empty or commented out, no volumes will be added
+#
+#volumes = []
+
+[secrets]
+#driver = "file"
+
+[secrets.opts]
+#root = "/example/directory"
+
+[network]
+
+# Network backend determines what network driver will be used to set up and tear down container networks.
+# Valid values are "cni" and "netavark".
+# The default value is empty which means that it will automatically choose CNI or netavark. If there are
+# already containers/images or CNI networks preset it will choose CNI.
+#
+# Before changing this value all containers must be stopped otherwise it is likely that
+# iptables rules and network interfaces might leak on the host. A reboot will fix this.
+#
+network_backend = "netavark"
+
+# Path to directory where CNI plugin binaries are located.
+#
+#cni_plugin_dirs = [
+# "/usr/local/libexec/cni",
+# "/usr/libexec/cni",
+# "/usr/local/lib/cni",
+# "/usr/lib/cni",
+# "/opt/cni/bin",
+#]
+
+# The network name of the default network to attach pods to.
+#
+#default_network = "podman"
+
+# The default subnet for the default network given in default_network.
+# If a network with that name does not exist, a new network using that name and
+# this subnet will be created.
+# Must be a valid IPv4 CIDR prefix.
+#
+#default_subnet = "10.88.0.0/16"
+
+# DefaultSubnetPools is a list of subnets and size which are used to
+# allocate subnets automatically for podman network create.
+# It will iterate through the list and will pick the first free subnet
+# with the given size. This is only used for ipv4 subnets, ipv6 subnets
+# are always assigned randomly.
+#
+#default_subnet_pools = [
+# {"base" = "10.89.0.0/16", "size" = 24},
+# {"base" = "10.90.0.0/15", "size" = 24},
+# {"base" = "10.92.0.0/14", "size" = 24},
+# {"base" = "10.96.0.0/11", "size" = 24},
+# {"base" = "10.128.0.0/9", "size" = 24},
+#]
+
+# Path to the directory where network configuration files are located.
+# For the CNI backend the default is "/etc/cni/net.d" as root
+# and "$HOME/.config/cni/net.d" as rootless.
+# For the netavark backend "/etc/containers/networks" is used as root
+# and "$graphroot/networks" as rootless.
+#
+#network_config_dir = "/etc/cni/net.d/"
+
+# Port to use for dns forwarding daemon with netavark in rootful bridge
+# mode and dns enabled.
+# Using an alternate port might be useful if other dns services should
+# run on the machine.
+#
+#dns_bind_port = 53
+
+[engine]
+# Index to the active service
+#
+#active_service = production
+
+# The compression format to use when pushing an image.
+# Valid options are: `gzip`, `zstd` and `zstd:chunked`.
+#
+#compression_format = "gzip"
+
+
+# Cgroup management implementation used for the runtime.
+# Valid options "systemd" or "cgroupfs"
+#
+#cgroup_manager = "systemd"
+
+# Environment variables to pass into conmon
+#
+#conmon_env_vars = [
+# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+#]
+
+# Paths to look for the conmon container manager binary
+#
+#conmon_path = [
+# "/usr/libexec/podman/conmon",
+# "/usr/local/libexec/podman/conmon",
+# "/usr/local/lib/podman/conmon",
+# "/usr/bin/conmon",
+# "/usr/sbin/conmon",
+# "/usr/local/bin/conmon",
+# "/usr/local/sbin/conmon"
+#]
+
+# Enforces using docker.io for completing short names in Podman's compatibility
+# REST API. Note that this will ignore unqualified-search-registries and
+# short-name aliases defined in containers-registries.conf(5).
+#compat_api_enforce_docker_hub = true
+
+# Specify the keys sequence used to detach a container.
+# Format is a single character [a-Z] or a comma separated sequence of
+# `ctrl-<value>`, where `<value>` is one of:
+# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
+#
+#detach_keys = "ctrl-p,ctrl-q"
+
+# Determines whether engine will reserve ports on the host when they are
+# forwarded to containers. When enabled, when ports are forwarded to containers,
+# ports are held open by as long as the container is running, ensuring that
+# they cannot be reused by other programs on the host. However, this can cause
+# significant memory usage if a container has many ports forwarded to it.
+# Disabling this can save memory.
+#
+#enable_port_reservation = true
+
+# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
+# For example "http_proxy=internal.proxy.company.com".
+# Note these environment variables will not be used within the container.
+# Set the env section under [containers] table, if you want to set environment variables for the container.
+#
+#env = []
+
+# Define where event logs will be stored, when events_logger is "file".
+#events_logfile_path=""
+
+# Sets the maximum size for events_logfile_path.
+# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
+# If no unit is included then the size will be read in bytes.
+# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
+# If the maximum size is set to 0, then no limit will be applied,
+# and the logfile will not be rotated.
+#events_logfile_max_size = "1m"
+
+# Selects which logging mechanism to use for container engine events.
+# Valid values are `journald`, `file` and `none`.
+#
+#events_logger = "journald"
+
+# A is a list of directories which are used to search for helper binaries.
+#
+#helper_binaries_dir = [
+# "/usr/local/libexec/podman",
+# "/usr/local/lib/podman",
+# "/usr/libexec/podman",
+# "/usr/lib/podman",
+#]
+
+# Path to OCI hooks directories for automatically executed hooks.
+#
+#hooks_dir = [
+# "/usr/share/containers/oci/hooks.d",
+#]
+
+# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
+# container images. By default image pulled and pushed match the format of the
+# source image. Building/committing defaults to OCI.
+#
+#image_default_format = ""
+
+# Default transport method for pulling and pushing for images
+#
+#image_default_transport = "docker://"
+
+# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+#
+#image_parallel_copies = 0
+
+# Tells container engines how to handle the builtin image volumes.
+# * bind: An anonymous named volume will be created and mounted
+# into the container.
+# * tmpfs: The volume is mounted onto the container as a tmpfs,
+# which allows users to create content that disappears when
+# the container is stopped.
+# * ignore: All volumes are just ignored and no action is taken.
+#
+#image_volume_mode = ""
+
+# Default command to run the infra container
+#
+#infra_command = "/pause"
+
+# Infra (pause) container image name for pod infra containers. When running a
+# pod, we start a `pause` process in a container to hold open the namespaces
+# associated with the pod. This container does nothing other then sleep,
+# reserving the pods resources for the lifetime of the pod. By default container
+# engines run a builtin container using the pause executable. If you want override
+# specify an image to pull.
+#
+#infra_image = ""
+
+# Specify the locking mechanism to use; valid values are "shm" and "file".
+# Change the default only if you are sure of what you are doing, in general
+# "file" is useful only on platforms where cgo is not available for using the
+# faster "shm" lock type. You may need to run "podman system renumber" after
+# you change the lock type.
+#
+#lock_type** = "shm"
+
+# MultiImageArchive - if true, the container engine allows for storing archives
+# (e.g., of the docker-archive transport) with multiple images. By default,
+# Podman creates single-image archives.
+#
+#multi_image_archive = "false"
+
+# Default engine namespace
+# If engine is joined to a namespace, it will see only containers and pods
+# that were created in the same namespace, and will create new containers and
+# pods in that namespace.
+# The default namespace is "", which corresponds to no namespace. When no
+# namespace is set, all containers and pods are visible.
+#
+#namespace = ""
+
+# Path to the slirp4netns binary
+#
+#network_cmd_path = ""
+
+# Default options to pass to the slirp4netns binary.
+# Valid options values are:
+#
+# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).
+# Default is false.
+# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).
+# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
+# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).
+# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
+# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
+# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
+# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
+# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
+# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container
+# network namespace, usually `10.0.2.100`. If your application requires the real source IP address,
+# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for
+# rootless containers when connected to user-defined networks.
+# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but
+# preserves the correct source IP address. This port handler cannot be used for user-defined networks.
+#
+#network_cmd_options = []
+
+# Whether to use chroot instead of pivot_root in the runtime
+#
+#no_pivot_root = false
+
+# Number of locks available for containers and pods.
