summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/config-mode-dependencies/vyos-1x.json1
-rw-r--r--data/op-mode-standardized.json3
-rw-r--r--data/templates/conntrack/nftables-ct.j251
-rw-r--r--data/templates/conntrack/nftables-helpers.j270
-rw-r--r--data/templates/conntrack/vyos_nf_conntrack.conf.j23
-rw-r--r--data/templates/frr/daemons.frr.tmpl133
-rw-r--r--data/templates/load-balancing/haproxy.cfg.j22
7 files changed, 172 insertions, 91 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index a433c2522..72a3d1153 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,4 +1,5 @@
{
+ "conntrack": {"conntrack_sync": ["conntrack_sync"]},
"firewall": {"conntrack": ["conntrack"], "group_resync": ["conntrack", "nat", "policy-route"]},
"http_api": {"https": ["https"]},
"load_balancing_wan": {"conntrack": ["conntrack"]},
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index ded934bff..ed9bb6cad 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -26,6 +26,5 @@
"storage.py",
"uptime.py",
"version.py",
-"vrf.py",
-"zone.py"
+"vrf.py"
]
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 895f61a55..1e0fc8065 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -1,5 +1,6 @@
#!/usr/sbin/nft -f
+{% import 'conntrack/nftables-helpers.j2' as helper_tmpl %}
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% if first_install is not vyos_defined %}
@@ -52,30 +53,7 @@ table ip vyos_conntrack {
notrack
}
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{% if modules[module] is vyos_defined %}
-{% if 'nftables' in module_conf %}
-{% for rule in module_conf.nftables %}
- {{ rule }}
-{% endfor %}
-{% endif %}
-{% endif %}
-{% endfor %}
- return
- }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }}
chain FW_CONNTRACK {
{{ ipv4_firewall_action }}
@@ -140,30 +118,7 @@ table ip6 vyos_conntrack {
notrack
}
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{% if modules[module] is vyos_defined %}
-{% if 'nftables' in module_conf %}
-{% for rule in module_conf.nftables %}
- {{ rule }}
-{% endfor %}
-{% endif %}
-{% endif %}
-{% endfor %}
- return
- }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }}
chain FW_CONNTRACK {
{{ ipv6_firewall_action }}
diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2
new file mode 100644
index 000000000..433931162
--- /dev/null
+++ b/data/templates/conntrack/nftables-helpers.j2
@@ -0,0 +1,70 @@
+{% macro conntrack_helpers(module_map, modules, ipv4=True) %}
+{% if modules.ftp is vyos_defined %}
+ ct helper ftp_tcp {
+ type "ftp" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.h323 is vyos_defined %}
+ ct helper ras_udp {
+ type "RAS" protocol udp;
+ }
+
+ ct helper q931_tcp {
+ type "Q.931" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.pptp is vyos_defined and ipv4 %}
+ ct helper pptp_tcp {
+ type "pptp" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.nfs is vyos_defined %}
+ ct helper rpc_tcp {
+ type "rpc" protocol tcp;
+ }
+
+ ct helper rpc_udp {
+ type "rpc" protocol udp;
+ }
+{% endif %}
+
+{% if modules.sip is vyos_defined %}
+ ct helper sip_tcp {
+ type "sip" protocol tcp;
+ }
+
+ ct helper sip_udp {
+ type "sip" protocol udp;
+ }
+{% endif %}
+
+{% if modules.tftp is vyos_defined %}
+ ct helper tftp_udp {
+ type "tftp" protocol udp;
+ }
+{% endif %}
+
+{% if modules.sqlnet is vyos_defined %}
+ ct helper tns_tcp {
+ type "tns" protocol tcp;
+ }
+{% endif %}
+
+ chain VYOS_CT_HELPER {
+{% for module, module_conf in module_map.items() %}
+{% if modules[module] is vyos_defined %}
+{% if 'nftables' in module_conf %}
+{% if module_conf.ipv4 is not vyos_defined or module_conf.ipv4 == ipv4 %}
+{% for rule in module_conf.nftables %}
+ {{ rule }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+{% endfor %}
+ return
+ }
+{% endmacro %}
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 111459485..197155d96 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,3 +1,2 @@
# Autogenerated by conntrack.py
-options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
-
+options nf_conntrack hashsize={{ hash_size }}
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index fe2610724..a65f0868a 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -1,4 +1,26 @@
-zebra=yes
+#
+# The watchfrr, zebra, mgmtd and staticd daemons are always started.
+#
+# Note: The following FRR-services must be kept disabled because they are replaced by other packages in VyOS:
+#
+# pimd Replaced by package igmpproxy.
+# nhrpd Replaced by package opennhrp.
+# pbrd Replaced by PBR in nftables.
+# vrrpd Replaced by package keepalived.
