diff options
Diffstat (limited to 'data')
35 files changed, 647 insertions, 885 deletions
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json index db13eeb5a..9500d3aa7 100644 --- a/data/op-mode-standardized.json +++ b/data/op-mode-standardized.json @@ -8,7 +8,10 @@ "neighbor.py", "openconnect.py", "route.py", +"system.py", "ipsec.py", +"storage.py", +"uptime.py", "version.py", "vrf.py" ] diff --git a/data/templates/accel-ppp/chap-secrets.ipoe.j2 b/data/templates/accel-ppp/chap-secrets.ipoe.j2 index a1430ec22..43083e22e 100644 --- a/data/templates/accel-ppp/chap-secrets.ipoe.j2 +++ b/data/templates/accel-ppp/chap-secrets.ipoe.j2 @@ -1,18 +1,13 @@ # username server password acceptable local IP addresses shaper -{% for interface in auth_interfaces %} -{% for mac in interface.mac %} -{% if mac.rate_upload and mac.rate_download %} -{% if mac.vlan_id %} -{{ interface.name }}.{{ mac.vlan_id }} * {{ mac.address | lower }} * {{ mac.rate_download }}/{{ mac.rate_upload }} -{% else %} -{{ interface.name }} * {{ mac.address | lower }} * {{ mac.rate_download }}/{{ mac.rate_upload }} -{% endif %} -{% else %} -{% if mac.vlan_id %} -{{ interface.name }}.{{ mac.vlan_id }} * {{ mac.address | lower }} * -{% else %} -{{ interface.name }} * {{ mac.address | lower }} * -{% endif %} +{% if authentication.interface is vyos_defined %} +{% for iface, iface_config in authentication.interface.items() %} +{% if iface_config.mac is vyos_defined %} +{% for mac, mac_config in iface_config.mac.items() %} +{% if mac_config.vlan is vyos_defined %} +{% set iface = iface ~ '.' ~ mac_config.vlan %} +{% endif %} +{{ "%-11s" | format(iface) }} * {{ mac | lower }} * {{ mac_config.rate_limit.download ~ '/' ~ mac_config.rate_limit.upload if mac_config.rate_limit.download is vyos_defined and mac_config.rate_limit.upload is vyos_defined }} +{% endfor %} {% endif %} {% endfor %} -{% endfor %} +{% endif %} diff --git a/data/templates/accel-ppp/config_ipv6_pool.j2 b/data/templates/accel-ppp/config_ipv6_pool.j2 index 953469577..a1562a1eb 100644 --- a/data/templates/accel-ppp/config_ipv6_pool.j2 +++ b/data/templates/accel-ppp/config_ipv6_pool.j2 @@ -1,6 +1,7 @@ {% if client_ipv6_pool is vyos_defined %} [ipv6-nd] AdvAutonomousFlag=1 +verbose=1 {% if client_ipv6_pool.prefix is vyos_defined %} [ipv6-pool] @@ -13,6 +14,7 @@ delegate={{ prefix }},{{ options.delegation_prefix }} {% endfor %} {% endif %} {% endif %} + {% if client_ipv6_pool.delegate is vyos_defined %} [ipv6-dhcp] verbose=1 diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index 6df12db2c..99227ea33 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -4,18 +4,15 @@ log_syslog ipoe shaper +{# Common authentication backend definitions #} +{% include 'accel-ppp/config_modules_auth_mode.j2' %} ipv6pool ipv6_nd ipv6_dhcp ippool -{% if auth_mode == 'radius' %} -radius -{% elif auth_mode == 'local' %} -chap-secrets -{% endif %} [core] -thread-count={{ thread_cnt }} +thread-count={{ thread_count }} [log] syslog=accel-ipoe,daemon @@ -24,28 +21,34 @@ level=5 [ipoe] verbose=1 -{% for interface in interfaces %} -{% set tmp = 'interface=' %} -{% if interface.vlan_mon %} -{% set tmp = tmp ~ 're:' ~ interface.name ~ '\.\d+' %} -{% else %} -{% set tmp = tmp ~ interface.name %} -{% endif %} -{{ tmp }},shared={{ interface.shared }},mode={{ interface.mode }},ifcfg={{ interface.ifcfg }}{{ ',range=' ~ interface.range if interface.range is defined and interface.range is not none }},start={{ interface.sess_start }},ipv6=1 -{% endfor %} -{% if auth_mode == 'noauth' %} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +{% set tmp = 'interface=' %} +{% if iface_config.vlan is vyos_defined %} +{% set tmp = tmp ~ 're:' ~ iface ~ '\.\d+' %} +{% else %} +{% set tmp = tmp ~ iface %} +{% endif %} +{% set shared = '' %} +{% if iface_config.network is vyos_defined('shared') %} +{% set shared = 'shared=1,' %} +{% elif iface_config.network is vyos_defined('vlan') %} +{% set shared = 'shared=0,' %} +{% endif %} +{{ tmp }},{{ shared }}mode={{ iface_config.mode | upper }},ifcfg=1,range={{ iface_config.client_subnet }},start=dhcpv4,ipv6=1 +{% endfor %} +{% endif %} +{% if authentication.mode is vyos_defined('noauth') %} noauth=1 -{% if client_named_ip_pool %} -{% for pool in client_named_ip_pool %} -{% if pool.subnet is defined %} -ip-pool={{ pool.name }} -{% endif %} -{% if pool.gateway_address is defined %} -gw-ip-address={{ pool.gateway_address }}/{{ pool.subnet.split('/')[1] }} +{% if client_ip_pool.name is vyos_defined %} +{% for pool, pool_options in client_ip_pool.name.items() %} +{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} +ip-pool={{ pool }} +gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} {% endif %} {% endfor %} {% endif %} -{% elif auth_mode == 'local' %} +{% elif authentication.mode is vyos_defined('local') %} username=ifname password=csid {% endif %} @@ -57,92 +60,27 @@ vlan-mon={{ interface.name }},{{ interface.vlan_mon | join(',') }} {% endif %} {% endfor %} -{% if dnsv4 %} -[dns] -{% for dns in dnsv4 %} -dns{{ loop.index }}={{ dns }} -{% endfor %} -{% endif %} - -{% if dnsv6 %} -[ipv6-dns] -{% for dns in dnsv6 %} -{{ dns }} -{% endfor %} -{% endif %} - -[ipv6-nd] -verbose=1 - -[ipv6-dhcp] -verbose=1 - -{% if client_named_ip_pool %} +{% if client_ip_pool.name is vyos_defined %} [ip-pool] -{% for pool in client_named_ip_pool %} -{% if pool.subnet is defined %} -{{ pool.subnet }},name={{ pool.name }} -{% endif %} -{% if pool.gateway_address is defined %} -gw-ip-address={{ pool.gateway_address }}/{{ pool.subnet.split('/')[1] }} +{% for pool, pool_options in client_ip_pool.name.items() %} +{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} +{{ pool_options.subnet }},name={{ pool }} +gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} {% endif %} {% endfor %} {% endif %} -{% if client_ipv6_pool %} -[ipv6-pool] -{% for p in client_ipv6_pool %} -{{ p.prefix }},{{ p.mask }} -{% endfor %} -{% for p in client_ipv6_delegate_prefix %} -delegate={{ p.prefix }},{{ p.mask }} -{% endfor %} -{% endif %} +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} -{% if auth_mode == 'local' %} -[chap-secrets] -chap-secrets={{ chap_secrets_file }} -{% elif auth_mode == 'radius' %} -[radius] -verbose=1 -{% for r in radius_server %} -server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }} -{% endfor %} - -{% if radius_acct_inter_jitter %} -acct-interim-jitter={{ radius_acct_inter_jitter }} -{% endif %} +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} -acct-timeout={{ radius_acct_tmo }} -timeout={{ radius_timeout }} -max-try={{ radius_max_try }} -{% if radius_nas_id %} -nas-identifier={{ radius_nas_id }} -{% endif %} -{% if radius_nas_ip %} -nas-ip-address={{ radius_nas_ip }} -{% endif %} -{% if radius_source_address %} -bind={{ radius_source_address }} -{% endif %} -{% if radius_dynamic_author %} -dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }} -{% endif %} +{# Common chap-secrets and RADIUS server/option definitions #} +{% include 'accel-ppp/config_chap_secrets_radius.j2' %} -{% if radius_shaper_enable %} -[shaper] -verbose=1 -{% if radius_shaper_attr %} -attr={{ radius_shaper_attr }} -{% endif %} -{% if radius_shaper_multiplier %} -rate-multiplier={{ radius_shaper_multiplier }} -{% endif %} -{% if radius_shaper_vendor %} -vendor={{ radius_shaper_vendor }} -{% endif %} -{% endif %} -{% endif %} +{# Common RADIUS shaper configuration #} +{% include 'accel-ppp/config_shaper_radius.j2' %} [cli] tcp=127.0.0.1:2002 diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2 index 0a92e2d54..f4129d3e2 100644 --- a/data/templates/accel-ppp/pppoe.config.j2 +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -105,20 +105,13 @@ ac-name={{ access_concentrator }} {% if interface is vyos_defined %} {% for iface, iface_config in interface.items() %} -{% if iface_config.vlan_id is not vyos_defined and iface_config.vlan_range is not vyos_defined %} +{% if iface_config.vlan is not vyos_defined %} interface={{ iface }} -{% endif %} -{% if iface_config.vlan_range is vyos_defined %} -{% for regex in iface_config.regex %} -interface=re:^{{ iface | replace('.', '\\.') }}\.({{ regex }})$ -{% endfor %} -vlan-mon={{ iface }},{{ iface_config.vlan_range | join(',') }} -{% endif %} -{% if iface_config.vlan_id is vyos_defined %} -{% for vlan in iface_config.vlan_id %} -vlan-mon={{ iface }},{{ vlan }} -interface=re:^{{ iface | replace('.', '\\.') }}\.{{ vlan }}$ +{% else %} +{% for vlan in iface_config.vlan %} +interface=re:^{{ iface }}\.