+# If this is changed, a lock renumber must be performed (e.g. with the
+# 'podman system renumber' command).
+#
+#num_locks = 2048
+
+# Set the exit policy of the pod when the last container exits.
+#pod_exit_policy = "continue"
+
+# Whether to pull new image before running a container
+#
+#pull_policy = "missing"
+
+# Indicates whether the application should be running in remote mode. This flag modifies the
+# --remote option on container engines. Setting the flag to true will default
+# `podman --remote=true` for access to the remote Podman service.
+#
+#remote = false
+
+# Default OCI runtime
+#
+#runtime = "crun"
+
+# List of the OCI runtimes that support --format=json. When json is supported
+# engine will use it for reporting nicer errors.
+#
+#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]
+
+# List of the OCI runtimes that supports running containers with KVM Separation.
+#
+#runtime_supports_kvm = ["kata", "krun"]
+
+# List of the OCI runtimes that supports running containers without cgroups.
+#
+#runtime_supports_nocgroups = ["crun", "krun"]
+
+# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment
+# variable. If you specify "storage", then the location of the
+# container/storage tmp directory will be used.
+# image_copy_tmp_dir="/var/tmp"
+
+# Number of seconds to wait without a connection
+# before the `podman system service` times out and exits
+#
+#service_timeout = 5
+
+# Directory for persistent engine files (database, etc)
+# By default, this will be configured relative to where the containers/storage
+# stores containers
+# Uncomment to change location from this default
+#
+#static_dir = "/var/lib/containers/storage/libpod"
+
+# Number of seconds to wait for container to exit before sending kill signal.
+#
+#stop_timeout = 10
+
+# Number of seconds to wait before exit command in API process is given to.
+# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).
+#
+#exit_command_delay = 300
+
+# map of service destinations
+#
+#[service_destinations]
+# [service_destinations.production]
+# URI to access the Podman service
+# Examples:
+# rootless "unix://run/user/$UID/podman/podman.sock" (Default)
+# rootful "unix://run/podman/podman.sock (Default)
+# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
+# remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock
+#
+# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
+# Path to file containing ssh identity key
+# identity = "~/.ssh/id_rsa"
+
+# Directory for temporary files. Must be tmpfs (wiped after reboot)
+#
+#tmp_dir = "/run/libpod"
+
+# Directory for libpod named volumes.
+# By default, this will be configured relative to where containers/storage
+# stores containers.
+# Uncomment to change location from this default.
+#
+#volume_path = "/var/lib/containers/storage/volumes"
+
+# Default timeout (in seconds) for volume plugin operations.
+# Plugins are external programs accessed via a REST API; this sets a timeout
+# for requests to that API.
+# A value of 0 is treated as no timeout.
+#volume_plugin_timeout = 5
+
+# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
+[engine.runtimes]
+#crun = [
+# "/usr/bin/crun",
+# "/usr/sbin/crun",
+# "/usr/local/bin/crun",
+# "/usr/local/sbin/crun",
+# "/sbin/crun",
+# "/bin/crun",
+# "/run/current-system/sw/bin/crun",
+#]
+
+#kata = [
+# "/usr/bin/kata-runtime",
+# "/usr/sbin/kata-runtime",
+# "/usr/local/bin/kata-runtime",
+# "/usr/local/sbin/kata-runtime",
+# "/sbin/kata-runtime",
+# "/bin/kata-runtime",
+# "/usr/bin/kata-qemu",
+# "/usr/bin/kata-fc",
+#]
+
+#runc = [
+# "/usr/bin/runc",
+# "/usr/sbin/runc",
+# "/usr/local/bin/runc",
+# "/usr/local/sbin/runc",
+# "/sbin/runc",
+# "/bin/runc",
+# "/usr/lib/cri-o-runc/sbin/runc",
+#]
+
+#runsc = [
+# "/usr/bin/runsc",
+# "/usr/sbin/runsc",
+# "/usr/local/bin/runsc",
+# "/usr/local/sbin/runsc",
+# "/bin/runsc",
+# "/sbin/runsc",
+# "/run/current-system/sw/bin/runsc",
+#]
+
+#krun = [
+# "/usr/bin/krun",
+# "/usr/local/bin/krun",
+#]
+
+[engine.volume_plugins]
+#testplugin = "/run/podman/plugins/test.sock"
+
+[machine]
+# Number of CPU's a machine is created with.
+#
+#cpus=1
+
+# The size of the disk in GB created when init-ing a podman-machine VM.
+#
+#disk_size=10
+
+# Default image URI when creating a new VM using `podman machine init`.
+# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major
+# version of the OS (e.g `36`) for Fedora 36. For all platforms you can
+# alternatively specify a custom download URL to an image. Container engines
+# translate URIs $OS and $ARCH to the native OS and ARCH. URI
+# "https://example.com/$OS/$ARCH/foobar.ami" becomes
+# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
+# The default value is `testing`.
+#
+# image = "testing"
+
+# Memory in MB a machine is created with.
+#
+#memory=2048
+
+# The username to use and create on the podman machine OS for rootless
+# container access.
+#
+#user = "core"
+
+# Host directories to be mounted as volumes into the VM by default.
+# Environment variables like $HOME as well as complete paths are supported for
+# the source and destination. An optional third field `:ro` can be used to
+# tell the container engines to mount the volume readonly.
+#
+# volumes = [
+# "$HOME:$HOME",
+#]
+
+# The [machine] table MUST be the last entry in this file.
+# (Unless another table is added)
+# TOML does not provide a way to end a table other than a further table being
+# defined, so every key hereafter will be part of [machine] and not the
+# main config.
