diff options
Diffstat (limited to 'data')
25 files changed, 319 insertions, 180 deletions
diff --git a/data/templates/bcast-relay/udp-broadcast-relay.tmpl b/data/templates/bcast-relay/udp-broadcast-relay.tmpl index 3d8c3fe94..d0c7d8bf9 100644 --- a/data/templates/bcast-relay/udp-broadcast-relay.tmpl +++ b/data/templates/bcast-relay/udp-broadcast-relay.tmpl @@ -4,4 +4,4 @@ {%- if description %} # Comment: {{ description }} {% endif %} -DAEMON_ARGS="{% if address %}-s {{ address }} {% endif %}{{ id }} {{ port }} {{ interfaces | join(' ') }}" +DAEMON_ARGS="{{ '-s ' + address if address is defined }} {{ instance }} {{ port }} {{ interface | join(' ') }}" diff --git a/data/templates/dhcp-client/ipv6_new.tmpl b/data/templates/dhcp-client/ipv6_new.tmpl new file mode 100644 index 000000000..112431c5f --- /dev/null +++ b/data/templates/dhcp-client/ipv6_new.tmpl @@ -0,0 +1,47 @@ +# generated by dhcp.py +# man https://www.unix.com/man-page/debian/5/dhcp6c.conf/ + +interface {{ ifname }} { + request domain-name-servers; + request domain-name; +{% if dhcpv6_options is defined %} +{% if dhcpv6_options.parameters_only is defined %} + information-only; +{% endif %} +{% if dhcpv6_options.temporary is not defined %} + send ia-na 1; # non-temporary address +{% endif %} +{% if dhcpv6_options.prefix_delegation is defined %} + send ia-pd 2; # prefix delegation +{% endif %} +{% endif %} +}; + +{% if dhcpv6_options is defined %} +{% if dhcpv6_options.temporary is not defined %} +id-assoc na 1 { + # Identity association NA +}; +{% endif %} + +{% if dhcpv6_options.prefix_delegation is defined %} +id-assoc pd 2 { +{% if dhcpv6_options.prefix_delegation.length is defined %} + prefix ::/{{ dhcpv6_options.prefix_delegation.length }} infinity; +{% endif %} +{% for interface in dhcpv6_options.prefix_delegation.interface %} + prefix-interface {{ interface }} { +{% if dhcpv6_options.prefix_delegation.interface[interface].sla_id is defined %} + sla-id {{ dhcpv6_options.prefix_delegation.interface[interface].sla_id }}; +{% endif %} +{% if dhcpv6_options.prefix_delegation.interface[interface].sla_len is defined %} + sla-len {{ dhcpv6_options.prefix_delegation.interface[interface].sla_len }}; +{% endif %} +{% if dhcpv6_options.prefix_delegation.interface[interface].address is defined %} + ifid {{ dhcpv6_options.prefix_delegation.interface[interface].address }}; +{% endif %} + }; +{% endfor %} +}; +{% endif %} +{% endif %} diff --git a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl index 6d1760199..b0d99d9ae 100644 --- a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl +++ b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl @@ -17,7 +17,7 @@ addNTA("{{ a }}.", "{{ tag }} alias") -- from 'service dns forwarding domain' {%- for zone, zonedata in forward_zones.items() %} {%- if zonedata['addNTA'] %} -addNTA("{{ zone }}.", "static") +addNTA("{{ zone }}", "static") {%- endif %} {%- endfor %} {%- endif %} diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index 8108d5e0f..0c29f536b 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -6,7 +6,7 @@ flush table nat {% if helper_functions == 'remove' %} {# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = "delete rule ip raw" %} +{% set base_command = "delete rule ip raw" %} {{ base_command }} PREROUTING handle {{ pre_ct_ignore }} {{ base_command }} OUTPUT handle {{ out_ct_ignore }} {{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} @@ -19,7 +19,7 @@ delete chain ip raw NAT_CONNTRACK add chain ip raw NAT_CONNTRACK add rule ip raw NAT_CONNTRACK counter accept -{% set base_command = "add rule ip raw" %} +{% set base_command = "add rule ip raw" %} {{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER {{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER @@ -48,10 +48,11 @@ add rule ip raw NAT_CONNTRACK counter accept {% set comment = "DST-NAT-" + rule.number %} {% if chain == "PREROUTING" %} -{% set interface = " iifname \"" + rule.interface_in + "\"" %} +{% set interface = " iifname \"" + rule.interface_in + "\"" if rule.interface_in is defined and rule.interface_in != 'any' else '' %} {% set trns_addr = "dnat to " + rule.translation_address %} + {% elif chain == "POSTROUTING" %} -{% set interface = " oifname \"" + rule.interface_out + "\"" %} +{% set interface = " oifname \"" + rule.interface_out + "\"" if rule.interface_out is defined and rule.interface_out != 'any' else '' %} {% if rule.translation_address == 'masquerade' %} {% set trns_addr = rule.translation_address %} {% if rule.translation_port %} diff --git a/data/templates/ids/fastnetmon.tmpl b/data/templates/ids/fastnetmon.tmpl new file mode 100644 index 000000000..71a1b2bd7 --- /dev/null +++ b/data/templates/ids/fastnetmon.tmpl @@ -0,0 +1,60 @@ +# enable this option if you want to send logs to local syslog facility +logging:local_syslog_logging = on + +# list of all your networks in CIDR format +networks_list_path = /etc/networks_list + +# list networks in CIDR format which will be not monitored for attacks +white_list_path = /etc/networks_whitelist + +# Enable/Disable any actions in case of attack +enable_ban = on + +## How many packets will be collected from attack traffic +ban_details_records_count = 500 + +## How long (in seconds) we should keep an IP in blocked state +## If you set 0 here it completely disables unban capability +ban_time = 1900 + +# Check if the attack is still active, before triggering an unban callback with this option +# If the attack is still active, check each run of the unban watchdog +unban_only_if_attack_finished = on + +# enable per subnet speed meters +# For each subnet, list track speed in bps and pps for both directions +enable_subnet_counters = off + +{% if "mirror" in mode %} +mirror_afpacket = on +{% endif -%} + +{% if "in" in direction %} +process_incoming_traffic = on +{% endif -%} +{% if "out" in direction %} +process_outgoing_traffic = on +{% endif -%} +{% for th in threshold %} +{% if th == "fps" %} +ban_for_flows = on +threshold_flows = {{ threshold[th] }} +{% endif -%} +{% if th == "mbps" %} +ban_for_bandwidth = on +threshold_mbps = {{ threshold[th] }} +{% endif -%} +{% if th == "pps" %} +ban_for_pps = on +threshold_pps = {{ threshold[th] }} +{% endif -%} +{% endfor -%} + +{% if listen_interface %} +{% set value = listen_interface if listen_interface is string else listen_interface | join(',') %} +interfaces = {{ value }} +{% endif -%} + +{% if alert_script %} +notify_script_path = {{ alert_script }} +{% endif -%} diff --git a/data/templates/ids/fastnetmon_networks_list.tmpl b/data/templates/ids/fastnetmon_networks_list.tmpl new file mode 100644 index 000000000..d58990053 --- /dev/null +++ b/data/templates/ids/fastnetmon_networks_list.tmpl @@ -0,0 +1,7 @@ +{% if network is string %} +{{ network }} +{% else %} +{% for net in network %} +{{ net }} +{% endfor %} +{% endif %} diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl index a614d23f5..1731bf160 100644 --- a/data/templates/macsec/wpa_supplicant.conf.tmpl +++ b/data/templates/macsec/wpa_supplicant.conf.tmpl @@ -45,9 +45,10 @@ network={ # - the key server has decided to enable MACsec # 0: Encrypt traffic (default) # 1: Integrity only - macsec_integ_only={{ '0' if security_encrypt else '1' }} + macsec_integ_only={{ '0' if security is defined and security.encrypt is defined else '1' }} -{% if security_encrypt %} +{% if security is defined %} +{% if security.encrypt is defined %} # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer @@ -56,21 +57,22 @@ network={ # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string # (2..64 hex-digits) - mka_cak={{ security_mka_cak }} - mka_ckn={{ security_mka_ckn }} + mka_cak={{ security.mka.cak }} + mka_ckn={{ security.mka.ckn }} # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being # default priority - mka_priority={{ security_mka_priority }} -{% endif %} -{% if security_replay_window %} + mka_priority={{ security.mka.priority }} +{% endif %} + +{% if security.replay_window is defined %} # macsec_replay_protect: IEEE 802.1X/MACsec replay protection # This setting applies only when MACsec is in use, i.e., # - macsec_policy is enabled # - the key server has decided to enable MACsec # 0: Replay protection disabled (default) # 1: Replay protection enabled - macsec_replay_protect={{ '1' if security_replay_window else '0' }} + macsec_replay_protect=1 # macsec_replay_window: IEEE 802.1X/MACsec replay protection window # This determines a window in which replay is tolerated, to allow receipt @@ -80,7 +82,8 @@ network={ # - the key server has decided to enable MACsec # 0: No replay window, strict check (default) # 1..2^32-1: number of packets that could be misordered - macsec_replay_window={{ security_replay_window }} + macsec_replay_window={{ security.replay_window }} +{% endif %} {% endif %} } diff --git a/data/templates/ntp/ntp.conf.tmpl b/data/templates/ntp/ntp.conf.tmpl index 52042d218..6ef0c0f2c 100644 --- a/data/templates/ntp/ntp.conf.tmpl +++ b/data/templates/ntp/ntp.conf.tmpl @@ -13,26 +13,35 @@ restrict -6 ::1 # # Configurable section # - -{% if servers -%} -{% for s in servers -%} -# Server configuration for: {{ s.name }} -server {{ s.name }} iburst {{ s.options | join(" ") }} -{% endfor -%} +{% if server %} +{% for srv in server %} +{% set options = '' %} +{% set options = options + 'noselect ' if server[srv].noselect is defined else '' %} +{% set options = options + 'preempt ' if server[srv].preempt is defined else '' %} +{% set options = options + 'prefer ' if server[srv].prefer is defined else '' %} +server {{ srv | replace('_', '-') }} iburst {{ options }} +{% endfor %} {% endif %} -{% if allowed_networks -%} -{% for n in allowed_networks -%} -# Client configuration for network: {{ n.network }} -restrict {{ n.address }} mask {{ n.netmask }} nomodify notrap nopeer - -{% endfor -%} +{% if allow_clients is defined and allow_clients.address is defined %} +# Allowed clients configuration +{% if allow_clients.address is string %} +restrict {{ allow_clients.address|address_from_cidr }} mask {{ allow_clients.address|netmask_from_cidr }} nomodify notrap nopeer +{% else %} +{% for address in allow_clients.address %} +restrict {{ address|address_from_cidr }} mask {{ address|netmask_from_cidr }} nomodify notrap nopeer +{% endfor %} +{% endif %} {% endif %} -{% if listen_address -%} +{% if listen_address %} # NTP should listen on configured addresses only interface ignore wildcard -{% for a in listen_address -%} -interface listen {{ a }} -{% endfor -%} +{% if listen_address is string %} +interface listen {{ listen_address }} +{% else %} +{% for address in listen_address %} +interface listen {{ address }} +{% endfor %} +{% endif %} {% endif %} diff --git a/data/templates/ntp/override.conf.tmpl b/data/templates/ntp/override.conf.tmpl index 69a73b128..466638e5a 100644 --- a/data/templates/ntp/override.conf.tmpl +++ b/data/templates/ntp/override.conf.tmpl @@ -1,8 +1,11 @@ +{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + [Service] ExecStart= -{% if vrf %} -ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/lib/ntp/ntp-systemd-wrapper -{% else %} -ExecStart=/usr/lib/ntp/ntp-systemd-wrapper -{% endif %} +ExecStart={{vrf_command}}/usr/lib/ntp/ntp-systemd-wrapper +Restart=on-failure +RestartSec=10 diff --git a/data/templates/pppoe/ip-down.script.tmpl b/data/templates/pppoe/ip-down.script.tmpl index 9e6bd2a8e..7b1952a80 100644 --- a/data/templates/pppoe/ip-down.script.tmpl +++ b/data/templates/pppoe/ip-down.script.tmpl @@ -2,21 +2,21 @@ # As PPPoE is an "on demand" interface we need to re-configure it when it # becomes up -if [ "$6" != "{{ intf }}" ]; then +if [ "$6" != "{{ ifname }}" ]; then exit fi # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -{% if not on_demand %} +{% if connect_on_demand is not defined %} # See https://phabricator.vyos.net/T2248. Determine if we are enslaved to a # VRF, this is