{{ vlan | range_to_regex }}$ {% endfor %} +vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }} {% endif %} {% endfor %} {% endif %} diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2 index cc1a45d6b..442830b6b 100644 --- a/data/templates/accel-ppp/pptp.config.j2 +++ b/data/templates/accel-ppp/pptp.config.j2 @@ -93,6 +93,15 @@ bind={{ radius_source_address }} gw-ip-address={{ gw_ip }} {% endif %} +{% if radius_shaper_attr %} +[shaper] +verbose=1 +attr={{ radius_shaper_attr }} +{% if radius_shaper_vendor %} +vendor={{ radius_shaper_vendor }} +{% endif %} +{% endif %} + [cli] tcp=127.0.0.1:2003 diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2 index 66024869d..808a77759 100644 --- a/data/templates/conntrackd/conntrackd.conf.j2 +++ b/data/templates/conntrackd/conntrackd.conf.j2 @@ -9,7 +9,9 @@ Sync { {% if iface_config.peer is vyos_defined %} UDP { {% if listen_address is vyos_defined %} - IPv4_address {{ listen_address }} +{% for address in listen_address %} + IPv4_address {{ address }} +{% endfor %} {% endif %} IPv4_Destination_Address {{ iface_config.peer }} Port {{ iface_config.port if iface_config.port is vyos_defined else '3780' }} diff --git a/data/templates/conserver/conserver.conf.j2 b/data/templates/conserver/conserver.conf.j2 index 1823657d7..ffd29389d 100644 --- a/data/templates/conserver/conserver.conf.j2 +++ b/data/templates/conserver/conserver.conf.j2 @@ -25,6 +25,9 @@ console {{ key }} { baud {{ value.speed }}; parity {{ value.parity }}; options {{ "!" if value.stop_bits == "1" }}cstopb; +{% if value.alias is vyos_defined %} + aliases "{{ value.alias }}"; +{% endif %} } {% endfor %} diff --git a/data/templates/dhcp-client/ipv6.j2 b/data/templates/dhcp-client/ipv6.j2 index e136b1789..b5e55cdd1 100644 --- a/data/templates/dhcp-client/ipv6.j2 +++ b/data/templates/dhcp-client/ipv6.j2 @@ -40,20 +40,22 @@ id-assoc pd {{ pd }} { prefix ::/{{ pd_config.length }} infinity; {% set sla_len = 64 - pd_config.length | int %} {% set count = namespace(value=0) %} -{% for interface, interface_config in pd_config.interface.items() if pd_config.interface is vyos_defined %} +{% if pd_config.interface is vyos_defined %} +{% for interface, interface_config in pd_config.interface.items() if pd_config.interface is vyos_defined %} prefix-interface {{ interface }} { sla-len {{ sla_len }}; -{% if interface_config.sla_id is vyos_defined %} +{% if interface_config.sla_id is vyos_defined %} sla-id {{ interface_config.sla_id }}; -{% else %} +{% else %} sla-id {{ count.value }}; -{% endif %} -{% if interface_config.address is vyos_defined %} +{% endif %} +{% if interface_config.address is vyos_defined %} ifid {{ interface_config.address }}; -{% endif %} +{% endif %} }; -{% set count.value = count.value + 1 %} -{% endfor %} +{% set count.value = count.value + 1 %} +{% endfor %} +{% endif %} }; {% endfor %} {% endif %} diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2 index 97fc123d5..5336f7ee6 100644 --- a/data/templates/firewall/nftables-defines.j2 +++ b/data/templates/firewall/nftables-defines.j2 @@ -7,6 +7,7 @@ set A_{{ group_name }} { type {{ ip_type }} flags interval + auto-merge {% if group_conf.address is vyos_defined or includes %} elements = { {{ group_conf.address | nft_nested_group(includes, group.address_group, 'address') | join(",") }} } {% endif %} @@ -19,6 +20,7 @@ set A6_{{ group_name }} { type {{ ip_type }} flags interval + auto-merge {% if group_conf.address is vyos_defined or includes %} elements = { {{ group_conf.address | nft_nested_group(includes, group.ipv6_address_group, 'address') | join(",") }} } {% endif %} @@ -42,6 +44,7 @@ set N_{{ group_name }} { type {{ ip_type }} flags interval + auto-merge {% if group_conf.network is vyos_defined or includes %} elements = { {{ group_conf.network | nft_nested_group(includes, group.network_group, 'network') | join(",") }} } {% endif %} @@ -54,6 +57,7 @@ set N6_{{ group_name }} { type {{ ip_type }} flags interval + auto-merge {% if group_conf.network is vyos_defined or includes %} elements = { {{ group_conf.network | nft_nested_group(includes, group.ipv6_network_group, 'network') | join(",") }} } {% endif %} @@ -66,6 +70,7 @@ set P_{{ group_name }} { type inet_service flags interval + auto-merge {% if group_conf.port is vyos_defined or includes %} elements = { {{ group_conf.port | nft_nested_group(includes, group.port_group, 'port') | join(",") }} } {% endif %} diff --git a/data/templates/firewall/nftables-geoip-update.j2 b/data/templates/firewall/nftables-geoip-update.j2 index f9e61a274..832ccc3e9 100644 --- a/data/templates/firewall/nftables-geoip-update.j2 +++ b/data/templates/firewall/nftables-geoip-update.j2 @@ -2,10 +2,10 @@ {% if ipv4_sets is vyos_defined %} {% for setname, ip_list in ipv4_sets.items() %} -flush set ip filter {{ setname }} +flush set ip vyos_filter {{ setname }} {% endfor %} -table ip filter { +table ip vyos_filter { {% for setname, ip_list in ipv4_sets.items() %} set {{ setname }} { type ipv4_addr @@ -18,10 +18,10 @@ table ip filter { {% if ipv6_sets is vyos_defined %} {% for setname, ip_list in ipv6_sets.items() %} -flush set ip6 filter {{ setname }} +flush set ip6 vyos_filter {{ setname }} {% endfor %} -table ip6 filter { +table ip6 vyos_filter { {% for setname, ip_list in ipv6_sets.items() %} set {{ setname }} { type ipv6_addr diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2 index 1481e9104..55fe6024b 100644 --- a/data/templates/firewall/nftables-nat.j2 +++ b/data/templates/firewall/nftables-nat.j2 @@ -1,146 +1,5 @@ #!/usr/sbin/nft -f -{% macro nat_rule(rule, config, chain) %} -{% set comment = '' %} -{% set base_log = '' %} -{% set src_addr = 'ip saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %} -{% set dst_addr = 'ip daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %} -{# negated port groups need special treatment, move != in front of { } group #} -{% if config.source.port is vyos_defined and config.source.port.startswith('!') %} -{% set src_port = 'sport != { ' ~ config.source.port.replace('!','') ~ ' }' %} -{% else %} -{% set src_port = 'sport { ' ~ config.source.port ~ ' }' if config.source.port is vyos_defined %} -{% endif %} -{# negated port groups need special treatment, move != in front of { } group #} -{% if config.destination.port is vyos_defined and config.destination.port.startswith('!') %} -{% set dst_port = 'dport != { ' ~ config.destination.port.replace('!','') ~ ' }' %} -{% else %} -{% set dst_port = 'dport { ' ~ config.destination.port ~ ' }' if config.destination.port is vyos_defined %} -{% endif %} -{% if chain is vyos_defined('PREROUTING') %} -{% set comment = 'DST-NAT-' ~ rule %} -{% set base_log = '[NAT-DST-' ~ rule %} -{% set interface = ' iifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %} -{% if config.translation.address is vyos_defined %} -{# support 1:1 network translation #} -{% if config.translation.address | is_ip_network %} -{% set trns_addr = 'dnat ip prefix to ip daddr map { ' ~ config.destination.address ~ ' : ' ~ config.translation.address ~ ' }' %} -{# we can now clear out the dst_addr part as it's already covered in aboves map #} -{% set dst_addr = '' %} -{% else %} -{% set trns_addr = 'dnat to ' ~ config.translation.address %} -{% endif %} -{% endif %} -{% elif chain is vyos_defined('POSTROUTING') %} -{% set comment = 'SRC-NAT-' ~ rule %} -{% set base_log = '[NAT-SRC-' ~ rule %} -{% set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined and config.outbound_interface is not vyos_defined('any') else '' %} -{% if config.translation.address is vyos_defined %} -{% if config.translation.address is vyos_defined('masquerade') %} -{% set trns_addr = config.translation.address %} -{% if config.translation.port is vyos_defined %} -{% set trns_addr = trns_addr ~ ' to ' %} -{% endif %} -{# support 1:1 network translation #} -{% elif config.translation.address | is_ip_network %} -{% set trns_addr = 'snat ip prefix to ip saddr map { ' ~ config.source.address ~ ' : ' ~ config.translation.address ~ ' }' %} -{# we can now clear out the src_addr part as it's already covered in aboves map #} -{% set src_addr = '' %} -{% else %} -{% set trns_addr = 'snat to ' ~ config.translation.address %} -{% endif %} -{% endif %} -{% endif %} -{% set trns_port = ':' ~ config.translation.port if config.translation.port is vyos_defined %} -{# protocol has a default value thus it is always present #} -{% if config.protocol is vyos_defined('tcp_udp') %} -{% set protocol = 'tcp' %} -{% set comment = comment ~ ' tcp_udp' %} -{% else %} -{% set protocol = config.protocol %} -{% endif %} -{% if config.log is vyos_defined %} -{% if config.exclude is vyos_defined %} -{% set log = base_log ~ '-EXCL]' %} -{% elif config.translation.address is vyos_defined('masquerade') %} -{% set log = base_log ~ '-MASQ]' %} -{% else %} -{% set log = base_log ~ ']' %} -{% endif %} -{% endif %} -{% if config.exclude is vyos_defined %} -{# rule has been marked as 'exclude' thus we simply return here #} -{% set trns_addr = 'return' %} -{% set trns_port = '' %} -{% endif %} -{# T1083: NAT address and port translation options #} -{% if config.translation.options is vyos_defined %} -{% if config.translation.options.address_mapping is vyos_defined('persistent') %} -{% set trns_opts_addr = 'persistent' %} -{% endif %} -{% if config.translation.options.port_mapping is vyos_defined('random') %} -{% set trns_opts_port = 'random' %} -{% elif config.translation.options.port_mapping is vyos_defined('fully-random') %} -{% set trns_opts_port = 'fully-random' %} -{% endif %} -{% endif %} -{% if trns_opts_addr is vyos_defined and trns_opts_port is vyos_defined %} -{% set trns_opts = trns_opts_addr ~ ',' ~ trns_opts_port %} -{% elif trns_opts_addr is vyos_defined %} -{% set trns_opts = trns_opts_addr %} -{% elif trns_opts_port is vyos_defined %} -{% set trns_opts = trns_opts_port %} -{% endif %} -{% set output = 'add rule ip nat ' ~ chain ~ interface %} -{% if protocol is not vyos_defined('all') %} -{% set output = output ~ ' ip protocol ' ~ protocol %} -{% endif %} -{% if src_addr is vyos_defined %} -{% set output = output ~ ' ' ~ src_addr %} -{% endif %} -{% if src_port is vyos_defined %} -{% set output = output ~ ' ' ~ protocol ~ ' ' ~ src_port %} -{% endif %} -{% if dst_addr is vyos_defined %} -{% set output = output ~ ' ' ~ dst_addr %} -{% endif %} -{% if dst_port is vyos_defined %} -{% set output = output ~ ' ' ~ protocol ~ ' ' ~ dst_port %} -{% endif %} -{# Count packets #} -{% set output = output ~ ' counter' %} -{# Special handling of log option, we must repeat the entire rule before the #} -{# NAT translation options are added, this is essential #} -{% if log is vyos_defined %} -{% set log_output = output ~ ' log prefix "' ~ log ~ '" comment "' ~ comment ~ '"' %} -{% endif %} -{% if trns_addr is vyos_defined %} -{% set output = output ~ ' ' ~ trns_addr %} -{% endif %} -{% if trns_port is vyos_defined %} -{# Do not add a whitespace here, translation port must be directly added after IP address #} -{# e.g. 192.0.2.10:3389 #} -{% set output = output ~ trns_port %} -{% endif %} -{% if trns_opts is vyos_defined %} -{% set output = output ~ ' ' ~ trns_opts %} -{% endif %} -{% if comment is vyos_defined %} -{% set output = output ~ ' comment "' ~ comment ~ '"' %} -{% endif %} -{{ log_output if log_output is vyos_defined }} -{{ output }} -{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #} -{% if config.protocol is vyos_defined('tcp_udp') %} -{# Beware of trailing whitespace, without it the comment tcp_udp will be changed to udp_udp #} -{{ log_output | replace('tcp ', 'udp ') if log_output is vyos_defined }} -{{ output | replace('tcp ', 'udp ') }} -{% endif %} -{% endmacro %} - -# Start with clean SNAT and DNAT chains -flush chain ip nat PREROUTING -flush chain ip nat POSTROUTING {% if helper_functions is vyos_defined('remove') %} {# NAT if going to be disabled - remove rules and targets from nftables #} {% set base_command = 'delete rule ip raw' %} @@ -162,21 +21,41 @@ add rule ip raw NAT_CONNTRACK counter accept {{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK {% endif %} -# -# Destination NAT rules build up here -# -add rule ip nat PREROUTING counter jump VYOS_PRE_DNAT_HOOK +{% if first_install is not vyos_defined %} +delete table ip vyos_nat +{% endif %} +table ip vyos_nat { + # + # Destination NAT rules build up here + # + chain PREROUTING { + type nat hook prerouting priority -100; policy accept; + counter jump VYOS_PRE_DNAT_HOOK {% if destination.rule is vyos_defined %} {% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} -{{ nat_rule(rule, config, 'PREROUTING') }} + {{ config | nat_rule(rule, 'destination') }} {% endfor %} {% endif %} -# -# Source NAT rules build up here -# -add rule ip nat POSTROUTING counter jump VYOS_PRE_SNAT_HOOK + } + + # + # Source NAT rules build up here + # + chain POSTROUTING { + type nat hook postrouting priority 100; policy accept; + counter jump VYOS_PRE_SNAT_HOOK {% if source.rule is vyos_defined %} {% for rule, config in source.rule.items() if config.disable is not vyos_defined %} -{{ nat_rule(rule, config, 'POSTROUTING') }} + {{ config | nat_rule(rule, 'source') }} {% endfor %} {% endif %} + } + + chain VYOS_PRE_DNAT_HOOK { + return + } + + chain VYOS_PRE_SNAT_HOOK { + return + } +} diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2 index 28714c7a7..27b3eec88 100644 --- a/data/templates/firewall/nftables-nat66.j2 +++ b/data/templates/firewall/nftables-nat66.j2 @@ -1,125 +1,5 @@ #!/usr/sbin/nft -f -{% macro nptv6_rule(rule,config, chain) %} -{% set comment = '' %} -{% set base_log = '' %} -{% set dst_prefix = 'ip6 daddr ' ~ config.destination.prefix.replace('!','!= ') if config.destination.prefix is vyos_defined %} -{% set src_prefix = 'ip6 saddr ' ~ config.source.prefix.replace('!','!= ') if config.source.prefix is vyos_defined %} -{% set source_address = 'ip6 saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %} -{% set dest_address = 'ip6 daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %} -{# Port #} -{% if config.source.port is vyos_defined and config.source.port.startswith('!') %} -{% set src_port = 'sport != { ' ~ config.source.port.replace('!','') ~ ' }' %} -{% else %} -{% set src_port = 'sport { ' ~ config.source.port ~ ' }' if config.source.port is vyos_defined %} -{% endif %} -{% if config.destination.port is vyos_defined and config.destination.port.startswith('!') %} -{% set dst_port = 'dport != { ' ~ config.destination.port.replace('!','') ~ ' }' %} -{% else %} -{% set dst_port = 'dport { ' ~ config.destination.port ~ ' }' if config.destination.port is vyos_defined %} -{% endif %} -{% if chain is vyos_defined('PREROUTING') %} -{% set comment = 'DST-NAT66-' ~ rule %} -{% set base_log = '[NAT66-DST-' ~ rule %} -{% set interface = ' iifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %} -{% if config.translation.address | is_ip_network %} -{# support 1:1 network translation #} -{% set dnat_type = 'dnat prefix to ' %} -{% else %} -{% set dnat_type = 'dnat to ' %} -{% endif %} -{% set trns_address = dnat_type ~ config.translation.address if config.translation.address is vyos_defined %} -{% elif chain is vyos_defined('POSTROUTING') %} -{% set comment = 'SRC-NAT66-' ~ rule %} -{% set base_log = '[NAT66-SRC-' ~ rule %} -{% if config.translation.address is vyos_defined %} -{% if config.translation.address is vyos_defined('masquerade') %} -{% set trns_address = config.translation.address %} -{% else %} -{% if config.translation.address | is_ip_network %} -{# support 1:1 network translation #} -{% set snat_type = 'snat prefix to ' %} -{% else %} -{% set snat_type = 'snat to ' %} -{% endif %} -{% set trns_address = snat_type ~ config.translation.address %} -{% endif %} -{% endif %} -{% set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined else '' %} -{% endif %} -{% set trns_port = ':' ~ config.translation.port if config.translation.port is vyos_defined %} -{# protocol has a default value thus it is always present #} -{% if config.protocol is vyos_defined('tcp_udp') %} -{% set protocol = 'tcp' %} -{% set comment = comment ~ ' tcp_udp' %} -{% else %} -{% set protocol = config.protocol %} -{% endif %} -{% if config.log is vyos_defined %} -{% if config.translation.address is vyos_defined('masquerade') %} -{% set log = base_log ~ '-MASQ]' %} -{% else %} -{% set log = base_log ~ ']' %} -{% endif %} -{% endif %} -{% if config.exclude is vyos_defined %} -{# rule has been marked as 'exclude' thus we simply return here #} -{% set trns_addr = 'return' %} -{% set trns_port = '' %} -{% endif %} -{% set output = 'add rule ip6 nat ' ~ chain ~ interface %} -{# Count packets #} -{% set output = output ~ ' counter' %} -{# Special handling of log option, we must repeat the entire rule before the #} -{# NAT translation options are added, this is essential #} -{% if log is vyos_defined %} -{% set log_output = output ~ ' log prefix "' ~ log ~ '" comment "' ~ comment ~ '"' %} -{% endif %} -{% if src_prefix is vyos_defined %} -{% set output = output ~ ' ' ~ src_prefix %} -{% endif %} -{% if dst_port is vyos_defined %} -{% set output = output ~ ' ' ~ protocol ~ ' ' ~ dst_port %} -{% endif %} -{% if dst_prefix is vyos_defined %} -{% set output = output ~ ' ' ~ dst_prefix %} -{% endif %} -{% if source_address is vyos_defined %} -{% set output = output ~ ' ' ~ source_address %} -{% endif %} -{% if src_port is vyos_defined %} -{% set output = output ~ ' ' ~ protocol ~ ' ' ~ src_port %} -{% endif %} -{% if dest_address is vyos_defined %} -{% set output = output ~ ' ' ~ dest_address %} -{% endif %} -{% if config.exclude is vyos_defined %} -{# rule has been marked as 'exclude' thus we simply return here #} -{% set trns_address = 'return' %} -{% endif %} -{% if trns_address is vyos_defined %} -{% set output = output ~ ' ' ~ trns_address %} -{% endif %} -{% if trns_port is vyos_defined %} -{# Do not add a whitespace here, translation port must be directly added after IP address #} -{# e.g. 2001:db8::1:3389 #} -{% set output = output ~ trns_port %} -{% endif %} -{% if comment is vyos_defined %} -{% set output = output ~ ' comment "' ~ comment ~ '"' %} -{% endif %} -{{ log_output if log_output is vyos_defined }} -{{ output }} -{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #} -{% if config.protocol is vyos_defined('tcp_udp') %} -{# Beware of trailing whitespace, without it the comment tcp_udp will be changed to udp_udp #} -{{ log_output | replace('tcp ', 'udp ') if log_output is vyos_defined }} -{{ output | replace('tcp ', 'udp ') }} -{% endif %} -{% endmacro %} - -# Start with clean NAT table -flush table ip6 nat {% if helper_functions is vyos_defined('remove') %} {# NAT if going to be disabled - remove rules and targets from nftables #} {% set base_command = 'delete rule ip6 raw' %} @@ -137,19 +17,41 @@ add rule ip6 raw NAT_CONNTRACK counter accept {{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK {% endif %} -# -# Destination NAT66 rules build up here -# +{% if first_install is not vyos_defined %} +delete table ip6 vyos_nat +{% endif %} +table ip6 vyos_nat { + # + # Destination NAT66 rules build up here + # + chain PREROUTING { + type nat hook prerouting priority -100; policy accept; + counter jump VYOS_DNPT_HOOK {% if destination.rule is vyos_defined %} {% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} -{{ nptv6_rule(rule, config, 'PREROUTING') }} + {{ config | nat_rule(rule, 'destination', ipv6=True) }} {% endfor %} {% endif %} -# -# Source NAT66 rules build up here -# + } + + # + # Source NAT66 rules build up here + # + chain POSTROUTING { + type nat hook postrouting priority 100; policy accept; + counter jump VYOS_SNPT_HOOK {% if source.rule is vyos_defined %} {% for rule, config in source.rule.items() if config.disable is not vyos_defined %} -{{ nptv6_rule(rule, config, 'POSTROUTING') }} + {{ config | nat_rule(rule, 'source', ipv6=True) }} {% endfor %} {% endif %} + } + + chain VYOS_DNPT_HOOK { + return + } + + chain VYOS_SNPT_HOOK { + return + } +} diff --git a/data/templates/firewall/nftables-static-nat.j2 b/data/templates/firewall/nftables-static-nat.j2 index d3c43858f..790c33ce9 100644 --- a/data/templates/firewall/nftables-static-nat.j2 +++ b/data/templates/firewall/nftables-static-nat.j2 @@ -1,115 +1,31 @@ #!