diff --git a/data/templates/container/registries.conf.j2 b/data/templates/container/registries.conf.j2 index 2e86466a1..eb7ff8775 100644 --- a/data/templates/container/registries.conf.j2 +++ b/data/templates/container/registries.conf.j2 @@ -23,5 +23,9 @@ # unqualified-search-registries = ["example.com"] {% if registry is vyos_defined %} -unqualified-search-registries = {{ registry }} +{% set registry_list = [] %} +{% for r, r_options in registry.items() if r_options.disable is not vyos_defined %} +{% set _ = registry_list.append(r) %} +{% endfor %} +unqualified-search-registries = {{ registry_list }} {% endif %} diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2 index 665f9bf95..ec2046fb5 100644 --- a/data/templates/container/storage.conf.j2 +++ b/data/templates/container/storage.conf.j2 @@ -1,4 +1,6 @@ ### Autogenerated by container.py ### [storage] - driver = "vfs" + driver = "overlay" graphroot = "/usr/lib/live/mount/persistence/container/storage" + [storage.options] + mount_program = "/usr/bin/fuse-overlayfs" diff --git a/data/templates/dhcp-relay/dhcrelay.conf.j2 b/data/templates/dhcp-relay/dhcrelay.conf.j2 index 11710bd8e..c26c263fd 100644 --- a/data/templates/dhcp-relay/dhcrelay.conf.j2 +++ b/data/templates/dhcp-relay/dhcrelay.conf.j2 @@ -2,5 +2,8 @@ {% set max_size = '-A ' ~ relay_options.max_size if relay_options.max_size is vyos_defined %} {# hop_count and relay_agents_packets is a default option, thus it is always present #} +{% if interface is vyos_defined %} OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -i {{ interface | join(' -i ') }} {{ server | join(' ') }}" - +{% else %} +OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -id {{ listen_interface | join(' -id ') }} -iu {{ upstream_interface | join(' -iu ') }} {{ server | join(' ') }}" +{% endif %}
\ No newline at end of file diff --git a/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 index de3269e47..593a98c24 100644 --- a/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 +++ b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 @@ -23,7 +23,6 @@ {% if forward_zones is vyos_defined %} # zones added via 'service dns forwarding domain' {% for zone, zonedata in forward_zones.items() %} -{{ "+" if zonedata.recursion_desired is vyos_defined }}{{ zone | replace('_', '-') }}={{ zonedata.server | join(', ') }} +{{ "+" if zonedata.recursion_desired is vyos_defined }}{{ zone | replace('_', '-') }}={{ zonedata.name_server | join(', ') }} {% endfor %} {% endif %} - diff --git a/data/templates/dynamic-dns/ddclient.conf.j2 b/data/templates/dynamic-dns/ddclient.conf.j2 index 3c2d17cbb..c2c9b1dd6 100644 --- a/data/templates/dynamic-dns/ddclient.conf.j2 +++ b/data/templates/dynamic-dns/ddclient.conf.j2 @@ -10,7 +10,7 @@ ssl=yes {% set web_skip = ", web-skip='" ~ iface_config.use_web.skip ~ "'" if iface_config.use_web.skip is vyos_defined else '' %} use=web, web='{{ iface_config.use_web.url }}'{{ web_skip }} {% else %} -{{ 'usev6=if' if iface_config.ipv6_enable is vyos_defined else 'use=if' }}, if={{ iface }} +{{ 'usev6=ifv6' if iface_config.ipv6_enable is vyos_defined else 'use=if' }}, if={{ iface }} {% endif %} {% if iface_config.rfc2136 is vyos_defined %} diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2 index 8f140f6cb..cd35d6d1e 100644 --- a/data/templates/ethernet/wpa_supplicant.conf.j2 +++ b/data/templates/ethernet/wpa_supplicant.conf.j2 @@ -67,6 +67,11 @@ network={ # discards such frames to protect against potential attacks by rogue # devices, but this option can be used to disable that protection for cases # where the server/authenticator does not need to be authenticated. - phase1="allow_canned_success=1" + # + # "tls_disable_tlsv1_0=0" is used to allow TLSv1 for compatibility with + # legacy networks. This follows the behavior of Debian's wpa_supplicant, + # which includes a custom patch for allowing TLSv1, but the patch currently + # does not work for VyOS' git builds of wpa_supplicant. + phase1="allow_canned_success=1 tls_disable_tlsv1_0=0" } diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2 index 6cb3b2f95..7a89d29e4 100644 --- a/data/templates/firewall/nftables-policy.j2 +++ b/data/templates/firewall/nftables-policy.j2 @@ -11,7 +11,7 @@ table ip vyos_mangle { type filter hook prerouting priority -150; policy accept; {% if route is vyos_defined %} {% for route_text, conf in route.items() if conf.interface is vyos_defined %} - iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR_{{ route_text }} + iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_{{ route_text }} {% endfor %} {% endif %} } diff --git a/data/templates/frr/babeld.frr.j2 b/data/templates/frr/babeld.frr.j2 new file mode 100644 index 000000000..344a5f988 --- /dev/null +++ b/data/templates/frr/babeld.frr.j2 @@ -0,0 +1,85 @@ +{% from 'frr/distribute_list_macro.j2' import render_distribute_list %} +{% from 'frr/ipv6_distribute_list_macro.j2' import render_ipv6_distribute_list %} +! +{# Interface specific configuration #} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} +{% if iface_config.type is vyos_defined('wired') or iface_config.type is vyos_defined('wireless') %} + babel {{ iface_config.type }} +{% endif %} +{% if iface_config.split_horizon is vyos_defined("enable") %} + babel split-horizon +{% elif iface_config.split_horizon is vyos_defined("disable") %} + no babel split-horizon +{% endif %} +{% if iface_config.hello_interval is vyos_defined %} + babel hello-interval {{ iface_config.hello_interval }} +{% endif %} +{% if iface_config.update_interval is vyos_defined %} + babel update-interval {{ iface_config.update_interval }} +{% endif %} +{% if iface_config.rxcost is vyos_defined %} + babel rxcost {{ iface_config.rxcost }} +{% endif %} +{% if iface_config.rtt_decay is vyos_defined %} + babel rtt-decay {{ iface_config.rtt_decay }} +{% endif %} +{% if iface_config.rtt_min is vyos_defined %} + babel rtt-min {{ iface_config.rtt_min }} +{% endif %} +{% if iface_config.rtt_max is vyos_defined %} + babel rtt-max {{ iface_config.rtt_max }} +{% endif %} +{% if iface_config.max_rtt_penalty is vyos_defined %} + babel max-rtt-penalty {{ iface_config.max_rtt_penalty }} +{% endif %} +{% if iface_config.enable_timestamps is vyos_defined %} + babel enable-timestamps +{% endif %} +{% if iface_config.channel is vyos_defined %} + babel channel {{ iface_config.channel | replace("non-interfering", "noninterfering") }} +{% endif %} +exit +! +{% endfor %} +{% endif %} +! +{# Babel configuration #} +router babel +{% if parameters.diversity is vyos_defined %} + babel diversity +{% endif %} +{% if parameters.diversity_factor is vyos_defined %} + babel diversity-factor {{ parameters.diversity_factor }} +{% endif %} +{% if parameters.resend_delay is vyos_defined %} + babel resend-delay {{ parameters.resend_delay }} +{% endif %} +{% if parameters.smoothing_half_life is vyos_defined %} + babel smoothing-half-life {{ parameters.smoothing_half_life }} +{% endif %} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} + network {{ iface }} +{% endfor %} +{% endif %} +{% if redistribute is vyos_defined %} +{% for address_family in redistribute %} +{% for protocol, protocol_config in redistribute[address_family].items() %} +{% if protocol is vyos_defined('ospfv3') %} +{% set protocol = 'ospf6' %} +{% endif %} + redistribute {{ address_family }} {{ protocol }} +{% endfor %} +{% endfor %} +{% endif %} +{% if distribute_list.ipv4 is vyos_defined %} +{{ render_distribute_list(distribute_list.ipv4) }} +{% endif %} +{% if distribute_list.ipv6 is vyos_defined %} +{{ render_ipv6_distribute_list(distribute_list.ipv6) }} +{% endif %} +exit +! +end diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index 5febd7c66..b749be93f 