needed to properly insert the default route. VRF_NAME="" -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF=${VRF#"upper_"} # Populate variable to run in VR context @@ -24,13 +24,13 @@ if [ -d /sys/class/net/{{ intf }}/upper_* ]; then fi # Always delete default route when interface goes down -vtysh -c "conf t" ${VRF_NAME} -c "no ip route 0.0.0.0/0 {{ intf }} ${VRF_NAME}" +vtysh -c "conf t" ${VRF_NAME} -c "no ip route 0.0.0.0/0 {{ ifname }} ${VRF_NAME}" {% if ipv6_enable %} -vtysh -c "conf t" ${VRF_NAME} -c "no ipv6 route ::/0 {{ intf }} ${VRF_NAME}" +vtysh -c "conf t" ${VRF_NAME} -c "no ipv6 route ::/0 {{ ifname }} ${VRF_NAME}" {% endif %} {% endif %} -{% if dhcpv6_pd_interfaces %} -# Start wide dhcpv6 client -systemctl stop dhcp6c@{{ intf }}.service +{% if dhcpv6_options is defined and dhcpv6_options.prefix_delegation is defined %} +# Stop wide dhcpv6 client +systemctl stop dhcp6c@{{ ifname }}.service {% endif %} diff --git a/data/templates/pppoe/ip-pre-up.script.tmpl b/data/templates/pppoe/ip-pre-up.script.tmpl index 6a2d2af94..cf85ed067 100644 --- a/data/templates/pppoe/ip-pre-up.script.tmpl +++ b/data/templates/pppoe/ip-pre-up.script.tmpl @@ -2,17 +2,17 @@ # As PPPoE is an "on demand" interface we need to re-configure it when it # becomes up -if [ "$6" != "{{ intf }}" ]; then +if [ "$6" != "{{ ifname }}" ]; then exit fi # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -echo "{{ description }}" > /sys/class/net/{{ intf }}/ifalias +echo "{{ description }}" > /sys/class/net/{{ ifname }}/ifalias {% if vrf -%} logger -t pppd[$DIALER_PID] "configuring dialer interface $6 for VRF {{ vrf }}" -ip link set dev {{ intf }} master {{ vrf }} +ip link set dev {{ ifname }} master {{ vrf }} {% endif %} diff --git a/data/templates/pppoe/ip-up.script.tmpl b/data/templates/pppoe/ip-up.script.tmpl index a274296b6..568e21c4e 100644 --- a/data/templates/pppoe/ip-up.script.tmpl +++ b/data/templates/pppoe/ip-up.script.tmpl @@ -2,13 +2,13 @@ # As PPPoE is an "on demand" interface we need to re-configure it when it # becomes up -if [ "$6" != "{{ intf }}" ]; then +if [ "$6" != "{{ ifname }}" ]; then exit fi -{% if not on_demand %} +{% if connect_on_demand is not defined %} # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" {% if default_route != 'none' -%} @@ -17,9 +17,9 @@ logger -t pppd[$DIALER_PID] "executing $0" SED_OPT="^ip route" VRF_NAME="" -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF=${VRF#"upper_"} # generate new SED command @@ -43,7 +43,7 @@ done {% endif %} # Add default route to default or VRF routing table -vtysh -c "conf t" ${VTY_OPT} -c "ip route 0.0.0.0/0 {{ intf }} ${VRF_NAME}" -logger -t pppd[$DIALER_PID] "added default route via {{ intf }} ${VRF_NAME}" +vtysh -c "conf t" ${VTY_OPT} -c "ip route 0.0.0.0/0 {{ ifname }} ${VRF_NAME}" +logger -t pppd[$DIALER_PID] "added default route via {{ ifname }} ${VRF_NAME}" {% endif %} {% endif %} diff --git a/data/templates/pppoe/ipv6-up.script.tmpl b/data/templates/pppoe/ipv6-up.script.tmpl index 097f1d4c3..3dee3d011 100644 --- a/data/templates/pppoe/ipv6-up.script.tmpl +++ b/data/templates/pppoe/ipv6-up.script.tmpl @@ -3,17 +3,15 @@ # As PPPoE is an "on demand" interface we need to re-configure it when it # becomes up -if [ "$6" != "{{ intf }}" ]; then +if [ "$6" != "{{ ifname }}" ]; then exit fi -set -x - -{% if ipv6_autoconf -%} +{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined -%} # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -logger -t pppd[$DIALER_PID] "configuring interface {{ intf }} via {{ source_interface }}" +logger -t pppd[$DIALER_PID] "configuring interface {{ ifname }} via {{ source_interface }}" # Configure interface-specific Host/Router behaviour. # Note: It is recommended to have the same setting on all interfaces; mixed @@ -22,7 +20,7 @@ logger -t pppd[$DIALER_PID] "configuring interface {{ intf }} via {{ source_inte # 0 Forwarding disabled # 1 Forwarding enabled # -echo 1 > /proc/sys/net/ipv6/conf/{{ intf }}/forwarding +echo 1 > /proc/sys/net/ipv6/conf/{{ ifname }}/forwarding # Accept Router Advertisements; autoconfigure using them. # @@ -36,27 +34,27 @@ echo 1 > /proc/sys/net/ipv6/conf/{{ intf }}/forwarding # 2 Overrule forwarding behaviour. Accept Router Advertisements # even if forwarding is enabled. # -echo 2 > /proc/sys/net/ipv6/conf/{{ intf }}/accept_ra +echo 2 > /proc/sys/net/ipv6/conf/{{ ifname }}/accept_ra # Autoconfigure addresses using Prefix Information in Router Advertisements. -echo 1 > /proc/sys/net/ipv6/conf/{{ intf }}/autoconf +echo 1 > /proc/sys/net/ipv6/conf/{{ ifname }}/autoconf {% endif %} -{% if dhcpv6_pd_interfaces %} +{% if dhcpv6_options is defined and dhcpv6_options.prefix_delegation is defined %} # Start wide dhcpv6 client -systemctl start dhcp6c@{{ intf }}.service +systemctl start dhcp6c@{{ ifname }}.service {% endif %} -{% if default_route != 'none' -%} +{% if default_route != 'none' -%} # See https://phabricator.vyos.net/T2248 & T2220. Determine if we are enslaved # to a VRF, this is needed to properly insert the default route. SED_OPT="^ipv6 route" VRF_NAME="" -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF=${VRF#"upper_"} # generate new SED command @@ -65,23 +63,22 @@ if [ -d /sys/class/net/{{ intf }}/upper_* ]; then VRF_NAME="vrf ${VRF}" fi -{% if default_route == 'auto' -%} +{% if default_route == 'auto' -%} # Only insert a new default route if there is no default route configured routes=$(vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep ::/0 | wc -l) if [ "$routes" -ne 0 ]; then exit 1 fi -{% elif default_route == 'force' -%} +{% elif default_route == 'force' -%} # Retrieve current static default routes and remove it from the routing table vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep ::/0 | while read route ; do vtysh -c "conf t" ${VTY_OPT} -c "no ${route} ${VRF_NAME}" done -{% endif %} - -# Add default route to default or VRF routing table -vtysh -c "conf t" ${VTY_OPT} -c "ipv6 route ::/0 {{ intf }} ${VRF_NAME}" -logger -t pppd[$DIALER_PID] "added default route via {{ intf }} ${VRF_NAME}" {% endif %} +# Add default route to default or VRF routing table +vtysh -c "conf t" ${VTY_OPT} -c "ipv6 route ::/0 {{ ifname }} ${VRF_NAME}" +logger -t pppd[$DIALER_PID] "added default route via {{ ifname }} ${VRF_NAME}" +{% endif %} diff --git a/data/templates/pppoe/peer.tmpl b/data/templates/pppoe/peer.tmpl index fb85265b2..e909843a5 100644 --- a/data/templates/pppoe/peer.tmpl +++ b/data/templates/pppoe/peer.tmpl @@ -40,32 +40,37 @@ maxfail 0 plugin rp-pppoe.so {{ source_interface }} persist -ifname {{ intf }} -ipparam {{ intf }} +ifname {{ ifname }} +ipparam {{ ifname }} debug mtu {{ mtu }} mru {{ mtu }} -user "{{ auth_username }}" -password "{{ auth_password }}" -{% if name_server -%} -usepeerdns + +{% if authentication is defined %} +{{ "user " + authentication.user if authentication.user is defined }} +{{ "password " + authentication.password if authentication.password is defined }} {% endif %} -{% if ipv6_enable -%} + +{{ "usepeerdns" if no_peer_dns is not defined }} + +{% if ipv6 is defined and ipv6.enable is defined -%} +ipv6 ipv6cp-use-ipaddr {% endif %} -{% if service_name -%} + +{% if service_name is defined -%} rp_pppoe_service "{{ service_name }}" {% endif %} -{% if on_demand %} + +{% if connect_on_demand is defined %} demand # See T2249. PPP default route options should only be set when in on-demand # mode. As soon as we are not in on-demand mode the default-route handling is # passed to the ip-up.d/ip-down.s scripts which is required for VRF support. -{% if 'auto' in default_route -%} +{% if 'auto' in default_route -%} defaultroute -{% elif 'force' in default_route -%} +{% elif 'force' in default_route -%} defaultroute replacedefaultroute -{% endif %} +{% endif %} {% endif %} diff --git a/data/templates/snmp/etc.snmp.conf.tmpl b/data/templates/snmp/etc.snmp.conf.tmpl index 159578906..6e4c6f063 100644 --- a/data/templates/snmp/etc.snmp.conf.tmpl +++ b/data/templates/snmp/etc.snmp.conf.tmpl @@ -1,4 +1,4 @@ ### Autogenerated by snmp.py ### -{% if trap_source -%} +{% if trap_source %} clientaddr {{ trap_source }} {% endif %} diff --git a/data/templates/snmp/etc.snmpd.conf.tmpl b/data/templates/snmp/etc.snmpd.conf.tmpl index 1659abf93..278506350 100644 --- a/data/templates/snmp/etc.snmpd.conf.tmpl +++ b/data/templates/snmp/etc.snmpd.conf.tmpl @@ -32,87 +32,84 @@ sysDescr VyOS {{ version }} {% if description %} # Description SysDescr {{ description }} -{%- endif %} +{% endif %} # Listen agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{{ li }}{% endfor %}{% else %},udp:161{% if ipv6_enabled %},udp6:161{% endif %}{% endif %} # SNMP communities -{%- for c in communities %} - -{%- if c.network_v4 %} -{%- for network in c.network_v4 %} +{% for c in communities %} +{% if c.network_v4 %} +{% for network in c.network_v4 %} {{ c.authorization }}community {{ c.name }} {{ network }} -{%- endfor %} -{%- elif not c.has_source %} +{% endfor %} +{% elif not c.has_source %} {{ c.authorization }}community {{ c.name }} -{%- endif %} - -{%- if c.network_v6 %} -{%- for network in c.network_v6 %} +{% endif %} +{% if c.network_v6 %} +{% for network in c.network_v6 %} {{ c.authorization }}community6 {{ c.name }} {{ network }} -{%- endfor %} -{%- elif not c.has_source %} +{% endfor %} +{% elif not c.has_source %} {{ c.authorization }}community6 {{ c.name }} -{%- endif %} - -{%- endfor %} +{% endif %} +{% endfor %} {% if contact %} # system contact information SysContact {{ contact }} -{%- endif %} +{% endif %} {% if location %} # system location information SysLocation {{ location }} -{%- endif %} +{% endif %} -{% if smux_peers -%} +{% if smux_peers %} # additional smux peers -{%- for sp in smux_peers %} +{% for sp in smux_peers %} smuxpeer {{ sp }} -{%- endfor %} -{%- endif %} +{% endfor %} +{% endif %} -{% if trap_targets -%} +{% if trap_targets %} # if there is a problem - tell someone! -{%- for t in trap_targets %} -trap2sink {{ t.target }}{% if t.port -%}:{{ t.port }}{% endif %} {{ t.community }} -{%- endfor %} -{%- endif %} +{% for trap in trap_targets %} +trap2sink {{ trap.target }}{{ ":" + trap.port if trap.port is defined }} {{ trap.community }} +{% endfor %} +{% endif %} -{%- if v3_enabled %} +{% if v3_enabled %} # # SNMPv3 stuff goes here # # views -{%- for v in v3_views %} -{%- for oid in v.oids %} -view {{ v.name }} included .{{ oid.oid }} -{%- endfor %} -{%- endfor %} +{% for view in v3_views %} +{% for oid in view.oids %} +view {{ view.name }} included .{{ oid.oid }} +{% endfor %} +{% endfor %} # access # context sec.model sec.level match read write notif -{%- for g in v3_groups %} -access {{ g.name }} "" usm {{ g.seclevel }} exact {{ g.view }} {% if g.mode == 'ro' %}none{% else %}{{ g.view }}{% endif %} none -{%- endfor %} +{% for group in v3_groups %} +access {{ group.name }} "" usm {{ group.seclevel }} exact {{ group.view }} {% if group.mode == 'ro' %}none{% else %}{{ group.view }}{% endif %} none +{% endfor %} # trap-target -{%- for t in v3_traps %} +{% for t in v3_traps %} trapsess -v 3 {{ '-Ci' if t.type == 'inform' }} -e {{ v3_engineid }} -u {{ t.secName }} -l {{ t.secLevel }} -a {{ t.authProtocol }} {% if t.authPassword %}-A {{ t.authPassword }}{% elif t.authMasterKey %}-3m {{ t.authMasterKey }}{% endif %} -x {{ t.privProtocol }} {% if t.privPassword %}-X {{ t.privPassword }}{% elif t.privMasterKey %}-3M {{ t.privMasterKey }}{% endif %} {{ t.ipProto }}:{{ t.ipAddr }}:{{ t.ipPort }} -{%- endfor %} +{% endfor %} # group -{%- for u in v3_users %} +{% for u in v3_users %} group {{ u.group }} usm {{ u.name }} -{% endfor %} -{%- endif %} +{% endfor %} +{% endif %} {% if script_ext %} # extension scripts -{%- for ext in script_ext|sort(attribute='name') %} +{% for ext in script_ext|sort(attribute='name') %} extend {{ ext.name }} {{ ext.script }} -{%- endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/snmp/override.conf.tmpl