/usr/sbin/nft -f -{% macro nat_rule(rule, config, chain) %} -{% set comment = '' %} -{% set base_log = '' %} - -{% if chain is vyos_defined('PREROUTING') %} -{% set comment = 'STATIC-NAT-' ~ rule %} -{% set base_log = '[NAT-DST-' ~ rule %} -{% set interface = ' iifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %} -{% if config.translation.address is vyos_defined %} -{# support 1:1 network translation #} -{% if config.translation.address | is_ip_network %} -{% set trns_addr = 'dnat ip prefix to ip daddr map { ' ~ config.destination.address ~ ' : ' ~ config.translation.address ~ ' }' %} -{# we can now clear out the dst_addr part as it's already covered in aboves map #} -{% else %} -{% set dst_addr = 'ip daddr ' ~ config.destination.address if config.destination.address is vyos_defined %} -{% set trns_addr = 'dnat to ' ~ config.translation.address %} -{% endif %} -{% endif %} -{% elif chain is vyos_defined('POSTROUTING') %} -{% set comment = 'STATIC-NAT-' ~ rule %} -{% set base_log = '[NAT-SRC-' ~ rule %} -{% set interface = ' oifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %} -{% if config.translation.address is vyos_defined %} -{# support 1:1 network translation #} -{% if config.translation.address | is_ip_network %} -{% set trns_addr = 'snat ip prefix to ip saddr map { ' ~ config.translation.address ~ ' : ' ~ config.destination.address ~ ' }' %} -{# we can now clear out the src_addr part as it's already covered in aboves map #} -{% else %} -{% set src_addr = 'ip saddr ' ~ config.translation.address if config.translation.address is vyos_defined %} -{% set trns_addr = 'snat to ' ~ config.destination.address %} -{% endif %} -{% endif %} -{% endif %} - -{% if config.exclude is vyos_defined %} -{# rule has been marked as 'exclude' thus we simply return here #} -{% set trns_addr = 'return' %} -{% set trns_port = '' %} -{% endif %} - -{% if config.translation.options is vyos_defined %} -{% if config.translation.options.address_mapping is vyos_defined('persistent') %} -{% set trns_opts_addr = 'persistent' %} -{% endif %} -{% if config.translation.options.port_mapping is vyos_defined('random') %} -{% set trns_opts_port = 'random' %} -{% elif config.translation.options.port_mapping is vyos_defined('fully-random') %} -{% set trns_opts_port = 'fully-random' %} -{% endif %} -{% endif %} - -{% if trns_opts_addr is vyos_defined and trns_opts_port is vyos_defined %} -{% set trns_opts = trns_opts_addr ~ ',' ~ trns_opts_port %} -{% elif trns_opts_addr is vyos_defined %} -{% set trns_opts = trns_opts_addr %} -{% elif trns_opts_port is vyos_defined %} -{% set trns_opts = trns_opts_port %} -{% endif %} - -{% set output = 'add rule ip vyos_static_nat ' ~ chain ~ interface %} - -{% if dst_addr is vyos_defined %} -{% set output = output ~ ' ' ~ dst_addr %} +{% if first_install is not vyos_defined %} +delete table ip vyos_static_nat {% endif %} -{% if src_addr is vyos_defined %} -{% set output = output ~ ' ' ~ src_addr %} -{% endif %} - -{# Count packets #} -{% set output = output ~ ' counter' %} -{# Special handling of log option, we must repeat the entire rule before the #} -{# NAT translation options are added, this is essential #} -{% if log is vyos_defined %} -{% set log_output = output ~ ' log prefix "' ~ log ~ '" comment "' ~ comment ~ '"' %} -{% endif %} -{% if trns_addr is vyos_defined %} -{% set output = output ~ ' ' ~ trns_addr %} -{% endif %} - -{% if trns_opts is vyos_defined %} -{% set output = output ~ ' ' ~ trns_opts %} -{% endif %} -{% if comment is vyos_defined %} -{% set output = output ~ ' comment "' ~ comment ~ '"' %} -{% endif %} -{{ log_output if log_output is vyos_defined }} -{{ output }} -{% endmacro %} - -# Start with clean STATIC NAT chains -flush chain ip vyos_static_nat PREROUTING -flush chain ip vyos_static_nat POSTROUTING +table ip vyos_static_nat { + # + # Destination NAT rules build up here + # -{# NAT if enabled - add targets to nftables #} - -# -# Destination NAT rules build up here -# -add rule ip vyos_static_nat PREROUTING counter jump VYOS_PRE_DNAT_HOOK + chain PREROUTING { + type nat hook prerouting priority -100; policy accept; {% if static.rule is vyos_defined %} {% for rule, config in static.rule.items() if config.disable is not vyos_defined %} -{{ nat_rule(rule, config, 'PREROUTING') }} + {{ config | nat_static_rule(rule, 'destination') }} {% endfor %} {% endif %} -# -# Source NAT rules build up here -# -add rule ip vyos_static_nat POSTROUTING counter jump VYOS_PRE_SNAT_HOOK + } + + # + # Source NAT rules build up here + # + chain POSTROUTING { + type nat hook postrouting priority 100; policy accept; {% if static.rule is vyos_defined %} {% for rule, config in static.rule.items() if config.disable is not vyos_defined %} -{{ nat_rule(rule, config, 'POSTROUTING') }} + {{ config | nat_static_rule(rule, 'source') }} {% endfor %} {% endif %} + } +} diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2 new file mode 100644 index 000000000..17ef5101d --- /dev/null +++ b/data/templates/firewall/nftables-zone.j2 @@ -0,0 +1,78 @@ + +{% macro zone_chains(zone, state_policy=False, ipv6=False) %} +{% set fw_name = 'ipv6_name' if ipv6 else 'name' %} +{% set suffix = '6' if ipv6 else '' %} + chain VYOS_ZONE_FORWARD { + type filter hook forward priority 1; policy accept; +{% if state_policy %} + jump VYOS_STATE_POLICY{{ suffix }} +{% endif %} +{% for zone_name, zone_conf in zone.items() %} +{% if 'local_zone' not in zone_conf %} + oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }} +{% endif %} +{% endfor %} + } + chain VYOS_ZONE_LOCAL { + type filter hook input priority 1; policy accept; +{% if state_policy %} + jump VYOS_STATE_POLICY{{ suffix }} +{% endif %} +{% for zone_name, zone_conf in zone.items() %} +{% if 'local_zone' in zone_conf %} + counter jump VZONE_{{ zone_name }}_IN +{% endif %} +{% endfor %} + } + chain VYOS_ZONE_OUTPUT { + type filter hook output priority 1; policy accept; +{% if state_policy %} + jump VYOS_STATE_POLICY{{ suffix }} +{% endif %} +{% for zone_name, zone_conf in zone.items() %} +{% if 'local_zone' in zone_conf %} + counter jump VZONE_{{ zone_name }}_OUT +{% endif %} +{% endfor %} + } +{% for zone_name, zone_conf in zone.items() %} +{% if zone_conf.local_zone is vyos_defined %} + chain VZONE_{{ zone_name }}_IN { + iifname lo counter return +{% if zone_conf.from is vyos_defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %} + iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }} + iifname { {{ zone[from_zone].interface | join(",") }} } counter return +{% endfor %} +{% endif %} + {{ zone_conf | nft_default_rule('zone_' + zone_name) }} + } + chain VZONE_{{ zone_name }}_OUT { + oifname lo counter return +{% if zone_conf.from_local is vyos_defined %} +{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %} + oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }} + oifname { {{ zone[from_zone].interface | join(",") }} } counter return +{% endfor %} +{% endif %} + {{ zone_conf | nft_default_rule('zone_' + zone_name) }} + } +{% else %} + chain VZONE_{{ zone_name }} { + iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6) }} +{% if zone_conf.intra_zone_filtering is vyos_defined %} + iifname { {{ zone_conf.interface | join(",") }} } counter return +{% endif %} +{% if zone_conf.from is vyos_defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %} +{% if zone[from_zone].local_zone is not defined %} + iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }} + iifname { {{ zone[from_zone].interface | join(",") }} } counter return +{% endif %} +{% endfor %} +{% endif %} + {{ zone_conf | nft_default_rule('zone_' + zone_name) }} + } +{% endif %} +{% endfor %} +{% endmacro %} diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 5971e1bbc..a0f0b8c11 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -1,25 +1,48 @@ #!