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -9,6 +9,11 @@ {% if config.remote_as is vyos_defined %} neighbor {{ neighbor }} remote-as {{ config.remote_as }} {% endif %} +{% if config.local_role is vyos_defined %} +{% for role, strict in config.local_role.items() %} + neighbor {{ neighbor }} local-role {{ role }} {{ 'strict-mode' if strict }} +{% endfor %} +{% endif %} {% if config.interface.remote_as is vyos_defined %} neighbor {{ neighbor }} interface remote-as {{ config.interface.remote_as }} {% endif %} @@ -69,6 +74,9 @@ {% if config.password is vyos_defined %} neighbor {{ neighbor }} password {{ config.password }} {% endif %} +{% if config.path_attribute.discard is vyos_defined %} + neighbor {{ neighbor }} path-attribute discard {{ config.path_attribute.discard }} +{% endif %} {% if config.port is vyos_defined %} neighbor {{ neighbor }} port {{ config.port }} {% endif %} @@ -240,7 +248,7 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% else %} no bgp ebgp-requires-policy {% endif %} -{# Option must be set before any neighbor - see https://phabricator.vyos.net/T3463 #} +{# Option must be set before any neighbor - see https://vyos.dev/T3463 #} no bgp default ipv4-unicast {# Workaround for T2100 until we have decided about a migration script #} no bgp network import-check @@ -414,10 +422,14 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} route-target both {{ vni_config.route_target.both }} {% endif %} {% if vni_config.route_target.export is vyos_defined %} - route-target export {{ vni_config.route_target.export }} +{% for route_target in vni_config.route_target.export %} + route-target export {{ route_target }} +{% endfor %} {% endif %} {% if vni_config.route_target.import is vyos_defined %} - route-target import {{ vni_config.route_target.import }} +{% for route_target in vni_config.route_target.import %} + route-target import {{ route_target }} +{% endfor %} {% endif %} exit-vni {% endfor %} @@ -541,6 +553,9 @@ bgp route-reflector allow-outbound-policy {% if parameters.suppress_fib_pending is vyos_defined %} bgp suppress-fib-pending {% endif %} +{% if parameters.tcp_keepalive.idle is vyos_defined and parameters.tcp_keepalive.interval is vyos_defined and parameters.tcp_keepalive.probes is vyos_defined %} + bgp tcp-keepalive {{ parameters.tcp_keepalive.idle }} {{ parameters.tcp_keepalive.interval }} {{ parameters.tcp_keepalive.probes }} +{% endif %} {% if timers.keepalive is vyos_defined and timers.holdtime is vyos_defined %} timers bgp {{ timers.keepalive }} {{ timers.holdtime }} {% endif %} diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl index df98e74d6..fdff9772a 100644 --- a/data/templates/frr/daemons.frr.tmpl +++ b/data/templates/frr/daemons.frr.tmpl @@ -9,7 +9,7 @@ pimd=no ldpd=yes nhrpd=no eigrpd=yes -babeld=no +babeld=yes sharpd=no pbrd=no bfdd=yes @@ -51,4 +51,3 @@ bfdd_options=" --daemon -A 127.0.0.1" watchfrr_enable=no valgrind_enable=no - diff --git a/data/templates/frr/distribute_list_macro.j2 b/data/templates/frr/distribute_list_macro.j2 new file mode 100644 index 000000000..c10bf732d --- /dev/null +++ b/data/templates/frr/distribute_list_macro.j2 @@ -0,0 +1,30 @@ +{% macro render_distribute_list(distribute_list) %} +{% if distribute_list.access_list.in is vyos_defined %} + distribute-list {{ distribute_list.access_list.in }} in +{% endif %} +{% if distribute_list.access_list.out is vyos_defined %} + distribute-list {{ distribute_list.access_list.out }} out +{% endif %} +{% if distribute_list.interface is vyos_defined %} +{% for interface, interface_config in distribute_list.interface.items() %} +{% if interface_config.access_list.in is vyos_defined %} + distribute-list {{ interface_config.access_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.access_list.out is vyos_defined %} + distribute-list {{ interface_config.access_list.out }} out {{ interface }} +{% endif %} +{% if interface_config.prefix_list.in is vyos_defined %} + distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.prefix_list.out is vyos_defined %} + distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} +{% endif %} +{% endfor %} +{% endif %} +{% if distribute_list.prefix_list.in is vyos_defined %} + distribute-list prefix {{ distribute_list.prefix_list.in }} in +{% endif %} +{% if distribute_list.prefix_list.out is vyos_defined %} + distribute-list prefix {{ distribute_list.prefix_list.out }} out +{% endif %} +{% endmacro %} diff --git a/data/templates/frr/ipv6_distribute_list_macro.j2 b/data/templates/frr/ipv6_distribute_list_macro.j2 new file mode 100644 index 000000000..c365fbdae --- /dev/null +++ b/data/templates/frr/ipv6_distribute_list_macro.j2 @@ -0,0 +1,30 @@ +{% macro render_ipv6_distribute_list(distribute_list) %} +{% if distribute_list.access_list.in is vyos_defined %} + ipv6 distribute-list {{ distribute_list.access_list.in }} in +{% endif %} +{% if distribute_list.access_list.out is vyos_defined %} + ipv6 distribute-list {{ distribute_list.access_list.out }} out +{% endif %} +{% if distribute_list.interface is vyos_defined %} +{% for interface, interface_config in distribute_list.interface.items() %} +{% if interface_config.access_list.in is vyos_defined %} + ipv6 distribute-list {{ interface_config.access_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.access_list.out is vyos_defined %} + ipv6 distribute-list {{ interface_config.access_list.out }} out {{ interface }} +{% endif %} +{% if interface_config.prefix_list.in is vyos_defined %} + ipv6 distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.prefix_list.out is vyos_defined %} + ipv6 distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} +{% endif %} +{% endfor %} +{% endif %} +{% if distribute_list.prefix_list.in is vyos_defined %} + ipv6 distribute-list prefix {{ distribute_list.prefix_list.in }} in +{% endif %} +{% if distribute_list.prefix_list.out is vyos_defined %} + ipv6 distribute-list prefix {{ distribute_list.prefix_list.out }} out +{% endif %} +{% endmacro %} diff --git a/data/templates/frr/isisd.frr.j2 b/data/templates/frr/isisd.frr.j2 index 8df1e9513..3c37e28b9 100644 --- a/data/templates/frr/isisd.frr.j2 +++ b/data/templates/frr/isisd.frr.j2 @@ -25,6 +25,12 @@ interface {{ iface }} {% if iface_config.hello_padding is vyos_defined %} isis hello padding {% endif %} +{% if iface_config.ldp_sync.disable is vyos_defined %} + no isis mpls ldp-sync +{% elif iface_config.ldp_sync.holddown is vyos_defined %} + isis mpls ldp-sync + isis mpls ldp-sync holddown {{ iface_config.ldp_sync.holddown }} +{% endif %} {% if iface_config.metric is vyos_defined %} isis metric {{ iface_config.metric }} {% endif %} @@ -84,6 +90,11 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }} {% if max_lsp_lifetime is vyos_defined %} max-lsp-lifetime {{ max_lsp_lifetime }} {% endif %} +{% if ldp_sync.holddown is vyos_defined %} + mpls ldp-sync holddown {{ ldp_sync.holddown }} +{% elif ldp_sync is vyos_defined %} + mpls ldp-sync +{% endif %} {% if spf_interval is vyos_defined %} spf-interval {{ spf_interval }} {% endif %} diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index 882ec8f97..3f97b7325 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 @@ -44,6 +44,12 @@ interface {{ iface }} {% if iface_config.bfd.profile is vyos_defined %} ip ospf bfd profile {{ iface_config.bfd.profile }} {% endif %} +{% if iface_config.ldp_sync.disable is vyos_defined %} + no ip ospf mpls ldp-sync +{% elif iface_config.ldp_sync.holddown is vyos_defined %} + ip ospf mpls ldp-sync + ip ospf mpls ldp-sync holddown {{ iface_config.ldp_sync.holddown }} +{% endif %} {% if iface_config.mtu_ignore is vyos_defined %} ip ospf mtu-ignore {% endif %} @@ -84,11 +90,13 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% endfor %} {% if area_config.range is vyos_defined %} {% for range, range_config in area_config.range.items() %} -{% if range_config.cost is vyos_defined %} - area {{ area_id }} range {{ range }} cost {{ range_config.cost }} -{% endif %} {% if range_config.not_advertise is vyos_defined %} area {{ area_id }} range {{ range }} not-advertise +{% else %} + area {{ area_id }} range {{ range }} +{% endif %} +{% if range_config.cost is vyos_defined %} + area {{ area_id }} range {{ range }} cost {{ range_config.cost }} {% endif %} {% if range_config.substitute is vyos_defined %} area {{ area_id }} range {{ range }} substitute {{ range_config.substitute }} @@ -131,6 +139,11 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if maximum_paths is vyos_defined %} maximum-paths {{ maximum_paths }} {% endif %} +{% if ldp_sync.holddown is vyos_defined %} + mpls ldp-sync holddown {{ ldp_sync.holddown }} +{% elif ldp_sync is vyos_defined %} + mpls ldp-sync +{% endif %} {% if distance.global is vyos_defined %} distance {{ distance.global }} {% endif %} @@ -170,7 +183,7 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if parameters.router_id is vyos_defined %} ospf router-id {{ parameters.router_id }} {% endif %} -{% if passive_interface.default is vyos_defined %} +{% if passive_interface is vyos_defined('default') %} passive-interface default {% endif %} {% if redistribute is vyos_defined %} diff --git a/data/templates/frr/ripd.frr.j2 b/data/templates/frr/ripd.frr.j2 index e9e484cc2..1445bf97f 100644 --- a/data/templates/frr/ripd.frr.j2 +++ b/data/templates/frr/ripd.frr.j2 @@ -1,3 +1,4 @@ +{% from 'frr/distribute_list_macro.j2' import render_distribute_list %} {# RIP key-chain definition #} {% if interface is vyos_defined %} {% for iface, iface_config in interface.items() %} @@ -60,34 +61,7 @@ router rip {% endfor %} {% endif %} {% if distribute_list is vyos_defined %} -{% if distribute_list.access_list.in is vyos_defined %} - distribute-list {{ distribute_list.access_list.in }} in -{% endif %} -{% if distribute_list.access_list.out is vyos_defined %} - distribute-list {{ distribute_list.access_list.out }} out -{% endif %} -{% if distribute_list.interface is vyos_defined %} -{% for interface, interface_config in distribute_list.interface.items() %} -{% if interface_config.access_list.in is vyos_defined %} - distribute-list {{ interface_config.access_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.access_list.out is vyos_defined %} - distribute-list {{ interface_config.access_list.out }} out {{ interface }} -{% endif %} -{% if interface_config.prefix_list.in is vyos_defined %} - distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.prefix_list.out is vyos_defined %} - distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} -{% endif %} -{% endfor %} -{% endif %} -{% if distribute_list.prefix_list.in is vyos_defined %} - distribute-list prefix {{ distribute_list.prefix_list.in }} in -{% endif %} -{% if distribute_list.prefix_list.out is vyos_defined %} - distribute-list prefix {{ distribute_list.prefix_list.out }} out -{% endif %} +{{ render_distribute_list(distribute_list) }} {% endif %} {% include 'frr/rip_ripng.frr.j2' %} {% if version is vyos_defined %} diff --git a/data/templates/frr/ripngd.frr.j2 b/data/templates/frr/ripngd.frr.j2 index 7919b1bad..e857e9481 100644 --- a/data/templates/frr/ripngd.frr.j2 +++ b/data/templates/frr/ripngd.frr.j2 @@ -1,3 +1,4 @@ +{% from 'frr/ipv6_distribute_list_macro.j2' import render_ipv6_distribute_list %} {# Interface specific configuration #} {% if interface is vyos_defined %} {% for iface, iface_config in interface.items() %} @@ -19,34 +20,7 @@ router ripng {% endfor %} {% endif %} {% if distribute_list is vyos_defined %} -{% if distribute_list.access_list.in is vyos_defined %} - ipv6 distribute-list {{ distribute_list.access_list.in }} in -{% endif %} -{% if distribute_list.access_list.out is vyos_defined %} - ipv6 distribute-list {{ distribute_list.access_list.out }} out -{% endif %} -{% if distribute_list.interface is vyos_defined %} -{% for interface, interface_config in distribute_list.interface.items() %} -{% if interface_config.access_list.in is vyos_defined %} - ipv6 distribute-list {{ interface_config.access_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.access_list.out is vyos_defined %} - ipv6 distribute-list {{ interface_config.access_list.out }} out {{ interface }} -{% endif %} -{% if interface_config.prefix_list.in is vyos_defined %} - ipv6 distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.prefix_list.out is vyos_defined %} - ipv6 distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} -{% endif %} -{% endfor %} -{% endif %} -{% if distribute_list.prefix_list.in is vyos_defined %} - ipv6 distribute-list prefix {{ distribute_list.prefix_list.in }} in -{% endif %} -{% if distribute_list.prefix_list.out is vyos_defined %} - ipv6 distribute-list prefix {{ distribute_list.prefix_list.out }} out -{% endif %} +{{ render_ipv6_distribute_list(distribute_list) }} {% endif %} {% include 'frr/rip_ripng.frr.j2' %} exit diff --git a/data/templates/frr/staticd.frr.j2 b/data/templates/frr/staticd.frr.j2 index 55c05ceb7..992a0435c 100644 --- a/data/templates/frr/staticd.frr.j2 +++ b/data/templates/frr/staticd.frr.j2 @@ -37,7 +37,7 @@ vrf {{ vrf }} {% endfor %} {% endif %} {% if vrf is vyos_defined %} - exit-vrf +exit-vrf {% endif %} ! {# Policy route tables #} diff --git a/data/templates/frr/vrf-vni.frr.j2 b/data/templates/frr/vrf-vni.frr.j2 deleted file mode 100644 index e5f4810a1..000000000 --- a/data/templates/frr/vrf-vni.frr.j2 +++ /dev/null @@ -1,9 +0,0 @@ -{% if name is vyos_defined %} -{% for vrf, vrf_config in name.items() %} -vrf {{ vrf }} -{% if vrf_config.vni is vyos_defined %} - vni {{ vrf_config.vni }} -{% endif %} - exit-vrf -{% endfor %} -{% endif %} diff --git a/data/templates/frr/vrf.route-map.frr.j2 b/data/templates/frr/vrf.route-map.frr.j2 deleted file mode 100644 index 5e0c56a7b..000000000 --- a/data/templates/frr/vrf.route-map.frr.j2 +++ /dev/null @@ -1,10 +0,0 @@ -! -{% if vrf is vyos_defined and route_map is vyos_defined %} -vrf {{ vrf }} - ip protocol {{ protocol }} route-map {{ route_map }} - exit-vrf -! -{% elif route_map is vyos_defined %} -ip protocol {{ protocol }} route-map {{ route_map }} -{% endif %} -! diff --git a/data/templates/frr/zebra.route-map.frr.j2 b/data/templates/frr/zebra.route-map.frr.j2 new file mode 100644 index 000000000..8e18abbde --- /dev/null +++ b/data/templates/frr/zebra.route-map.frr.j2 @@ -0,0 +1,9 @@ +! +{% if protocol is vyos_defined %} +{% for protocol_name, protocol_config in protocol.items() %} +{% if protocol_name is vyos_defined('ospfv3') %} +{% set protocol_name = 'ospf6' %} +{% endif %} +{{ afi }} protocol {{ protocol_name }} route-map {{ protocol_config.route_map }} +{% endfor %} +{% endif %} diff --git a/data/templates/frr/zebra.vrf.route-map.frr.j2 b/data/templates/frr/zebra.vrf.route-map.frr.j2 new file mode 100644 index 000000000..4e1206374 --- /dev/null +++ b/data/templates/frr/zebra.vrf.route-map.frr.j2 @@ -0,0 +1,28 @@ +! +{% if name is vyos_defined %} +{% for vrf, vrf_config in name.items() %} +{# code path required for vrf_vni.py as we will only render the required VR configuration and not all of them #} +{% if only_vrf is vyos_defined and vrf is not vyos_defined(only_vrf) %} +{% continue %} +{% endif %} +vrf {{ vrf }} +{% if vrf_config.ip.protocol is vyos_defined %} +{% for protocol_name, protocol_config in vrf_config.ip.protocol.items() %} + ip protocol {{ protocol_name }} route-map {{ protocol_config.route_map }} +{% endfor %} +{% endif %} +{% if vrf_config.ipv6.protocol is vyos_defined %} +{% for protocol_name, protocol_config in