b/data/templates/snmp/override.conf.tmpl index 1eb8f20a9..e6302a9e1 100644 --- a/data/templates/snmp/override.conf.tmpl +++ b/data/templates/snmp/override.conf.tmpl @@ -1,9 +1,13 @@ +{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + [Service] Environment= Environment="MIBSDIR=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/mibs/site:/usr/share/snmp/mibs:/usr/share/mibs/iana:/usr/share/mibs/ietf:/usr/share/mibs/netsnmp" ExecStart= -{% if vrf %} -ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid -{% else %} -ExecStart=/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid -{% endif %} +ExecStart={{vrf_command}}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid +Restart=on-failure +RestartSec=10 + diff --git a/data/templates/snmp/var.snmpd.conf.tmpl b/data/templates/snmp/var.snmpd.conf.tmpl index 0b8e9f291..6cbc687ef 100644 --- a/data/templates/snmp/var.snmpd.conf.tmpl +++ b/data/templates/snmp/var.snmpd.conf.tmpl @@ -3,14 +3,12 @@ {%- for u in v3_users %} {%- if u.authOID == 'none' %} createUser {{ u.name }} -{%- elif u.authPassword %} -createUser {{ u.name }} {{ u.authProtocol | upper }} "{{ u.authPassword }}" {{ u.privProtocol | upper }} {{ u.privPassword }} {%- else %} -usmUser 1 3 {{ v3_engineid }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} {{ u.authMasterKey }} {{ u.privOID }} {{ u.privMasterKey }} 0x +usmUser 1 3 0x{{ v3_engineid }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} 0x{{ u.authMasterKey }} {{ u.privOID }} 0x{{ u.privMasterKey }} 0x {%- endif %} {%- endfor %} createUser {{ vyos_user }} MD5 "{{ vyos_user_pass }}" DES {%- if v3_engineid %} -oldEngineID {{ v3_engineid }} +oldEngineID 0x{{ v3_engineid }} {%- endif %} diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl index 1013d4b48..4276366ae 100644 --- a/data/templates/ssh/override.conf.tmpl +++ b/data/templates/ssh/override.conf.tmpl @@ -1,8 +1,10 @@ +{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + [Service] ExecStart= -{% if vrf %} -ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/sbin/sshd -D $SSHD_OPTS -{% else %} -ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -{% endif %} +ExecStart={{vrf_command}}/usr/sbin/sshd -D $SSHD_OPTS +RestartSec=10 diff --git a/data/templates/ssh/sshd_config.tmpl b/data/templates/ssh/sshd_config.tmpl index 1c136bb23..4fde24255 100644 --- a/data/templates/ssh/sshd_config.tmpl +++ b/data/templates/ssh/sshd_config.tmpl @@ -46,7 +46,7 @@ Port {{ value }} {% endif %} # Gives the verbosity level that is used when logging messages from sshd -LogLevel {{ loglevel }} +LogLevel {{ loglevel | upper }} # Specifies whether password authentication is allowed PasswordAuthentication {{ "no" if disable_password_authentication is defined else "yes" }} @@ -57,7 +57,7 @@ PasswordAuthentication {{ "no" if disable_password_authentication is defined els ListenAddress {{ listen_address }} {% else %} {% for address in listen_address %} -ListenAddress {{ value }} +ListenAddress {{ address }} {% endfor %} {% endif %} {% endif %} diff --git a/data/templates/system/curlrc.tmpl b/data/templates/system/curlrc.tmpl new file mode 100644 index 000000000..675e35a0c --- /dev/null +++ b/data/templates/system/curlrc.tmpl @@ -0,0 +1,8 @@ +{% if http_client is defined %}
+{% if http_client.source_interface is defined %}
+--interface "{{ http_client.source_interface }}"
+{% endif %}
+{% if http_client.source_address is defined %}
+--interface "{{ http_client.source_address }}"
+{% endif %}
+{% endif %}