/usr/sbin/nft -f {% import 'firewall/nftables-defines.j2' as group_tmpl %} +{% import 'firewall/nftables-zone.j2' as zone_tmpl %} -{% if cleanup_commands is vyos_defined %} -{% for command in cleanup_commands %} -{{ command }} -{% endfor %} +{% if first_install is not vyos_defined %} +delete table ip vyos_filter {% endif %} - -table ip filter { -{% if first_install is vyos_defined %} +table ip vyos_filter { chain VYOS_FW_FORWARD { type filter hook forward priority 0; policy accept; +{% if state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if interface is vyos_defined %} +{% for ifname, ifconf in interface.items() %} +{% if ifconf.in is vyos_defined and ifconf.in.name is vyos_defined %} + iifname {{ ifname }} counter jump NAME_{{ ifconf.in.name }} +{% endif %} +{% if ifconf.out is vyos_defined and ifconf.out.name is vyos_defined %} + oifname {{ ifname }} counter jump NAME_{{ ifconf.out.name }} +{% endif %} +{% endfor %} +{% endif %} jump VYOS_POST_FW } chain VYOS_FW_LOCAL { type filter hook input priority 0; policy accept; +{% if state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if interface is vyos_defined %} +{% for ifname, ifconf in interface.items() %} +{% if ifconf.local is vyos_defined and ifconf.local.name is vyos_defined %} + iifname {{ ifname }} counter jump NAME_{{ ifconf.local.name }} +{% endif %} +{% endfor %} +{% endif %} jump VYOS_POST_FW } chain VYOS_FW_OUTPUT { type filter hook output priority 0; policy accept; +{% if state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} jump VYOS_POST_FW } chain VYOS_POST_FW { @@ -29,7 +52,6 @@ table ip filter { type filter hook prerouting priority -450; policy accept; ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return } -{% endif %} {% if name is vyos_defined %} {% set ns = namespace(sets=[]) %} {% for name_text, conf in name.items() %} @@ -72,6 +94,10 @@ table ip filter { {{ group_tmpl.groups(group, False) }} +{% if zone is vyos_defined %} +{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, False) }} +{% endif %} + {% if state_policy is vyos_defined %} chain VYOS_STATE_POLICY { {% if state_policy.established is vyos_defined %} @@ -88,18 +114,46 @@ table ip filter { {% endif %} } -table ip6 filter { -{% if first_install is vyos_defined %} +{% if first_install is not vyos_defined %} +delete table ip6 vyos_filter +{% endif %} +table ip6 vyos_filter { chain VYOS_FW6_FORWARD { type filter hook forward priority 0; policy accept; +{% if state_policy is vyos_defined %} + jump VYOS_STATE_POLICY6 +{% endif %} +{% if interface is vyos_defined %} +{% for ifname, ifconf in interface.items() %} +{% if ifconf.in is vyos_defined and ifconf.in.ipv6_name is vyos_defined %} + iifname {{ ifname }} counter jump NAME6_{{ ifconf.in.ipv6_name }} +{% endif %} +{% if ifconf.out is vyos_defined and ifconf.out.ipv6_name is vyos_defined %} + oifname {{ ifname }} counter jump NAME6_{{ ifconf.out.ipv6_name }} +{% endif %} +{% endfor %} +{% endif %} jump VYOS_POST_FW6 } chain VYOS_FW6_LOCAL { type filter hook input priority 0; policy accept; +{% if state_policy is vyos_defined %} + jump VYOS_STATE_POLICY6 +{% endif %} +{% if interface is vyos_defined %} +{% for ifname, ifconf in interface.items() %} +{% if ifconf.local is vyos_defined and ifconf.local.ipv6_name is vyos_defined %} + iifname {{ ifname }} counter jump NAME6_{{ ifconf.local.ipv6_name }} +{% endif %} +{% endfor %} +{% endif %} jump VYOS_POST_FW6 } chain VYOS_FW6_OUTPUT { type filter hook output priority 0; policy accept; +{% if state_policy is vyos_defined %} + jump VYOS_STATE_POLICY6 +{% endif %} jump VYOS_POST_FW6 } chain VYOS_POST_FW6 { @@ -109,7 +163,6 @@ table ip6 filter { type filter hook prerouting priority -450; policy accept; exthdr frag exists meta mark set 0xffff1 return } -{% endif %} {% if ipv6_name is vyos_defined %} {% set ns = namespace(sets=[]) %} {% for name_text, conf in ipv6_name.items() %} @@ -122,7 +175,7 @@ table ip6 filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule(name_text) }} + {{ conf | nft_default_rule(name_text, ipv6=True) }} } {% endfor %} {% for set_name in ns.sets %} @@ -144,181 +197,22 @@ table ip6 filter { {{ group_tmpl.groups(group, True) }} +{% if zone is vyos_defined %} +{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, True) }} +{% endif %} + {% if state_policy is vyos_defined %} chain VYOS_STATE_POLICY6 { {% if state_policy.established is vyos_defined %} - {{ state_policy.established | nft_state_policy('established', ipv6=True) }} + {{ state_policy.established | nft_state_policy('established') }} {% endif %} {% if state_policy.invalid is vyos_defined %} - {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }} + {{ state_policy.invalid | nft_state_policy('invalid') }} {% endif %} {% if state_policy.related is vyos_defined %} - {{ state_policy.related | nft_state_policy('related', ipv6=True) }} + {{ state_policy.related | nft_state_policy('related') }} {% endif %} return } {% endif %} } - -{% if first_install is vyos_defined %} -table ip nat { - chain PREROUTING { - type nat hook prerouting priority -100; policy accept; - counter jump VYOS_PRE_DNAT_HOOK - } - - chain POSTROUTING { - type nat hook postrouting priority 100; policy accept; - counter jump VYOS_PRE_SNAT_HOOK - } - - chain VYOS_PRE_DNAT_HOOK { - return - } - - chain VYOS_PRE_SNAT_HOOK { - return - } -} - -table ip vyos_static_nat { - chain PREROUTING { - type nat hook prerouting priority -100; policy accept; - counter jump VYOS_PRE_DNAT_HOOK - } - - chain POSTROUTING { - type nat hook postrouting priority 100; policy accept; - counter jump VYOS_PRE_SNAT_HOOK - } - - chain VYOS_PRE_DNAT_HOOK { - return - } - - chain VYOS_PRE_SNAT_HOOK { - return - } -} - -table ip6 nat { - chain PREROUTING { - type nat hook prerouting priority -100; policy accept; - counter jump VYOS_DNPT_HOOK - } - - chain POSTROUTING { - type nat hook postrouting priority 100; policy accept; - counter jump VYOS_SNPT_HOOK - } - - chain VYOS_DNPT_HOOK { - return - } - - chain VYOS_SNPT_HOOK { - return - } -} - -table inet mangle { - chain FORWARD { - type filter hook forward priority -150; policy accept; - } -} - -table raw { - chain VYOS_TCP_MSS { - type filter hook forward priority -300; policy accept; - } - - chain PREROUTING { - type filter hook prerouting priority -200; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_PREROUTING_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain OUTPUT { - type filter hook output priority -200; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_OUTPUT_HOOK - counter jump FW_CONNTRACK - notrack - } - - ct helper rpc_tcp { - type "rpc" protocol tcp; - } - - ct helper rpc_udp { - type "rpc" protocol udp; - } - - ct helper tns_tcp { - type "tns" protocol tcp; - } - - chain VYOS_CT_HELPER { - ct helper set "rpc_tcp" tcp dport {111} return - ct helper set "rpc_udp" udp dport {111} return - ct helper set "tns_tcp" tcp dport {1521,1525,1536} return - return - } - - chain VYOS_CT_IGNORE { - return - } - - chain VYOS_CT_TIMEOUT { - return - } - - chain VYOS_CT_PREROUTING_HOOK { - return - } - - chain VYOS_CT_OUTPUT_HOOK { - return - } - - chain FW_CONNTRACK { - accept - } -} - -table ip6 raw { - chain VYOS_TCP_MSS { - type filter hook forward priority -300; policy accept; - } - - chain PREROUTING { - type filter hook prerouting priority -300; policy accept; - counter jump VYOS_CT_PREROUTING_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain OUTPUT { - type filter hook output priority -300; policy accept; - counter jump VYOS_CT_OUTPUT_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain VYOS_CT_PREROUTING_HOOK { - return - } - - chain VYOS_CT_OUTPUT_HOOK { - return - } - - chain FW_CONNTRACK { - accept - } -} -{% endif %} diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index 808e9dbe7..e8d135c78 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -378,14 +378,19 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% endif %} {% endif %} {% if afi_config.route_target.both is vyos_defined %} - route-target both {{ afi_config.route_target.both }} -{% else %} -{% if afi_config.route_target.export is vyos_defined %} - route-target export {{ afi_config.route_target.export }} -{% endif %} -{% if afi_config.route_target.import is vyos_defined %} - route-target import {{ afi_config.route_target.import }} -{% endif %} +{% for route_target in afi_config.route_target.both %} + route-target both {{ route_target }} +{% endfor %} +{% endif %} +{% if afi_config.route_target.export is vyos_defined %} +{% for route_target in afi_config.route_target.export %} + route-target export {{ route_target }} +{% endfor %} +{% endif %} +{% if afi_config.route_target.import is vyos_defined %} +{% for route_target in afi_config.route_target.import %} + route-target import {{ route_target }} +{% endfor %} {% endif %} {% if afi_config.route_map.vpn.export is vyos_defined %} route-map vpn export {{ afi_config.route_map.vpn.export }} @@ -461,6 +466,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if parameters.bestpath.med is vyos_defined %} bgp bestpath med {{ 'confed' if parameters.bestpath.med.confed is vyos_defined }} {{ 'missing-as-worst' if parameters.bestpath.med.missing_as_worst is vyos_defined }} {% endif %} +{% if parameters.bestpath.peer_type is vyos_defined %} + bgp bestpath peer-type {{ 'multipath-relax' if parameters.bestpath.peer_type.multipath_relax is vyos_defined }} +{% endif %} {% if parameters.cluster_id is vyos_defined %} bgp cluster-id {{ parameters.cluster_id }} {% endif %} diff --git a/data/templates/frr/isisd.frr.j2 b/data/templates/frr/isisd.frr.j2 index 8e95348bc..194dbcb07 100644 --- a/data/templates/frr/isisd.frr.j2 +++ b/data/templates/frr/isisd.frr.j2 @@ -107,9 +107,6 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }} mpls-te inter-as{{ level }} {% endif %} {% if segment_routing is vyos_defined %} -{% if segment_routing.enable is vyos_defined %} - segment-routing on -{% endif %} {% if segment_routing.maximum_label_depth is vyos_defined %} segment-routing node-msd {{ segment_routing.maximum_label_depth }} {% endif %} @@ -124,28 +121,27 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }} {% for prefix, prefix_config in segment_routing.prefix.items() %} {% if prefix_config.absolute is vyos_defined %} {% if prefix_config.absolute.value is vyos_defined %} - segment-routing prefix {{ prefixes }} absolute {{ prefix_config.absolute.value }} + segment-routing prefix {{ prefix }} absolute {{ prefix_config.absolute.value }} {% if prefix_config.absolute.explicit_null is vyos_defined %} - segment-routing prefix {{ prefixes }} absolute {{ prefix_config.absolute.value }} explicit-null -{% endif %} -{% if prefix_config.absolute.no_php_flag is vyos_defined %} - segment-routing prefix {{ prefixes }} absolute {{ prefix_config.absolute.value }} no-php-flag + segment-routing prefix {{ prefix }} absolute {{ prefix_config.absolute.value }} explicit-null +{% elif