vrf_config.ipv6.protocol.items() %} +{% if protocol_name is vyos_defined('ospfv3') %} +{% set protocol_name = 'ospf6' %} +{% endif %} + ipv6 protocol {{ protocol_name }} route-map {{ protocol_config.route_map }} +{% endfor %} +{% endif %} +{% if vrf_config.vni is vyos_defined and no_vni is not vyos_defined %} + vni {{ vrf_config.vni }} +{% endif %} +exit-vrf +{% endfor %} +! +{% endif %} diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2 index 706e1c5ae..6ea5f91d0 100644 --- a/data/templates/high-availability/keepalived.conf.j2 +++ b/data/templates/high-availability/keepalived.conf.j2 @@ -2,9 +2,30 @@ # Do not edit this file, all your changes will be lost # on next commit or reboot +# Global definitions configuration block global_defs { dynamic_interfaces script_user root +{% if vrrp.global_parameters.startup_delay is vyos_defined %} + vrrp_startup_delay {{ vrrp.global_parameters.startup_delay }} +{% endif %} +{% if vrrp.global_parameters.garp is vyos_defined %} +{% if vrrp.global_parameters.garp.interval is vyos_defined %} + vrrp_garp_interval {{ vrrp.global_parameters.garp.interval }} +{% endif %} +{% if vrrp.global_parameters.garp.master_delay is vyos_defined %} + vrrp_garp_master_delay {{ vrrp.global_parameters.garp.master_delay }} +{% endif %} +{% if vrrp.global_parameters.garp.master_refresh is vyos_defined %} + vrrp_garp_master_refresh {{ vrrp.global_parameters.garp.master_refresh }} +{% endif %} +{% if vrrp.global_parameters.garp.master_refresh_repeat is vyos_defined %} + vrrp_garp_master_refresh_repeat {{ vrrp.global_parameters.garp.master_refresh_repeat }} +{% endif %} +{% if vrrp.global_parameters.garp.master_repeat is vyos_defined %} + vrrp_garp_master_repeat {{ vrrp.global_parameters.garp.master_repeat }} +{% endif %} +{% endif %} notify_fifo /run/keepalived/keepalived_notify_fifo notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py } @@ -28,6 +49,23 @@ vrrp_instance {{ name }} { virtual_router_id {{ group_config.vrid }} priority {{ group_config.priority }} advert_int {{ group_config.advertise_interval }} +{% if group_config.garp is vyos_defined %} +{% if group_config.garp.interval is vyos_defined %} + garp_interval {{ group_config.garp.interval }} +{% endif %} +{% if group_config.garp.master_delay is vyos_defined %} + garp_master_delay {{ group_config.garp.master_delay }} +{% endif %} +{% if group_config.garp.master_repeat is vyos_defined %} + garp_master_repeat {{ group_config.garp.master_repeat }} +{% endif %} +{% if group_config.garp.master_refresh is vyos_defined %} + garp_master_refresh {{ group_config.garp.master_refresh }} +{% endif %} +{% if group_config.garp.master_refresh_repeat is vyos_defined %} + garp_master_refresh_repeat {{ group_config.garp.master_refresh_repeat }} +{% endif %} +{% endif %} {% if group_config.track.exclude_vrrp_interface is vyos_defined %} dont_track_primary {% endif %} @@ -126,7 +164,12 @@ vrrp_sync_group {{ name }} { {% if virtual_server is vyos_defined %} # Virtual-server configuration {% for vserver, vserver_config in virtual_server.items() %} +# Vserver {{ vserver }} +{% if vserver_config.port is vyos_defined %} virtual_server {{ vserver }} {{ vserver_config.port }} { +{% else %} +virtual_server fwmark {{ vserver_config.fwmark }} { +{% endif %} delay_loop {{ vserver_config.delay_loop }} {% if vserver_config.algorithm is vyos_defined('round-robin') %} lb_algo rr @@ -156,9 +199,14 @@ virtual_server {{ vserver }} {{ vserver_config.port }} { {% for rserver, rserver_config in vserver_config.real_server.items() %} real_server {{ rserver }} {{ rserver_config.port }} { weight 1 +{% if rserver_config.health_check.script is vyos_defined %} + MISC_CHECK { + misc_path {{ rserver_config.health_check.script }} +{% else %} {{ vserver_config.protocol | upper }}_CHECK { -{% if rserver_config.connection_timeout is vyos_defined %} +{% if rserver_config.connection_timeout is vyos_defined %} connect_timeout {{ rserver_config.connection_timeout }} +{% endif %} {% endif %} } } diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 index dbb08e187..b541ff309 100644 --- a/data/templates/https/nginx.default.j2 +++ b/data/templates/https/nginx.default.j2 @@ -16,6 +16,8 @@ server { server_name {{ name }}; {% endfor %} + root /srv/localui; + {% if server.certbot %} ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem; ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem; @@ -34,7 +36,7 @@ server { ssl_protocols TLSv1.2 TLSv1.3; # proxy settings for HTTP API, if enabled; 503, if not - location ~ /(retrieve|configure|config-file|image|generate|show|reset|docs|openapi.json|redoc|graphql) { + location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reset|docs|openapi.json|redoc|graphql) { {% if server.api %} {% if server.api.socket %} proxy_pass http://unix:/run/api.sock; @@ -48,6 +50,12 @@ server { {% else %} return 503; {% endif %} +{% if server.allow_client %} +{% for client in server.allow_client %} + allow {{ client }}; +{% endfor %} + deny all; +{% endif %} } error_page 497 =301 https://$host:{{ server.port }}$request_uri; diff --git a/data/templates/iproute2/static.conf.j2 b/data/templates/iproute2/static.conf.j2 new file mode 100644 index 000000000..10c9bdab7 --- /dev/null +++ b/data/templates/iproute2/static.conf.j2 @@ -0,0 +1,8 @@ +# Generated by VyOS (protocols_static.py), do not edit by hand +{% if table is vyos_defined %} +{% for t, t_options in table.items() %} +{% if t_options.description is vyos_defined %} +{{ "%-6s" | format(t) }} {{ "%-40s" | format(t_options.description) }} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/vrf/vrf.conf.j2 b/data/templates/iproute2/vrf.conf.j2 index d31d23574..d31d23574 100644 --- a/data/templates/vrf/vrf.conf.j2 +++ b/data/templates/iproute2/vrf.conf.j2 diff --git a/data/templates/ipsec/ipsec.conf.j2 b/data/templates/ipsec/ipsec.conf.j2 deleted file mode 100644 index f63995b38..000000000 --- a/data/templates/ipsec/ipsec.conf.j2 +++ /dev/null @@ -1,19 +0,0 @@ -# Created by VyOS - manual changes will be overwritten - -config setup -{% set charondebug = '' %} -{% if log.subsystem is vyos_defined %} -{% set subsystem = log.subsystem %} -{% if 'any' in log.subsystem %} -{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', - 'net', 'asn', 'enc', 'lib', 'esp', 'tls', 'tnc', - 'imc', 'imv', 'pts'] %} -{% endif %} -{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %} -{% endif %} - charondebug = "{{ charondebug }}" - uniqueids = {{ "no" if disable_uniqreqids is vyos_defined else "yes" }} - -{% if include_ipsec_conf is vyos_defined %} -include {{ include_ipsec_conf }} -{% endif %} diff --git a/data/templates/ipsec/ipsec.secrets.j2 b/data/templates/ipsec/ipsec.secrets.j2 deleted file mode 100644 index a87ac9bc7..000000000 --- a/data/templates/ipsec/ipsec.secrets.