diff --git a/data/templates/wwan/ip-down.script.tmpl b/data/templates/wwan/ip-down.script.tmpl index f7b38cbc5..9dc15ea99 100644 --- a/data/templates/wwan/ip-down.script.tmpl +++ b/data/templates/wwan/ip-down.script.tmpl @@ -11,17 +11,17 @@ fi # Determine if we are running inside a VRF or not, required for proper routing table # NOTE: the down script can not be properly templated as we need the VRF name, # which is not present on deletion, thus we read it from the operating system. -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF_NAME=${VRF#"upper_"} # Remove default route from VRF routing table - vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "no ip route 0.0.0.0/0 {{ intf }}" + vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "no ip route 0.0.0.0/0 {{ ifname }}" else # Remove default route from GRT (global routing table) - vtysh -c "conf t" -c "no ip route 0.0.0.0/0 {{ intf }}" + vtysh -c "conf t" -c "no ip route 0.0.0.0/0 {{ ifname }}" fi -DIALER_PID=$(cat /var/run/{{ intf }}.pid) -logger -t pppd[$DIALER_PID] "removed default route via {{ intf }} metric {{ metric }}" +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) +logger -t pppd[$DIALER_PID] "removed default route via {{ ifname }} metric {{ backup.distance }}" diff --git a/data/templates/wwan/ip-pre-up.script.tmpl b/data/templates/wwan/ip-pre-up.script.tmpl index 7a17a1c71..efc065bad 100644 --- a/data/templates/wwan/ip-pre-up.script.tmpl +++ b/data/templates/wwan/ip-pre-up.script.tmpl @@ -7,17 +7,17 @@ ipparam=$6 # device name and metric are received using ipparam device=`echo "$ipparam"|awk '{ print $1 }'` -if [ "$device" != "{{ intf }}" ]; then +if [ "$device" != "{{ ifname }}" ]; then exit fi # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -echo "{{ description }}" > /sys/class/net/{{ intf }}/ifalias +echo "{{ description }}" > /sys/class/net/{{ ifname }}/ifalias {% if vrf -%} -logger -t pppd[$DIALER_PID] "configuring interface {{ intf }} for VRF {{ vrf }}" -ip link set dev {{ intf }} master {{ vrf }} +logger -t pppd[$DIALER_PID] "configuring interface {{ ifname }} for VRF {{ vrf }}" +ip link set dev {{ ifname }} master {{ vrf }} {% endif %} diff --git a/data/templates/wwan/ip-up.script.tmpl b/data/templates/wwan/ip-up.script.tmpl index 3a7eec800..2603a0286 100644 --- a/data/templates/wwan/ip-up.script.tmpl +++ b/data/templates/wwan/ip-up.script.tmpl @@ -9,17 +9,17 @@ if [ -z $(echo $2 | egrep "(ttyS[0-9]+|usb[0-9]+b.*)$") ]; then fi # Determine if we are running inside a VRF or not, required for proper routing table -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF_NAME=${VRF#"upper_"} # Remove default route from VRF routing table - vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "ip route 0.0.0.0/0 {{ intf }} {{ metric }}" + vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "ip route 0.0.0.0/0 {{ ifname }} {{ backup.distance }}" else # Remove default route from GRT (global routing table) - vtysh -c "conf t" -c "ip route 0.0.0.0/0 {{ intf }} {{ metric }}" + vtysh -c "conf t" -c "ip route 0.0.0.0/0 {{ ifname }} {{ backup.distance }}" fi -DIALER_PID=$(cat /var/run/{{ intf }}.pid) -logger -t pppd[$DIALER_PID] "added default route via {{ intf }} metric {{ metric }} ${VRF_NAME}" +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) +logger -t pppd[$DIALER_PID] "added default route via {{ ifname }} metric {{ backup.distance }} ${VRF_NAME}" diff --git a/data/templates/wwan/peer.tmpl b/data/templates/wwan/peer.tmpl index 0168283fd..aa759f741 100644 --- a/data/templates/wwan/peer.tmpl +++ b/data/templates/wwan/peer.tmpl @@ -1,19 +1,18 @@ ### Autogenerated by interfaces-wirelessmodem.py ### -{% if description %} -# {{ description }} -{% endif %} -ifname {{ intf }} -ipparam {{ intf }} -linkname {{ intf }} -{% if name_server -%} -usepeerdns -{%- endif %} +{{ "# description: " + description if description is defined }} +ifname {{ ifname }} +ipparam {{ ifname }} +linkname {{ ifname }} +{{ "usepeerdns" if no_peer_dns is defined }} # physical device {{ device }} lcp-echo-failure 0 115200 debug +debug +mtu {{ mtu }} +mru {{ mtu }} nodefaultroute ipcp-max-failure 4 ipcp-accept-local @@ -22,8 +21,7 @@ noauth crtscts lock persist -{% if on_demand -%} -demand -{%- endif %} +{{ "demand" if ondemand is defined }} + +connect '/usr/sbin/chat -v -t6 -f /etc/ppp/peers/chat.{{ ifname }}' -connect '/usr/sbin/chat -v -t6 -f {{ chat_script }}' |