prefix_config.absolute.no_php_flag is vyos_defined %} + segment-routing prefix {{ prefix }} absolute {{ prefix_config.absolute.value }} no-php-flag {% endif %} {% endif %} -{% if prefix_config.index is vyos_defined %} -{% if prefix_config.index.value is vyos_defined %} - segment-routing prefix {{ prefixes }} index {{ prefix_config.index.value }} -{% if prefix_config.index.explicit_null is vyos_defined %} - segment-routing prefix {{ prefixes }} index {{ prefix_config.index.value }} explicit-null -{% endif %} -{% if prefix_config.index.no_php_flag is vyos_defined %} - segment-routing prefix {{ prefixes }} index {{ prefix_config.index.value }} no-php-flag -{% endif %} +{% endif %} +{% if prefix_config.index is vyos_defined %} +{% if prefix_config.index.value is vyos_defined %} + segment-routing prefix {{ prefix }} index {{ prefix_config.index.value }} +{% if prefix_config.index.explicit_null is vyos_defined %} + segment-routing prefix {{ prefix }} index {{ prefix_config.index.value }} explicit-null +{% elif prefix_config.index.no_php_flag is vyos_defined %} + segment-routing prefix {{ prefix }} index {{ prefix_config.index.value }} no-php-flag {% endif %} {% endif %} {% endif %} {% endfor %} {% endif %} + segment-routing on {% endif %} {% if spf_delay_ietf.init_delay is vyos_defined %} spf-delay-ietf init-delay {{ spf_delay_ietf.init_delay }} short-delay {{ spf_delay_ietf.short_delay }} long-delay {{ spf_delay_ietf.long_delay }} holddown {{ spf_delay_ietf.holddown }} time-to-learn {{ spf_delay_ietf.time_to_learn }} diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index 427fc8be7..9cd9b03dc 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 @@ -181,6 +181,33 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if refresh.timers is vyos_defined %} refresh timer {{ refresh.timers }} {% endif %} +{% if segment_routing is vyos_defined %} +{% if segment_routing.maximum_label_depth is vyos_defined %} + segment-routing node-msd {{ segment_routing.maximum_label_depth }} +{% endif %} +{% if segment_routing.global_block is vyos_defined %} +{% if segment_routing.local_block is vyos_defined %} + segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }} local-block {{ segment_routing.local_block.low_label_value }} {{ segment_routing.local_block.high_label_value }} +{% else %} + segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }} +{% endif %} +{% endif %} +{% if segment_routing.prefix is vyos_defined %} +{% for prefix, prefix_config in segment_routing.prefix.items() %} +{% if prefix_config.index is vyos_defined %} +{% if prefix_config.index.value is vyos_defined %} + segment-routing prefix {{ prefix }} index {{ prefix_config.index.value }} +{% if prefix_config.index.explicit_null is vyos_defined %} + segment-routing prefix {{ prefix }} index {{ prefix_config.index.value }} explicit-null +{% elif prefix_config.index.no_php_flag is vyos_defined %} + segment-routing prefix {{ prefix }} index {{ prefix_config.index.value }} no-php-flag +{% endif %} +{% endif %} +{% endif %} +{% endfor %} +{% endif %} + segment-routing on +{% endif %} {% if timers.throttle.spf.delay is vyos_defined and timers.throttle.spf.initial_holdtime is vyos_defined and timers.throttle.spf.max_holdtime is vyos_defined %} {# Timer values have default values #} timers throttle spf {{ timers.throttle.spf.delay }} {{ timers.throttle.spf.initial_holdtime }} {{ timers.throttle.spf.max_holdtime }} diff --git a/data/templates/frr/policy.frr.j2 b/data/templates/frr/policy.frr.j2 index 33df17770..5ad4bd28c 100644 --- a/data/templates/frr/policy.frr.j2 +++ b/data/templates/frr/policy.frr.j2 @@ -274,11 +274,17 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }} {% if rule_config.set.atomic_aggregate is vyos_defined %} set atomic-aggregate {% endif %} -{% if rule_config.set.comm_list.comm_list is vyos_defined %} - set comm-list {{ rule_config.set.comm_list.comm_list }} {{ 'delete' if rule_config.set.comm_list.delete is vyos_defined }} +{% if rule_config.set.community.delete is vyos_defined %} + set comm-list {{ rule_config.set.community.delete }} delete {% endif %} -{% if rule_config.set.community is vyos_defined %} - set community {{ rule_config.set.community }} +{% if rule_config.set.community.replace is vyos_defined %} + set community {{ rule_config.set.community.replace | join(' ') | replace("local-as" , "local-AS") }} +{% endif %} +{% if rule_config.set.community.add is vyos_defined %} + set community {{ rule_config.set.community.add | join(' ') | replace("local-as" , "local-AS") }} additive +{% endif %} +{% if rule_config.set.community.none is vyos_defined %} + set community none {% endif %} {% if rule_config.set.distance is vyos_defined %} set distance {{ rule_config.set.distance }} @@ -290,13 +296,16 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }} set evpn gateway-ip ipv6 {{ rule_config.set.evpn.gateway.ipv6 }} {% endif %} {% if rule_config.set.extcommunity.bandwidth is vyos_defined %} - set extcommunity bandwidth {{ rule_config.set.extcommunity.bandwidth }} + set extcommunity bandwidth {{ rule_config.set.extcommunity.bandwidth }} {{ 'non-transitive' if rule_config.set.extcommunity.bandwidth_non_transitive is vyos_defined }} {% endif %} {% if rule_config.set.extcommunity.rt is vyos_defined %} - set extcommunity rt {{ rule_config.set.extcommunity.rt }} + set extcommunity rt {{ rule_config.set.extcommunity.rt | join(' ') }} {% endif %} {% if rule_config.set.extcommunity.soo is vyos_defined %} - set extcommunity soo {{ rule_config.set.extcommunity.soo }} + set extcommunity soo {{ rule_config.set.extcommunity.soo | join(' ') }} +{% endif %} +{% if rule_config.set.extcommunity.none is vyos_defined %} + set extcommunity none {% endif %} {% if rule_config.set.ip_next_hop is vyos_defined %} set ip next-hop {{ rule_config.set.ip_next_hop }} @@ -313,11 +322,17 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }} {% if rule_config.set.ipv6_next_hop.prefer_global is vyos_defined %} set ipv6 next-hop prefer-global {% endif %} -{% if rule_config.set.large_community is vyos_defined %} - set large-community {{ rule_config.set.large_community }} +{% if rule_config.set.large_community.replace is vyos_defined %} + set large-community {{ rule_config.set.large_community.replace | join(' ') }} +{% endif %} +{% if rule_config.set.large_community.add is vyos_defined %} + set large-community {{ rule_config.set.large_community.add | join(' ') }} additive +{% endif %} +{% if rule_config.set.large_community.none is vyos_defined %} + set large-community none {% endif %} -{% if rule_config.set.large_comm_list_delete is vyos_defined %} - set large-comm-list {{ rule_config.set.large_comm_list_delete }} delete +{% if rule_config.set.large_community.delete is vyos_defined %} + set large-comm-list {{ rule_config.set.large_community.delete }} delete {% endif %} {% if rule_config.set.local_preference is vyos_defined %} set local-preference {{ rule_config.set.local_preference }} diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2 index 6684dbc2c..706e1c5ae 100644 --- a/data/templates/high-availability/keepalived.conf.j2 +++ b/data/templates/high-availability/keepalived.conf.j2 @@ -47,10 +47,10 @@ vrrp_instance {{ name }} { {% endif %} {% endif %} {% if group_config.rfc3768_compatibility is vyos_defined and group_config.peer_address is vyos_defined %} - use_vmac {{ group_config.interface }}v{{ group_config.vrid }} + use_vmac {{ group_config.interface }}v{{ group_config.vrid }}v{{ '4' if group_config['address'] | first | is_ipv4 else '6' }} vmac_xmit_base {% elif group_config.rfc3768_compatibility is vyos_defined %} - use_vmac {{ group_config.interface }}v{{ group_config.vrid }} + use_vmac {{ group_config.interface }}v{{ group_config.vrid }}v{{ '4' if group_config['address'] | first | is_ipv4 else '6' }} {% endif %} {% if group_config.authentication is vyos_defined %} authentication { diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2 index b9f77a257..0340d3c92 100644 --- a/data/templates/ids/fastnetmon.j2 +++ b/data/templates/ids/fastnetmon.j2 @@ -37,18 +37,70 @@ process_incoming_traffic = {{ 'on' if direction is vyos_defined and 'in' in dire process_outgoing_traffic = {{ 'on' if direction is vyos_defined and 'out' in direction else 'off' }} {% if threshold is vyos_defined %} -{% for thr, thr_value in threshold.items() %} -{% if thr is vyos_defined('fps') %} +{% if threshold.general is vyos_defined %} +# General threshold +{% for thr, thr_value in threshold.general.items() %} +{% if thr is vyos_defined('fps') %} ban_for_flows = on threshold_flows = {{ thr_value }} -{% elif thr is vyos_defined('mbps') %} +{% elif thr is vyos_defined('mbps') %} ban_for_bandwidth = on threshold_mbps = {{ thr_value }} -{% elif thr is vyos_defined('pps') %} +{% elif thr is vyos_defined('pps') %} ban_for_pps = on threshold_pps = {{ thr_value }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} +{% endif %} + +{% if threshold.tcp is vyos_defined %} +# TCP threshold +{% for thr, thr_value in threshold.tcp.items() %} +{% if thr is vyos_defined('fps') %} +ban_for_tcp_flows = on +threshold_tcp_flows = {{ thr_value }} +{% elif thr is vyos_defined('mbps') %} +ban_for_tcp_bandwidth = on +threshold_tcp_mbps = {{ thr_value }} +{% elif thr is vyos_defined('pps') %} +ban_for_tcp_pps = on +threshold_tcp_pps = {{ thr_value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if threshold.udp is vyos_defined %} +# UDP threshold +{% for thr, thr_value in threshold.udp.items() %} +{% if thr is