+#
+# And these must be disabled aswell since they are currently missing a VyOS CLI:
+#
+# eigrp
+# sharpd
+# fabricd
+# pathd
+#
+# The zebra, mgmtd and staticd daemons are always started and can not be disabled
+#
+#zebra=yes
+#mgmtd=yes
+#staticd=yes
+
bgpd=yes
ospfd=yes
ospf6d=yes
@@ -9,49 +31,84 @@ pimd=no
pim6d=yes
ldpd=yes
nhrpd=no
-eigrpd=yes
+eigrpd=no
babeld=yes
sharpd=no
pbrd=no
bfdd=yes
-staticd=yes
+fabricd=no
+vrrpd=no
+pathd=no
-vtysh_enable=yes
-zebra_options=" --daemon -A 127.0.0.1 -s 90000000
-{%- if irdp is defined %} -M irdp{% endif -%}
-{%- if snmp is defined and snmp.zebra is defined %} -M snmp{% endif -%}
-"
-bgpd_options=" --daemon -A 127.0.0.1 -M rpki
-{%- if bmp is defined %} -M bmp{% endif -%}
-{%- if snmp is defined and snmp.bgpd is defined %} -M snmp{% endif -%}
-"
-ospfd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ospfd is defined %} -M snmp{% endif -%}
-"
-ospf6d_options=" --daemon -A ::1
-{%- if snmp is defined and snmp.ospf6d is defined %} -M snmp{% endif -%}
-"
-ripd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ripd is defined %} -M snmp{% endif -%}
-"
-ripngd_options=" --daemon -A ::1"
-isisd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.isisd is defined %} -M snmp{% endif -%}
-"
-pimd_options=" --daemon -A 127.0.0.1"
-pim6d_options=" --daemon -A ::1"
-ldpd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%}
-"
-mgmtd_options=" --daemon -A 127.0.0.1"
-nhrpd_options=" --daemon -A 127.0.0.1"
-eigrpd_options=" --daemon -A 127.0.0.1"
-babeld_options=" --daemon -A 127.0.0.1"
-sharpd_options=" --daemon -A 127.0.0.1"
-pbrd_options=" --daemon -A 127.0.0.1"
-staticd_options=" --daemon -A 127.0.0.1"
-bfdd_options=" --daemon -A 127.0.0.1"
+#
+# Define defaults for all services even those who shall be kept disabled.
+#
+
+zebra_options=" --daemon -A 127.0.0.1 -s 90000000{{ ' -M snmp' if snmp.zebra is vyos_defined }}{{ ' -M irdp' if irdp is vyos_defined }}"
+mgmtd_options=" --daemon -A 127.0.0.1"
+staticd_options="--daemon -A 127.0.0.1"
+bgpd_options=" --daemon -A 127.0.0.1 -M rpki{{ ' -M snmp' if snmp.bgpd is vyos_defined }}{{ ' -M bmp' if bmp is vyos_defined }}"
+ospfd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ospfd is vyos_defined }}"
+ospf6d_options=" --daemon -A ::1{{ ' -M snmp' if snmp.ospf6d is vyos_defined }}"
+ripd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ripd is vyos_defined }}"
+ripngd_options=" --daemon -A ::1"
+isisd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.isisd is vyos_defined }}"
+pimd_options=" --daemon -A 127.0.0.1"
+pim6d_options=" --daemon -A ::1"
+ldpd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ldpd is vyos_defined }}"
+nhrpd_options=" --daemon -A 127.0.0.1"
+eigrpd_options=" --daemon -A 127.0.0.1"
+babeld_options=" --daemon -A 127.0.0.1"
+sharpd_options=" --daemon -A 127.0.0.1"
+pbrd_options=" --daemon -A 127.0.0.1"
+bfdd_options=" --daemon -A 127.0.0.1"
+fabricd_options="--daemon -A 127.0.0.1"
+vrrpd_options=" --daemon -A 127.0.0.1"
+pathd_options=" --daemon -A 127.0.0.1"
+
+#frr_global_options=""
+
+#zebra_wrap=""
+#mgmtd_wrap=""
+#staticd_wrap=""
+#bgpd_wrap=""
+#ospfd_wrap=""
+#ospf6d_wrap=""
+#ripd_wrap=""
+#ripngd_wrap=""
+#isisd_wrap=""
+#pimd_wrap=""
+#pim6d_wrap=""
+#ldpd_wrap=""
+#nhrpd_wrap=""
+#eigrpd_wrap=""
+#babeld_wrap=""
+#sharpd_wrap=""
+#pbrd_wrap=""
+#bfdd_wrap=""
+#fabricd_wrap=""
+#vrrpd_wrap=""
+#pathd_wrap=""
+
+#all_wrap=""
+#
+# Other options.
+#
+# For more information see:
+# https://github.com/FRRouting/frr/blob/stable/9.0/tools/etc/frr/daemons
+# https://docs.frrouting.org/en/stable-9.0/setup.html
+#
+
+vtysh_enable=yes
watchfrr_enable=no
valgrind_enable=no
+#watchfrr_options=""
+
+frr_profile="traditional"
+
+#MAX_FDS=1024
+
+#FRR_NO_ROOT="yes"
+
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 0a40e1ecf..a75ee9904 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -146,7 +146,7 @@ backend {{ back }}
{% if back_config.server is vyos_defined %}
{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
{% for server, server_config in back_config.server.items() %}
- server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
+ server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
{% endfor %}
{% endif %}
{% if back_config.timeout.check is vyos_defined %}
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-23 13:31:24 +0000