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# Created by VyOS - manual changes will be overwritten - -{% if include_ipsec_secrets is vyos_defined %} -include {{ include_ipsec_secrets }} -{% endif %} diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2 index 38d7981c6..d44d0f5e4 100644 --- a/data/templates/ipsec/swanctl.conf.j2 +++ b/data/templates/ipsec/swanctl.conf.j2 @@ -58,23 +58,7 @@ secrets { {% if site_to_site.peer is vyos_defined %} {% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} {% set peer_name = peer.replace("@", "") | dot_colon_to_dash %} -{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %} - ike_{{ peer_name }} { -{% if peer_conf.local_address is vyos_defined %} - id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} -{% endif %} -{% for address in peer_conf.remote_address %} - id-remote_{{ address | dot_colon_to_dash }} = {{ address }} -{% endfor %} -{% if peer_conf.authentication.local_id is vyos_defined %} - id-localid = {{ peer_conf.authentication.local_id }} -{% endif %} -{% if peer_conf.authentication.remote_id is vyos_defined %} - id-remoteid = {{ peer_conf.authentication.remote_id }} -{% endif %} - secret = "{{ peer_conf.authentication.pre_shared_secret }}" - } -{% elif peer_conf.authentication.mode is vyos_defined('x509') %} +{% if peer_conf.authentication.mode is vyos_defined('x509') %} private_{{ peer_name }} { file = {{ peer_conf.authentication.x509.certificate }}.pem {% if peer_conf.authentication.x509.passphrase is vyos_defined %} @@ -91,6 +75,21 @@ secrets { {% endif %} {% endfor %} {% endif %} +{% if authentication.psk is vyos_defined %} +{% for psk, psk_config in authentication.psk.items() %} + ike-{{ psk }} { +{% if psk_config.id is vyos_defined %} + # ID's from auth psk <tag> id xxx +{% for id in psk_config.id %} +{% set gen_uuid = '' | generate_uuid4 %} + id-{{ gen_uuid }} = "{{ id }}" +{% endfor %} +{% endif %} + secret = "{{ psk_config.secret }}" + } +{% endfor %} +{% endif %} + {% if remote_access.connection is vyos_defined %} {% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %} {% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %} @@ -130,4 +129,3 @@ secrets { {% endif %} {% endif %} } - diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 index 837fa263c..9d95271fe 100644 --- a/data/templates/ipsec/swanctl/peer.j2 +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -45,11 +45,7 @@ {% endif %} } remote { -{% if peer_conf.authentication.remote_id is vyos_defined %} id = "{{ peer_conf.authentication.remote_id }}" -{% else %} - id = "{{ peer }}" -{% endif %} auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} {% if peer_conf.authentication.mode == 'rsa' %} pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem diff --git a/data/templates/login/limits.j2 b/data/templates/login/limits.j2 new file mode 100644 index 000000000..5e2c11f35 --- /dev/null +++ b/data/templates/login/limits.j2 @@ -0,0 +1,5 @@ +# Generated by /usr/libexec/vyos/conf_mode/system-login.py + +{% if max_login_session is vyos_defined %} +* - maxsyslogins {{ max_login_session }} +{% endif %} diff --git a/data/templates/ntp/ntpd.conf.j2 b/data/templates/ntp/ntpd.conf.j2 deleted file mode 100644 index 8921826fa..000000000 --- a/data/templates/ntp/ntpd.conf.j2 +++ /dev/null @@ -1,49 +0,0 @@ -### Autogenerated by ntp.py ### - -# -# Non-configurable defaults -# -driftfile /var/lib/ntp/ntp.drift -# By default, only allow ntpd to query time sources, ignore any incoming requests -restrict default noquery nopeer notrap nomodify -# Allow pool associations -restrict source nomodify notrap noquery -# Local users have unrestricted access, allowing reconfiguration via ntpdc -restrict 127.0.0.1 -restrict -6 ::1 - -# -# Configurable section -# -{% if server is vyos_defined %} -{% for server, config in server.items() %} -{% set association = 'server' %} -{% if config.pool is vyos_defined %} -{% set association = 'pool' %} -{% endif %} -{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is vyos_defined }} {{ 'preempt' if config.preempt is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }} -{% endfor %} -{% endif %} - -{% if allow_clients.address is vyos_defined %} -# Allowed clients configuration -restrict default ignore -{% for address in allow_clients.address %} -restrict {{ address | address_from_cidr }} mask {{ address | netmask_from_cidr }} nomodify notrap nopeer -{% endfor %} -{% endif %} - -{% if listen_address is vyos_defined or interface is vyos_defined %} -# NTP should listen on configured addresses only -interface ignore wildcard -{% if listen_address is vyos_defined %} -{% for address in listen_address %} -interface listen {{ address }} -{% endfor %} -{% endif %} -{% if interface is vyos_defined %} -{% for ifname in interface %} -interface listen {{ ifname }} -{% endfor %} -{% endif %} -{% endif %} diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 3194354e6..aa1073bca 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -10,6 +10,10 @@ udp-port = {{ listen_ports.udp }} run-as-user = nobody run-as-group = daemon +{% if accounting.mode.radius is vyos_defined %} +acct = "radius [config=/run/ocserv/radiusclient.conf]" +{% endif %} + {% if "radius" in authentication.mode %} auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]" {% elif "local" in authentication.mode %} diff --git a/data/templates/ocserv/radius_conf.j2 b/data/templates/ocserv/radius_conf.j2 index b6612fee5..1ab322f69 100644 --- a/data/templates/ocserv/radius_conf.j2 +++ b/data/templates/ocserv/radius_conf.j2 @@ -1,20 +1,34 @@ ### generated by vpn_openconnect.py ### nas-identifier VyOS -{% for srv in server %} -{% if not "disable" in server[srv] %} -{% if "port" in server[srv] %} -authserver {{ srv }}:{{ server[srv]["port"] }} + +#### Accounting +{% if accounting.mode.radius is vyos_defined %} +{% for acctsrv, srv_conf in accounting.radius.server.items() if 'disable' not in srv_conf %} +{% if srv_conf.port is vyos_defined %} +acctserver {{ acctsrv }}:{{ srv_conf.port }} {% else %} -authserver {{ srv }} +acctserver {{ acctsrv }} {% endif %} -{% endif %} -{% endfor %} -radius_timeout {{ timeout }} -{% if source_address %} -bindaddr {{ source_address }} -{% else %} +{% endfor %} +{% endif %} + +#### Authentication +{% if authentication.mode.radius is vyos_defined %} +{% for authsrv, srv_conf in authentication.radius.server.items() if 'disable' not in srv_conf %} +{% if srv_conf.port is vyos_defined %} +authserver {{ authsrv }}:{{ srv_conf.port }} +{% else %} +authserver {{ authsrv }} +{% endif %} +{% endfor %} +radius_timeout {{ authentication['radius']['timeout'] }} +{% if source_address %} +bindaddr {{ authentication['radius']['source_address'] }} +{% else %} bindaddr * +{% endif %} {% endif %} + servers /run/ocserv/radius_servers dictionary /etc/radcli/dictionary default_realm diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 index 6dd4ef88d..6332ed9c2 100644 --- a/data/templates/openvpn/server.conf.j2 +++ b/data/templates/openvpn/server.conf.j2 @@ -98,7 +98,7 @@ server-ipv6 {{ subnet }} {% endif %} {% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %} -ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }} +ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }} {{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }} {% endif %} {% if server.max_connections is vyos_defined %} max-clients {{ server.max_connections }} @@ -213,6 +213,9 @@ keysize 256 data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} {% endif %} {% endif %} +# https://vyos.dev/T5027 +# Required to support BF-CBC (default ciphername when none given) +providers legacy default {% if hash is vyos_defined %} auth {{ hash }} diff --git a/data/templates/pppoe/peer.j2 b/data/templates/pppoe/peer.j2 index 6221abb9b..f30cefe63 100644 --- a/data/templates/pppoe/peer.j2 +++ b/data/templates/pppoe/peer.j2 @@ -36,10 +36,13 @@ maxfail 0 plugin rp-pppoe.so {{ source_interface }} {% if access_concentrator is vyos_defined %} -rp_pppoe_ac '{{ access_concentrator }}' +pppoe-ac "{{ access_concentrator }}" {% endif %} {% if service_name is vyos_defined %} -rp_pppoe_service '{{ service_name }}' +pppoe-service "{{ service_name }}" +{% endif %} +{% if host_uniq is vyos_defined %} +pppoe-host-uniq "{{ host_uniq }}" {% endif %} persist @@ -50,7 +53,7 @@ mtu {{ mtu }} mru {{ mtu }} {% if authentication is vyos_defined %} -{{ 'user "' + authentication.user + '"' if authentication.user is vyos_defined }} +{{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }} {{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }} {% endif %} @@ -62,6 +65,10 @@ mru {{ mtu }} noipv6 {% endif %} +{% if holdoff is vyos_defined %} +holdoff {{ holdoff }} +{% endif %} + {% if connect_on_demand is vyos_defined %} demand # See T2249. PPP default route options should only be set when in on-demand diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2 index f4b384958..4ef4751dd 100644 --- a/data/templates/router-advert/radvd.conf.j2 +++ b/data/templates/router-advert/radvd.conf.j2 @@ -46,7 +46,7 @@ interface {{ iface }} { {% if iface_config.source_address is vyos_defined %} AdvRASrcAddress { {% for source_address in iface_config.source_address %} - {{ source_address }} + {{ source_address }}; {% endfor %} }; {% endif %} diff --git a/data/templates/sflow/hsflowd.conf.j2 b/data/templates/sflow/hsflowd.conf.j2 new file mode 100644 index 000000000..5000956bd --- /dev/null +++ b/data/templates/sflow/hsflowd.conf.j2 @@ -0,0 +1,32 @@ +# Genereated by /usr/libexec/vyos/conf_mode/system_sflow.py +# Parameters http://sflow.net/host-sflow-linux-config.php + +sflow { +{% if polling is vyos_defined %} + polling={{ polling }} +{% endif %} +{% if sampling_rate is vyos_defined %} + sampling={{ sampling_rate }} + sampling.bps_ratio=0 +{% endif %} +{% if agent_address is vyos_defined %} + agentIP={{ agent_address }} +{% endif %} +{% if agent_interface is vyos_defined %} + agent={{ agent_interface }} +{% endif %} +{% if server is vyos_defined %} +{% for server, server_config in server.items() %} + collector { ip = {{ server }} udpport = {{ server_config.port }} } +{% endfor %} +{% endif %} +{% if interface is vyos_defined %} +{% for iface in interface %} + pcap { dev={{ iface }} } +{% endfor %} +{% endif %} +{% if drop_monitor_limit is vyos_defined %} + dropmon { limit={{ drop_monitor_limit }} start=on sw=on hw=off } +{% endif %} + dbus { } +} diff --git a/data/templates/sflow/override.conf.j2 b/data/templates/sflow/override.conf.j2 new file mode 100644 index 000000000..f2a982528 --- /dev/null +++ b/data/templates/sflow/override.conf.j2 @@ -0,0 +1,16 @@ +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/sflow/hsflowd.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart=/usr/sbin/hsflowd -m %m -d -f /run/sflow/hsflowd.conf +WorkingDirectory= +WorkingDirectory=/run/sflow +PIDFile= +PIDFile=/run/sflow/hsflowd.pid +Restart=always +RestartSec=10 diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2 index 47bf6878f..9d78d479a 100644 --- a/data/templates/snmp/etc.snmpd.conf.j2 +++ b/data/templates/snmp/etc.snmpd.conf.j2 @@ -26,6 +26,9 @@ monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2 # interface (with different ifIndex) - this is the case on e.g. ppp interfaces interface_replace_old yes +# T4902: exclude container storage from monitoring +ignoreDisk /usr/lib/live/mount/persistence/container + ######################## # configurable section # ######################## @@ -59,28 +62,43 @@ agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vy {% if comm_config.client is vyos_defined %} {% for client in comm_config.client %} {% if client | is_ipv4 %} -{{ comm_config.authorization }}community {{ comm }} {{ client }} +{{ comm_config.authorization }}community {{ comm }} {{ client }} -V RESTRICTED {% elif client | is_ipv6 %} -{{ comm_config.authorization }}community6 {{ comm }} {{ client }} +{{ comm_config.authorization }}community6 {{ comm }} {{ client }} -V RESTRICTED {% endif %} {% endfor %} {% endif %} {% if comm_config.network is vyos_defined %} {% for network in comm_config.network %} {% if network | is_ipv4 %} -{{ comm_config.authorization }}community {{ comm }} {{ network }} +{{ comm_config.authorization }}community {{ comm }} {{ network }} -V RESTRICTED {% elif network | is_ipv6 %} -{{ comm_config.authorization }}community6 {{ comm }} {{ network }} +{{ comm_config.authorization }}community6 {{ comm }} {{ network }} -V RESTRICTED {% endif %} {% endfor %} {% endif %} -{% if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %} -{{ comm_config.authorization }}community {{ comm }} -{{ comm_config.authorization }}community6 {{ comm }} -{% endif %} {% endfor %} {% endif %} +# Default RESTRICTED view +view RESTRICTED included .1 80 +{% if 'ip-route-table' not in oid_enable %} +# ipRouteTable oid: excluded +view RESTRICTED excluded .1.3.6.1.2.1.4.21 +{% endif %} +{% if 'ip-net-to-media-table' not in oid_enable %} +# ipNetToMediaTable oid: excluded +view RESTRICTED excluded .1.3.6.1.2.1.4.22 +{% endif %} +{% if 'ip-net-to-physical-phys-address' not in oid_enable %} +# ipNetToPhysicalPhysAddress oid: excluded +view RESTRICTED excluded .1.3.6.1.2.1.4.35 +{% endif %} +{% if 'ip-forward' not in oid_enable %} +# ipForward oid: excluded +view RESTRICTED excluded .1.3.6.1.2.1.4.24 +{% endif %} + {% if contact is vyos_defined %} # system contact information SysContact {{ contact }} diff --git a/data/templates/snmp/override.conf.j2 b/data/templates/snmp/override.conf.j2 index 5d787de86..443ee64db 100644 --- a/data/templates/snmp/override.conf.j2 +++ b/data/templates/snmp/override.conf.j2 @@ -1,5 +1,4 @@ {% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} -{% set oid_route_table = ' ' if oid_enable is vyos_defined('route-table') else '-I -ipCidrRouteTable,inetCidrRouteTable' %} [Unit] StartLimitIntervalSec=0 After=vyos-router.service @@ -8,7 +7,7 @@ After=vyos-router.service Environment= Environment="MIBDIRS=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/vyos/mibs" ExecStart= -ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp {{ oid_route_table }} -f -p /run/snmpd.pid +ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -f -p /run/snmpd.pid Restart=always RestartSec=10 diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 index 93735020c..422969ed8 100644 --- a/data/templates/ssh/sshd_config.j2 +++ b/data/templates/ssh/sshd_config.j2 @@ -29,7 +29,7 @@ PermitRootLogin no PidFile /run/sshd/sshd.pid AddressFamily any DebianBanner no -PasswordAuthentication no +KbdInteractiveAuthentication no # # User configurable section @@ -48,7 +48,7 @@ Port {{ value }} LogLevel {{ loglevel | upper }} # Specifies whether password authentication is allowed -ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} +PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} {% if listen_address is vyos_defined %} # Specifies the local addresses sshd should listen on diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2 index 7a0b0e1f7..745a09e14 100644 --- a/data/templates/sstp-client/peer.j2 +++ b/data/templates/sstp-client/peer.j2 @@ -45,7 +45,7 @@ lock nodeflate {% if authentication is vyos_defined %} -{{ 'user "' + authentication.user + '"' if authentication.user is vyos_defined }} +{{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }} {{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }} {% endif %} diff --git a/data/templates/system/ssh_config.j2 b/data/templates/system/ssh_config.j2 index 1449f95b1..d3ede0971 100644 --- a/data/templates/system/ssh_config.j2 +++ b/data/templates/system/ssh_config.j2 @@ -1,3 +1,6 @@ {% if ssh_client.source_address is vyos_defined %} BindAddress {{ ssh_client.source_address }} {% endif %} +{% if ssh_client.source_interface is vyos_defined %} +BindInterface {{ ssh_client.source_interface }} +{% endif %} diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2 index 36571ce98..5852d6232 100644 --- a/data/templates/telegraf/telegraf.j2 +++ b/data/templates/telegraf/telegraf.j2 @@ -12,7 +12,7 @@ debug = false quiet = false logfile = "" - hostname = "" + hostname = "{{ hostname }}" omit_hostname = false {% if azure_data_explorer is vyos_defined %} ### Azure Data Explorer ### @@ -102,7 +102,7 @@ dirs = ["/proc/sys/net/ipv4/netfilter","/proc/sys/net/netfilter"] [[inputs.ethtool]] interface_include = {{ interfaces_ethernet }} -[[inputs.ntpq]] +[[inputs.chrony]] dns_lookup = true [[inputs.internal]] [[inputs.nstat]] |