vyos_defined('fps') %} +ban_for_udp_flows = on +threshold_udp_flows = {{ thr_value }} +{% elif thr is vyos_defined('mbps') %} +ban_for_udp_bandwidth = on +threshold_udp_mbps = {{ thr_value }} +{% elif thr is vyos_defined('pps') %} +ban_for_udp_pps = on +threshold_udp_pps = {{ thr_value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if threshold.icmp is vyos_defined %} +# ICMP threshold +{% for thr, thr_value in threshold.icmp.items() %} +{% if thr is vyos_defined('fps') %} +ban_for_icmp_flows = on +threshold_icmp_flows = {{ thr_value }} +{% elif thr is vyos_defined('mbps') %} +ban_for_icmp_bandwidth = on +threshold_icmp_mbps = {{ thr_value }} +{% elif thr is vyos_defined('pps') %} +ban_for_icmp_pps = on +threshold_icmp_pps = {{ thr_value }} +{% endif %} +{% endfor %} +{% endif %} + {% endif %} {% if listen_interface is vyos_defined %} diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2 index c8e17729a..eb74924b8 100644 --- a/data/templates/ipsec/ios_profile.j2 +++ b/data/templates/ipsec/ios_profile.j2 @@ -41,7 +41,7 @@ <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty. IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN --> <key>RemoteIdentifier</key> - <string>{{ authentication.id if authentication.id is vyos_defined else 'VyOS' }}</string> + <string>{{ authentication.local_id if authentication.local_id is vyos_defined else 'VyOS' }}</string> <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used --> <key>LocalIdentifier</key> <string></string> diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2 index bf6b8259c..38d7981c6 100644 --- a/data/templates/ipsec/swanctl.conf.j2 +++ b/data/templates/ipsec/swanctl.conf.j2 @@ -63,9 +63,11 @@ secrets { {% if peer_conf.local_address is vyos_defined %} id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} {% endif %} - id-remote = {{ peer }} -{% if peer_conf.authentication.id is vyos_defined %} - id-localid = {{ peer_conf.authentication.id }} +{% for address in peer_conf.remote_address %} + id-remote_{{ address | dot_colon_to_dash }} = {{ address }} +{% endfor %} +{% if peer_conf.authentication.local_id is vyos_defined %} + id-localid = {{ peer_conf.authentication.local_id }} {% endif %} {% if peer_conf.authentication.remote_id is vyos_defined %} id-remoteid = {{ peer_conf.authentication.remote_id }} @@ -93,8 +95,8 @@ secrets { {% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %} {% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %} ike_{{ ra }} { -{% if ra_conf.authentication.id is vyos_defined %} - id = "{{ ra_conf.authentication.id }}" +{% if ra_conf.authentication.local_id is vyos_defined %} + id = "{{ ra_conf.authentication.local_id }}" {% elif ra_conf.local_address is vyos_defined %} id = "{{ ra_conf.local_address }}" {% endif %} diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 index 90d2c774f..d097a04fc 100644 --- a/data/templates/ipsec/swanctl/peer.j2 +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -2,14 +2,14 @@ {% set name = peer.replace("@", "") | dot_colon_to_dash %} {# peer needs to reference the global IKE configuration for certain values #} {% set ike = ike_group[peer_conf.ike_group] %} - peer_{{ name }} { + {{ name }} { proposals = {{ ike | get_esp_ike_cipher | join(',') }} version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} {% if peer_conf.virtual_address is vyos_defined %} vips = {{ peer_conf.virtual_address | join(', ') }} {% endif %} - local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} - remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} + local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%any' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} + remote_addrs = {{ peer_conf.remote_address | join(",") if peer_conf.remote_address is vyos_defined and 'any' not in peer_conf.remote_address else '%any' }} {% if peer_conf.authentication.mode is vyos_defined('x509') %} send_cert = always {% endif %} @@ -21,7 +21,7 @@ aggressive = yes {% endif %} rekey_time = {{ ike.lifetime }}s - mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }} + mobike = {{ "no" if ike.disable_mobike is defined else "yes" }} {% if peer[0:1] == '@' %} keyingtries = 0 reauth_time = 0 @@ -30,12 +30,12 @@ {% elif peer_conf.connection_type is vyos_defined('respond') %} keyingtries = 1 {% endif %} -{% if peer_conf.force_encapsulation is vyos_defined('enable') %} +{% if peer_conf.force_udp_encapsulation is vyos_defined %} encap = yes {% endif %} local { -{% if peer_conf.authentication.id is vyos_defined %} - id = "{{ peer_conf.authentication.id }}" +{% if peer_conf.authentication.local_id is vyos_defined %} + id = "{{ peer_conf.authentication.local_id }}" {% endif %} auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} {% if peer_conf.authentication.mode == 'x509' %} @@ -58,7 +58,7 @@ children { {% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %} {% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %} - peer_{{ name }}_vti { + {{ name }}-vti { esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }} {% if vti_esp.life_bytes is vyos_defined %} life_bytes = {{ vti_esp.life_bytes }} @@ -75,7 +75,7 @@ {% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %} if_id_in = {{ if_id }} if_id_out = {{ if_id }} - ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined('enable') else 'no' }} + ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined else 'no' }} mode = {{ vti_esp.mode }} {% if peer[0:1] == '@' %} start_action = none @@ -101,7 +101,7 @@ {% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} {% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %} {% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} - peer_{{ name }}_tunnel_{{ tunnel_id }} { + {{ name }}-tunnel-{{ tunnel_id }} { esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }} {% if tunnel_esp.life_bytes is vyos_defined %} life_bytes = {{ tunnel_esp.life_bytes }} @@ -126,7 +126,7 @@ local_ts = {{ peer_conf.local_address }}{{ local_suffix }} remote_ts = {{ peer }}{{ remote_suffix }} {% endif %} - ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined('enable') else 'no' }} + ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined else 'no' }} mode = {{ tunnel_esp.mode }} {% if peer[0:1] == '@' %} start_action = none @@ -152,7 +152,7 @@ {% endif %} } {% if tunnel_conf.passthrough is vyos_defined %} - peer_{{ name }}_tunnel_{{ tunnel_id }}_passthrough { + {{ name }}-tunnel-{{ tunnel_id }}-passthrough { local_ts = {{ tunnel_conf.passthrough | join(",") }} remote_ts = {{ tunnel_conf.passthrough | join(",") }} start_action = trap diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 index d2760ec1f..60d2d1807 100644 --- a/data/templates/ipsec/swanctl/remote_access.j2 +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -17,9 +17,9 @@ pools = {{ rw_conf.pool | join(',') }} {% endif %} local { -{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %} +{% if rw_conf.authentication.local_id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %} {# please use " quotes - else Apple iOS goes crazy #} - id = "{{ rw_conf.authentication.id }}" + id = "{{ rw_conf.authentication.local_id }}" {% endif %} {% if rw_conf.authentication.server_mode == 'x509' %} auth = pubkey diff --git a/data/templates/login/autologout.j2 b/data/templates/login/autologout.j2 new file mode 100644 index 000000000..dc94eecc3 --- /dev/null +++ b/data/templates/login/autologout.j2 @@ -0,0 +1,5 @@ +{% if timeout is vyos_defined %} +TMOUT={{ timeout }} +readonly TMOUT +export TMOUT +{% endif %} diff --git a/data/templates/login/pam_radius_auth.conf.j2 b/data/templates/login/pam_radius_auth.conf.j2 index 1105b60e5..c61154753 100644 --- a/data/templates/login/pam_radius_auth.conf.j2 +++ b/data/templates/login/pam_radius_auth.conf.j2 @@ -16,7 +16,7 @@ {% if radius.server is vyos_defined %} # server[:port] shared_secret timeout source_ip {# .items() returns a tuple of two elements: key and value. 1 relates to the 2nd element i.e. the value and .priority relates to the key from the internal dict #} -{% for server, options in radius.server.items() | sort(attribute='1.priority') if not options.disabled %} +{% for server, options in radius.server.items() | sort(attribute='1.priority') if not 'disable' in options %} {# RADIUS IPv6 servers must be specified in [] notation #} {% if server | is_ipv4 %} {{ server }}:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv4 if source_address.ipv4 is vyos_defined }} @@ -33,4 +33,3 @@ mapped_priv_user radius_priv_user vrf-name {{ radius.vrf }} {% endif %} {% endif %} - diff --git a/data/templates/nhrp/nftables.conf.j2 b/data/templates/nhrp/nftables.conf.j2 new file mode 100644 index 000000000..a0d1f6d4c --- /dev/null +++ b/data/templates/nhrp/nftables.conf.j2 @@ -0,0 +1,17 @@ +#!