Diffstat (limited to 'data')
-rw-r--r--data/config-mode-dependencies/vyos-1x.json6
-rw-r--r--data/templates/conntrack/nftables-ct.j236
-rw-r--r--data/templates/conntrack/nftables-helpers.j26
-rw-r--r--data/templates/conntrackd/conntrackd.conf.j22
-rw-r--r--data/templates/frr/ospf6d.frr.j22
-rw-r--r--data/templates/frr/ospfd.frr.j28
-rw-r--r--data/templates/high-availability/keepalived.conf.j237
-rw-r--r--data/templates/https/nginx.default.j24
-rw-r--r--data/templates/load-balancing/wlb.conf.j24
-rw-r--r--data/templates/login/default_motd.j214
-rw-r--r--data/templates/router-advert/radvd.conf.j27
-rw-r--r--data/templates/snmp/etc.snmpd.conf.j27
-rw-r--r--data/templates/vyos-hostsd/hosts.j22
-rw-r--r--data/vyos-firewall-init.conf2
14 files changed, 107 insertions, 30 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index b0586e0bb..afe3dd838 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,6 +1,7 @@
{
"system_conntrack": {
- "conntrack_sync": ["service_conntrack-sync"]
+ "conntrack_sync": ["service_conntrack-sync"],
+ "vrf": ["vrf"]
},
"firewall": {
"conntrack": ["system_conntrack"],
@@ -30,6 +31,9 @@
"rpki": ["protocols_rpki"],
"sstp": ["vpn_sstp"]
},
+ "vpn_ipsec": {
+ "nhrp": ["protocols_nhrp"]
+ },
"vpn_l2tp": {
"ipsec": ["vpn_ipsec"]
},
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 762a6f693..c753e6bcb 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -40,9 +40,6 @@ table ip vyos_conntrack {
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
-{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
- counter jump VYOS_CT_HELPER
-{% endif %}
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
@@ -51,11 +48,15 @@ table ip vyos_conntrack {
notrack
}
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
+ chain PREROUTING_HELPER {
+ type filter hook prerouting priority -5; policy accept;
counter jump VYOS_CT_HELPER
+ }
{% endif %}
+
+ chain OUTPUT {
+ type filter hook output priority -300; policy accept;
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
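Review bot: The new `PREROUTING_HELPER` chain is hooked at `priority -5` with nothing in the template saying why that value was chosen, while the helper jump it replaces ran inside `PREROUTING` at `-300`; a reader cannot tell whether `-5` is meant to land after dstnat (-100) so the rules in VYOS_CT_HELPER match translated ports, or something else. A one-line comment above the chain would settle it, e.g. `{# helper assignment runs after conntrack (-200) and dstnat (-100) so VYOS_CT_HELPER matches the post-DNAT port; -5 keeps it ahead of the filter hook at 0 — confirm #}`. The same applies to `OUTPUT_HELPER` in the next hunk and to the two ip6 chains in the hunks after that. The guarding `{% if ... == 'accept' or ... == 'accept' %}` condition is now repeated four times in this file; a `{% set helpers_enabled = ... %}` at the top of each table would keep the IPv4 and IPv6 variants from drifting apart.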
@@ -66,6 +67,13 @@ table ip vyos_conntrack {
notrack
}
+{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
+ chain OUTPUT_HELPER {
+ type filter hook output priority -5; policy accept;
+ counter jump VYOS_CT_HELPER
+ }
+{% endif %}
+
{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }}
chain FW_CONNTRACK {
@@ -122,9 +130,6 @@ table ip6 vyos_conntrack {
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
-{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
- counter jump VYOS_CT_HELPER
-{% endif %}
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
@@ -132,11 +137,15 @@ table ip6 vyos_conntrack {
notrack
}
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
+ chain PREROUTING_HELPER {
+ type filter hook prerouting priority -5; policy accept;
counter jump VYOS_CT_HELPER
+ }
{% endif %}
+
+ chain OUTPUT {
+ type filter hook output priority -300; policy accept;
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
@@ -144,6 +153,13 @@ table ip6 vyos_conntrack {
notrack
}
+{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
+ chain OUTPUT_HELPER {
+ type filter hook output priority -5; policy accept;
+ counter jump VYOS_CT_HELPER
+ }
+{% endif %}
+
{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }}
chain FW_CONNTRACK {
diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2
index 433931162..63a0cc855 100644
--- a/data/templates/conntrack/nftables-helpers.j2
+++ b/data/templates/conntrack/nftables-helpers.j2
@@ -31,6 +31,12 @@
}
{% endif %}
+{% if modules.rtsp is vyos_defined and ipv4 %}
+ ct helper rtsp_tcp {
+ type "rtsp" protocol tcp;
+ }
+{% endif %}
+
{% if modules.sip is vyos_defined %}
ct helper sip_tcp {
type "sip" protocol tcp;
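Review bot: The rtsp helper is the only definition in this macro guarded with `and ipv4`, and the hunk gives no reason for the restriction, so the next person is likely to "fix" it; document it above the block, e.g. `{# rtsp helper is defined for IPv4 only — the conntrack rtsp module is not available for IPv6 — confirm #}`. The rule that actually assigns `rtsp_tcp` to traffic lives in VYOS_CT_HELPER outside this hunk; as with every conntrack helper, that assignment should stay restricted to the RTSP port rather than applied broadly, since helpers parse payload and create expectations.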
diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2
index 8f56c8171..669b20877 100644
--- a/data/templates/conntrackd/conntrackd.conf.j2
+++ b/data/templates/conntrackd/conntrackd.conf.j2
@@ -76,7 +76,7 @@ General {
HashSize {{ hash_size }}
HashLimit {{ table_size | int *2 }}
LogFile off
- Syslog on
+ Syslog {{ 'off' if disable_syslog is vyos_defined else 'on' }}
LockFile /var/lock/conntrack.lock
UNIX {
Path /var/run/conntrackd.ctl
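Review bot: With `LogFile off` two lines above, the new `Syslog {{ 'off' if disable_syslog ... }}` line means that setting `disable_syslog` leaves conntrackd with no log output at all, which is worth stating next to the line so operators understand what they are switching off: `{# LogFile is off above, so disable_syslog silences conntrackd entirely #}`. The enclosing `General` block starts outside the hunk.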
diff --git a/data/templates/frr/ospf6d.frr.j2 b/data/templates/frr/ospf6d.frr.j2
index b0b5663dd..5f758f9e5 100644
--- a/data/templates/frr/ospf6d.frr.j2
+++ b/data/templates/frr/ospf6d.frr.j2
@@ -109,7 +109,7 @@ router ospf6 {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
{% endif %}
{% if redistribute is vyos_defined %}
{% for protocol, options in redistribute.items() %}
- redistribute {{ protocol }} {{ 'route-map ' ~ options.route_map if options.route_map is vyos_defined }}
+ redistribute {{ protocol }} {{ 'metric ' ~ options.metric if options.metric is vyos_defined }} {{ 'metric-type ' ~ options.metric_type if options.metric_type is vyos_defined }} {{ 'route-map ' ~ options.route_map if options.route_map is vyos_defined }}
{% endfor %}
{% endif %}
exit
diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2
index 040628e82..ab074b6a2 100644
--- a/data/templates/frr/ospfd.frr.j2
+++ b/data/templates/frr/ospfd.frr.j2
@@ -214,13 +214,13 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
passive-interface default
{% endif %}
{% if redistribute is vyos_defined %}
-{% for protocol, protocols_options in redistribute.items() %}
+{% for protocol, options in redistribute.items() %}
{% if protocol == 'table' %}
-{% for table, table_options in protocols_options.items() %}
- redistribute {{ protocol }} {{ table }} {{ 'metric ' + table_options.metric if table_options.metric is vyos_defined }} {{ 'metric-type ' + table_options.metric_type if table_options.metric_type is vyos_defined }} {{ 'route-map ' + table_options.route_map if table_options.route_map is vyos_defined }}
+{% for table, table_options in options.items() %}
+ redistribute {{ protocol }} {{ table }} {{ 'metric ' ~ table_options.metric if table_options.metric is vyos_defined }} {{ 'metric-type ' ~ table_options.metric_type if table_options.metric_type is vyos_defined }} {{ 'route-map ' ~ table_options.route_map if table_options.route_map is vyos_defined }}
{% endfor %}
{% else %}
- redistribute {{ protocol }} {{ 'metric ' + protocols_options.metric if protocols_options.metric is vyos_defined }} {{ 'metric-type ' + protocols_options.metric_type if protocols_options.metric_type is vyos_defined }} {{ 'route-map ' + protocols_options.route_map if protocols_options.route_map is vyos_defined }}
+ redistribute {{ protocol }} {{ 'metric ' ~ options.metric if options.metric is vyos_defined }} {{ 'metric-type ' ~ options.metric_type if options.metric_type is vyos_defined }} {{ 'route-map ' ~ options.route_map if options.route_map is vyos_defined }}
{% endif %}
{% endfor %}
{% endif %}
diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2
index d54f575b5..240161748 100644
--- a/data/templates/high-availability/keepalived.conf.j2
+++ b/data/templates/high-availability/keepalived.conf.j2
@@ -33,6 +33,24 @@ global_defs {
notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}
+{# Sync group has own health-check scripts T6020 #}
+{% if vrrp.sync_group is vyos_defined %}
+{% for name, sync_group_config in vrrp.sync_group.items() if sync_group_config.disable is not vyos_defined %}
+{% if sync_group_config.health_check is vyos_defined %}
+vrrp_script healthcheck_sg_{{ name }} {
+{% if sync_group_config.health_check.script is vyos_defined %}
+ script "{{ sync_group_config.health_check.script }}"
+{% elif sync_group_config.health_check.ping is vyos_defined %}
+ script "/usr/bin/ping -c1 {{ sync_group_config.health_check.ping }}"
+{% endif %}
+ interval {{ sync_group_config.health_check.interval }}
+ fall {{ sync_group_config.health_check.failure_count }}
+ rise 1
+}
+{% endif %}
+{% endfor %}
+{% endif %}
+
{% if vrrp.group is vyos_defined %}
{% for name, group_config in vrrp.group.items() if group_config.disable is not vyos_defined %}
{% if group_config.health_check is vyos_defined %}
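Review bot: In the new `healthcheck_sg_{{ name }}` block the `script` line is only emitted when `health_check.script` or `health_check.ping` is set, but the surrounding `vrrp_script` is emitted whenever `health_check` itself is defined, so a sync group with only `interval`/`failure_count` configured renders a `vrrp_script` with no `script` statement. Unless the CLI validator guarantees one of the two is present, tighten the outer condition to `{% if sync_group_config.health_check.script is vyos_defined or sync_group_config.health_check.ping is vyos_defined %}`. The ping target is also interpolated straight into a shell command line in `script "/usr/bin/ping -c1 ..."`, which is fine only if the CLI constrains the value to an address; the template cannot check that, so a short comment stating the assumption would help. Inferred, not visible here: `interval` and `failure_count` presumably carry CLI defaults, otherwise those lines render empty.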
@@ -82,7 +100,11 @@ vrrp_instance {{ name }} {
nopreempt
{% endif %}
{% if group_config.peer_address is vyos_defined %}
- unicast_peer { {{ group_config.peer_address }} }
+ unicast_peer {
+{% for peer_address in group_config.peer_address %}
+ {{ peer_address }}
+{% endfor %}
+ }
{% endif %}
{% if group_config.hello_source_address is vyos_defined %}
{% if group_config.peer_address is vyos_defined %}
@@ -128,7 +150,8 @@ vrrp_instance {{ name }} {
{% endfor %}
}
{% endif %}
-{% if group_config.health_check is vyos_defined %}
+{# Sync group member can't use own health check script #}
+{% if group_config.health_check is vyos_defined and group_config._is_sync_group_member is not vyos_defined %}
track_script {
healthcheck_{{ name }}
}
@@ -148,16 +171,12 @@ vrrp_sync_group {{ name }} {
{% endif %}
}
-{# Health-check scripts should be in section sync-group if member is part of the sync-group T4081 #}
-{% if vrrp.group is vyos_defined %}
-{% for name, group_config in vrrp.group.items() if group_config.disable is not vyos_defined %}
-{% if group_config.health_check.script is vyos_defined and name in sync_group_config.member %}
+{% if sync_group_config.health_check is vyos_defined %}
track_script {
- healthcheck_{{ name }}
+ healthcheck_sg_{{ name }}
}
-{% endif %}
-{% endfor %}
{% endif %}
+
{% if conntrack_sync_group is vyos_defined(name) %}
{% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %}
notify_master "{{ vyos_helper }} master {{ name }}"
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index 5d17df001..4619361e5 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -21,6 +21,10 @@ server {
server_name {{ hostname }};
root /srv/localui;
+{% if request_body_size_limit is vyos_defined %}
+ client_max_body_size {{ request_body_size_limit }}M;
+{% endif %}
+
# SSL configuration
{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
ssl_certificate {{ certificates.cert_path }};
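Review bot: `client_max_body_size {{ request_body_size_limit }}M;` bakes the unit into the template, and when the option is unset nothing is emitted so nginx's built-in default applies; a comment stating both would spare the next reader a lookup, e.g. `{# request_body_size_limit is in megabytes; when unset nginx's default client_max_body_size (1m) applies #}`. The enclosing `server` block starts outside the hunk.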
diff --git a/data/templates/load-balancing/wlb.conf.j2 b/data/templates/load-balancing/wlb.conf.j2
index 6557b6f4c..7f04d797e 100644
--- a/data/templates/load-balancing/wlb.conf.j2
+++ b/data/templates/load-balancing/wlb.conf.j2
@@ -93,6 +93,8 @@ rule {{ rule }} {
{% if rule_config.destination.port is vyos_defined %}
{% if '-' in rule_config.destination.port %}
port-ipt "-m multiport --dports {{ rule_config.destination.port | replace('-', ':') }}"
+{% elif ',' in rule_config.destination.port %}
+ port-ipt "-m multiport --dports {{ rule_config.destination.port }}"
{% else %}
port-ipt " --dport {{ rule_config.destination.port }}"
{% endif %}
@@ -107,6 +109,8 @@ rule {{ rule }} {
{% if rule_config.source.port is vyos_defined %}
{% if '-' in rule_config.source.port %}
port-ipt "-m multiport --sports {{ rule_config.source.port | replace('-', ':') }}"
+{% elif ',' in rule_config.destination.port %}
+ port-ipt "-m multiport --sports {{ rule_config.source.port }}"
{% else %}
port.ipt " --sport {{ rule_config.source.port }}"
{% endif %}
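Review bot: The new `elif` in the source-port branch tests `rule_config.destination.port` instead of `rule_config.source.port`, so a comma-separated source port list is only handled when the destination port also happens to contain a comma, and when no destination port is configured at all the `in` test runs against an undefined value. Change it to `{% elif ',' in rule_config.source.port %}`, mirroring the destination hunk above. Not introduced by this commit but visible on the following context line, `port.ipt " --sport ..."` looks like a typo for `port-ipt` and deserves a separate fix.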
diff --git a/data/templates/login/default_motd.j2 b/data/templates/login/default_motd.j2
new file mode 100644
index 000000000..543c6f8e0
--- /dev/null
+++ b/data/templates/login/default_motd.j2
@@ -0,0 +1,14 @@
+Welcome to VyOS!
+
+ ┌── ┐
+ . VyOS {{ version_data.version }}
+ └ ──┘ {{ version_data.release_train }}
+
+ * Documentation: {{ version_data.documentation_url }}
+ * Project news: {{ version_data.project_news_url }}
+ * Bug reports: {{ version_data.bugtracker_url }}
+
+You can change this banner using "set system login banner post-login" command.
+
+VyOS is a free software distribution that includes multiple components,
+you can check individual component licenses under /usr/share/doc/*/copyright
diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2
index 4ef4751dd..97180d164 100644
--- a/data/templates/router-advert/radvd.conf.j2
+++ b/data/templates/router-advert/radvd.conf.j2
@@ -50,6 +50,13 @@ interface {{ iface }} {
{% endfor %}
};
{% endif %}
+{% if iface_config.nat64prefix is vyos_defined %}
+{% for nat64prefix, nat64prefix_options in iface_config.nat64prefix.items() %}
+ nat64prefix {{ nat64prefix }} {
+ AdvValidLifetime {{ nat64prefix_options.valid_lifetime }};
+ };
+{% endfor %}
+{% endif %}
{% if iface_config.prefix is vyos_defined %}
{% for prefix, prefix_options in iface_config.prefix.items() %}
prefix {{ prefix }} {
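Review bot: `AdvValidLifetime {{ nat64prefix_options.valid_lifetime }};` is emitted unconditionally, so if `valid_lifetime` has no CLI default the line renders as `AdvValidLifetime ;` and radvd rejects the configuration; either confirm the default exists or guard the line with `{% if nat64prefix_options.valid_lifetime is vyos_defined %}`. The enclosing `interface` block starts outside the hunk.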
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index b1ceb0451..9d91192fc 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -141,8 +141,13 @@ trap2sink {{ trap }}:{{ trap_config.port }} {{ trap_config.community }}
# views
{% for view, view_config in v3.view.items() %}
{% if view_config.oid is vyos_defined %}
-{% for oid in view_config.oid %}
+{% for oid, oid_config in view_config.oid.items() %}
view {{ view }} included .{{ oid }}
+{% if oid_config.exclude is vyos_defined %}
+{% for excluded in oid_config.exclude %}
+view {{ view }} excluded .{{ excluded }}
+{% endfor %}
+{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
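Review bot: The new `view {{ view }} excluded .{{ excluded }}` lines rely on net-snmp resolving overlapping view entries by the most specific subtree (worth confirming against the snmpd.conf documentation) to narrow the `included` oid on the line above, and an `exclude` that is not beneath its parent oid silently has no effect; nothing in the template says so. A comment above the loop would make the intended contract explicit, e.g. `{# exclude entries must be subtrees of the included oid; net-snmp applies the most specific matching view entry #}`. Whether the CLI validator enforces that containment is not visible from this hunk.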
diff --git a/data/templates/vyos-hostsd/hosts.j2 b/data/templates/vyos-hostsd/hosts.j2
index 5cad983b4..62ecf3ad0 100644
--- a/data/templates/vyos-hostsd/hosts.j2
+++ b/data/templates/vyos-hostsd/hosts.j2
@@ -4,7 +4,7 @@
# Local host
127.0.0.1 localhost
-127.0.1.1 {{ host_name }}{% if domain_name %}.{{ domain_name }} {{ host_name }}{% endif %}
+127.0.1.1 {{ host_name }}
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
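Review bot: Dropping `.{{ domain_name }}` from the `127.0.1.1` line means the FQDN no longer resolves through /etc/hosts when a domain name is configured, which affects anything depending on `hostname -f`-style lookups; if that is intentional (for instance because the FQDN mapping is now written elsewhere), a template comment saying so would stop it being re-added, e.g. `{# hostname only: the FQDN mapping is intentionally not emitted here #}`. If it is not intentional, the previous form `127.0.1.1 {{ host_name }}{% if domain_name %}.{{ domain_name }} {{ host_name }}{% endif %}` should be kept.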
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 5a4e03015..3929edf0b 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -65,11 +65,9 @@ table inet vrf_zones {
# Chain for inbound traffic
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
- counter ct original zone set iifname map @ct_iface_map
}
# Chain for locally-generated traffic
chain vrf_zones_ct_out {
type filter hook output priority raw; policy accept;
- counter ct original zone set oifname map @ct_iface_map
}
}
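Review bot: After removing the two `ct original zone set` rules, `vrf_zones_ct_in` and `vrf_zones_ct_out` are empty base chains that still register prerouting and output hooks at raw priority, so every packet traverses them for no effect. If the zone assignment now happens elsewhere (the new `vrf` dependency added under `system_conntrack` in vyos-1x.json suggests the conntrack template took it over), the chains and the `@ct_iface_map` they referenced can probably be dropped too; otherwise a comment should say why the hooks are kept, e.g. `# intentionally empty: zone assignment is done by the conntrack template`. The enclosing `vrf_zones` table starts outside the hunk.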