/usr/sbin/nft -f + +{% if first_install is not vyos_defined %} +delete table ip vyos_nhrp_filter +{% endif %} +table ip vyos_nhrp_filter { + chain VYOS_NHRP_OUTPUT { + type filter hook output priority 10; policy accept; +{% if tunnel is vyos_defined %} +{% for tun, tunnel_conf in tunnel.items() %} +{% if if_tunnel[tun].source_address is vyos_defined %} + ip protocol gre ip saddr {{ if_tunnel[tun].source_address }} ip daddr 224.0.0.0/4 counter drop comment "VYOS_NHRP_{{ tun }}" +{% endif %} +{% endfor %} +{% endif %} + } +} diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index e0cad5181..3194354e6 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -1,5 +1,9 @@ ### generated by vpn_openconnect.py ### +{% if listen_address is vyos_defined %} +listen-host = {{ listen_address }} +{% endif %} + tcp-port = {{ listen_ports.tcp }} udp-port = {{ listen_ports.udp }} @@ -7,7 +11,7 @@ run-as-user = nobody run-as-group = daemon {% if "radius" in authentication.mode %} -auth = "radius [config=/run/ocserv/radiusclient.conf]" +auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]" {% elif "local" in authentication.mode %} {% if authentication.mode.local == "password-otp" %} auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" @@ -62,6 +66,13 @@ device = sslvpn dns = {{ dns }} {% endfor %} {% endif %} +{% if network_settings.tunnel_all_dns is vyos_defined %} +{% if "yes" in network_settings.tunnel_all_dns %} +tunnel-all-dns = true +{% else %} +tunnel-all-dns = false +{% endif %} +{% endif %} # IPv4 network pool {% if network_settings.client_ip_settings.subnet is vyos_defined %} @@ -85,3 +96,10 @@ route = {{ route }} split-dns = {{ tmp }} {% endfor %} {% endif %} + +{% if authentication.group is vyos_defined %} +# Group settings +{% for grp in authentication.group %} +select-group = {{ grp }} +{% endfor %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 index 93c6735dd..5bbfdeb88 100644 --- a/data/templates/ssh/sshd_config.j2 +++ b/data/templates/ssh/sshd_config.j2 @@ -96,3 +96,7 @@ DenyGroups {{ access_control.deny.group | join(' ') }} # sshd(8) will send a message through the encrypted channel to request a response from the client ClientAliveInterval {{ client_keepalive_interval }} {% endif %} + +{% if rekey.data is vyos_defined %} +RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }} +{% endif %} diff --git a/data/templates/telegraf/override.conf.j2 b/data/templates/telegraf/override.conf.j2 index d30bb19de..7e3e4aaf5 100644 --- a/data/templates/telegraf/override.conf.j2 +++ b/data/templates/telegraf/override.conf.j2 @@ -12,4 +12,5 @@ EnvironmentFile= Environment=INFLUX_TOKEN={{ influxdb.authentication.token }} CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_BPF CAP_DAC_OVERRIDE AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN - +Restart=always +RestartSec=10 diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2 index 6b395692b..36571ce98 100644 --- a/data/templates/telegraf/telegraf.j2 +++ b/data/templates/telegraf/telegraf.j2 @@ -45,7 +45,7 @@ ### Prometheus ### [[outputs.prometheus_client]] ## Address to listen on - listen = "{{ prometheus_client.listen_address if prometheus_client.listen_address is vyos_defined else '' }}:{{ prometheus_client.port }}" + listen = "{{ prometheus_client.listen_address | bracketize_ipv6 if prometheus_client.listen_address is vyos_defined else '' }}:{{ prometheus_client.port }}" metric_version = {{ prometheus_client.metric_version }} {% if prometheus_client.authentication.username is vyos_defined and prometheus_client.authentication.password is vyos_defined %} ## Use HTTP Basic Authentication @@ -110,7 +110,7 @@ server = "unixgram:///run/telegraf/telegraf_syslog.sock" best_effort = true syslog_standard = "RFC3164" -{% if influxdb_configured is vyos_defined %} +{% if influxdb is vyos_defined %} [[inputs.exec]] commands = [ "{{ custom_scripts_dir }}/show_firewall_input_filter.py", diff --git a/data/templates/zone_policy/nftables.j2 b/data/templates/zone_policy/nftables.j2 deleted file mode 100644 index fe941f9f8..000000000 --- a/data/templates/zone_policy/nftables.j2 +++ /dev/null @@ -1,113 +0,0 @@ -#!/usr/sbin/nft -f - -{% if cleanup_commands is vyos_defined %} -{% for command in cleanup_commands %} -{{ command }} -{% endfor %} -{% endif %} - -{% if zone is vyos_defined %} -table ip filter { -{% for zone_name, zone_conf in zone.items() if zone_conf.ipv4 %} -{% if zone_conf.local_zone is vyos_defined %} - chain VZONE_{{ zone_name }}_IN { - iifname lo counter return -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %} - iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} - iifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endfor %} - {{ zone_conf | nft_default_rule('zone_' + zone_name) }} - } - chain VZONE_{{ zone_name }}_OUT { - oifname lo counter return -{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is vyos_defined %} - oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} - oifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endfor %} - {{ zone_conf | nft_default_rule('zone_' + zone_name) }} - } -{% else %} - chain VZONE_{{ zone_name }} { - iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=False) }} -{% if zone_conf.intra_zone_filtering is vyos_defined %} - iifname { {{ zone_conf.interface | join(",") }} } counter return -{% endif %} -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %} -{% if zone[from_zone].local_zone is not defined %} - iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} - iifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endif %} -{% endfor %} - {{ zone_conf | nft_default_rule('zone_' + zone_name) }} - } -{% endif %} -{% endfor %} -} - -table ip6 filter { -{% for zone_name, zone_conf in zone.items() if zone_conf.ipv6 %} -{% if zone_conf.local_zone is vyos_defined %} - chain VZONE6_{{ zone_name }}_IN { - iifname lo counter return -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %} - iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} - iifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endfor %} - {{ zone_conf | nft_default_rule('zone6_' + zone_name) }} - } - chain VZONE6_{{ zone_name }}_OUT { - oifname lo counter return -{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is vyos_defined %} - oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} - oifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endfor %} - {{ zone_conf | nft_default_rule('zone6_' + zone_name) }} - } -{% else %} - chain VZONE6_{{ zone_name }} { - iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=True) }} -{% if zone_conf.intra_zone_filtering is vyos_defined %} - iifname { {{ zone_conf.interface | join(",") }} } counter return -{% endif %} -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %} -{% if zone[from_zone].local_zone is not defined %} - iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} - iifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endif %} -{% endfor %} - {{ zone_conf | nft_default_rule('zone6_' + zone_name) }} - } -{% endif %} -{% endfor %} -} - -{% for zone_name, zone_conf in zone.items() %} -{% if zone_conf.ipv4 %} -{% if 'local_zone' in zone_conf %} -insert rule ip filter VYOS_FW_LOCAL counter jump VZONE_{{ zone_name }}_IN -insert rule ip filter VYOS_FW_OUTPUT counter jump VZONE_{{ zone_name }}_OUT -{% else %} -insert rule ip filter VYOS_FW_FORWARD oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }} -{% endif %} -{% endif %} -{% if zone_conf.ipv6 %} -{% if 'local_zone' in zone_conf %} -insert rule ip6 filter VYOS_FW6_LOCAL counter jump VZONE6_{{ zone_name }}_IN -insert rule ip6 filter VYOS_FW6_OUTPUT counter jump VZONE6_{{ zone_name }}_OUT -{% else %} -insert rule ip6 filter VYOS_FW6_FORWARD oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE6_{{ zone_name }} -{% endif %} -{% endif %} -{% endfor %} - -{# Ensure that state-policy rule is first in the chain #} -{% if firewall.state_policy is vyos_defined %} -{% for chain in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'] %} -insert rule ip filter {{ chain }} jump VYOS_STATE_POLICY -{% endfor %} -{% for chain in ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL'] %} -insert rule ip6 filter {{ chain }} jump VYOS_STATE_POLICY6 -{% endfor %} -{% endif %} - -{% endif %} diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf new file mode 100644 index 000000000..11a5bc7bf --- /dev/null +++ b/data/vyos-firewall-init.conf @@ -0,0 +1,110 @@ +#!/usr/sbin/nft -f + +# Required by wanloadbalance +table ip nat { + chain VYOS_PRE_SNAT_HOOK { + type nat hook postrouting priority 99; policy accept; + return + } +} + +table inet mangle { + chain FORWARD { + type filter hook forward priority -150; policy accept; + } +} + +table raw { + chain VYOS_TCP_MSS { + type filter hook forward priority -300; policy accept; + } + + chain PREROUTING { + type filter hook prerouting priority -200; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump VYOS_CT_PREROUTING_HOOK + counter jump FW_CONNTRACK + notrack + } + + chain OUTPUT { + type filter hook output priority -200; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump VYOS_CT_OUTPUT_HOOK + counter jump FW_CONNTRACK + notrack + } + + ct helper rpc_tcp { + type "rpc" protocol tcp; + } + + ct helper rpc_udp { + type "rpc" protocol udp; + } + + ct helper tns_tcp { + type "tns" protocol tcp; + } + + chain VYOS_CT_HELPER { + ct helper set "rpc_tcp" tcp dport {111} return + ct helper set "rpc_udp" udp dport {111} return + ct helper set "tns_tcp" tcp dport {1521,1525,1536} return + return + } + + chain VYOS_CT_IGNORE { + return + } + + chain VYOS_CT_TIMEOUT { + return + } + + chain VYOS_CT_PREROUTING_HOOK { + return + } + + chain VYOS_CT_OUTPUT_HOOK { + return + } + + chain FW_CONNTRACK { + accept + } +} + +table ip6 raw { + chain VYOS_TCP_MSS { + type filter hook forward priority -300; policy accept; + } + + chain PREROUTING { + type filter hook prerouting priority -300; policy accept; + counter jump VYOS_CT_PREROUTING_HOOK + counter jump FW_CONNTRACK + notrack + } + + chain OUTPUT { + type filter hook output priority -300; policy accept; + counter jump VYOS_CT_OUTPUT_HOOK + counter jump FW_CONNTRACK + notrack + } + + chain VYOS_CT_PREROUTING_HOOK { + return + } + + chain VYOS_CT_OUTPUT_HOOK { + return + } + + chain FW_CONNTRACK { + accept + } +} |