diff options
Diffstat (limited to 'data')
| -rw-r--r-- | data/config-mode-dependencies/vyos-1x.json | 6 | ||||
| -rw-r--r-- | data/templates/conntrack/nftables-ct.j2 | 36 | ||||
| -rw-r--r-- | data/templates/conntrackd/conntrackd.conf.j2 | 2 | ||||
| -rw-r--r-- | data/templates/frr/ospf6d.frr.j2 | 2 | ||||
| -rw-r--r-- | data/templates/frr/ospfd.frr.j2 | 8 | ||||
| -rw-r--r-- | data/templates/high-availability/keepalived.conf.j2 | 6 | ||||
| -rw-r--r-- | data/templates/load-balancing/wlb.conf.j2 | 4 | ||||
| -rw-r--r-- | data/templates/login/default_motd.j2 | 14 | ||||
| -rw-r--r-- | data/templates/vyos-hostsd/hosts.j2 | 2 | ||||
| -rw-r--r-- | data/vyos-firewall-init.conf | 2 |
10 files changed, 61 insertions, 21 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json index b0586e0bb..afe3dd838 100644 --- a/data/config-mode-dependencies/vyos-1x.json +++ b/data/config-mode-dependencies/vyos-1x.json @@ -1,6 +1,7 @@ { "system_conntrack": { - "conntrack_sync": ["service_conntrack-sync"] + "conntrack_sync": ["service_conntrack-sync"], + "vrf": ["vrf"] }, "firewall": { "conntrack": ["system_conntrack"], @@ -30,6 +31,9 @@ "rpki": ["protocols_rpki"], "sstp": ["vpn_sstp"] }, + "vpn_ipsec": { + "nhrp": ["protocols_nhrp"] + }, "vpn_l2tp": { "ipsec": ["vpn_ipsec"] }, diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2 index 762a6f693..c753e6bcb 100644 --- a/data/templates/conntrack/nftables-ct.j2 +++ b/data/templates/conntrack/nftables-ct.j2 @@ -40,9 +40,6 @@ table ip vyos_conntrack { chain PREROUTING { type filter hook prerouting priority -300; policy accept; -{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} - counter jump VYOS_CT_HELPER -{% endif %} counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -51,11 +48,15 @@ table ip vyos_conntrack { notrack } - chain OUTPUT { - type filter hook output priority -300; policy accept; {% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; counter jump VYOS_CT_HELPER + } {% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -66,6 +67,13 @@ table ip vyos_conntrack { notrack } +{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + {{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }} chain FW_CONNTRACK { @@ -122,9 +130,6 @@ table ip6 vyos_conntrack { chain PREROUTING { type filter hook prerouting priority -300; policy accept; -{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} - counter jump VYOS_CT_HELPER -{% endif %} counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -132,11 +137,15 @@ table ip6 vyos_conntrack { notrack } - chain OUTPUT { - type filter hook output priority -300; policy accept; {% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; counter jump VYOS_CT_HELPER + } {% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -144,6 +153,13 @@ table ip6 vyos_conntrack { notrack } +{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + {{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }} chain FW_CONNTRACK { diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2 index 8f56c8171..669b20877 100644 --- a/data/templates/conntrackd/conntrackd.conf.j2 +++ b/data/templates/conntrackd/conntrackd.conf.j2 @@ -76,7 +76,7 @@ General { HashSize {{ hash_size }} HashLimit {{ table_size | int *2 }} LogFile off - Syslog on + Syslog {{ 'off' if disable_syslog is vyos_defined else 'on' }} LockFile /var/lock/conntrack.lock UNIX { Path /var/run/conntrackd.ctl diff --git a/data/templates/frr/ospf6d.frr.j2 b/data/templates/frr/ospf6d.frr.j2 index b0b5663dd..5f758f9e5 100644 --- a/data/templates/frr/ospf6d.frr.j2 +++ b/data/templates/frr/ospf6d.frr.j2 @@ -109,7 +109,7 @@ router ospf6 {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% endif %} {% if redistribute is vyos_defined %} {% for protocol, options in redistribute.items() %} - redistribute {{ protocol }} {{ 'route-map ' ~ options.route_map if options.route_map is vyos_defined }} + redistribute {{ protocol }} {{ 'metric ' ~ options.metric if options.metric is vyos_defined }} {{ 'metric-type ' ~ options.metric_type if options.metric_type is vyos_defined }} {{ 'route-map ' ~ options.route_map if options.route_map is vyos_defined }} {% endfor %} {% endif %} exit diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index 040628e82..ab074b6a2 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 @@ -214,13 +214,13 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} passive-interface default {% endif %} {% if redistribute is vyos_defined %} -{% for protocol, protocols_options in redistribute.items() %} +{% for protocol, options in redistribute.items() %} {% if protocol == 'table' %} -{% for table, table_options in protocols_options.items() %} - redistribute {{ protocol }} {{ table }} {{ 'metric ' + table_options.metric if table_options.metric is vyos_defined }} {{ 'metric-type ' + table_options.metric_type if table_options.metric_type is vyos_defined }} {{ 'route-map ' + table_options.route_map if table_options.route_map is vyos_defined }} +{% for table, table_options in options.items() %} + redistribute {{ protocol }} {{ table }} {{ 'metric ' ~ table_options.metric if table_options.metric is vyos_defined }} {{ 'metric-type ' ~ table_options.metric_type if table_options.metric_type is vyos_defined }} {{ 'route-map ' ~ table_options.route_map if table_options.route_map is vyos_defined }} {% endfor %} {% else %} - redistribute {{ protocol }} {{ 'metric ' + protocols_options.metric if protocols_options.metric is vyos_defined }} {{ 'metric-type ' + protocols_options.metric_type if protocols_options.metric_type is vyos_defined }} {{ 'route-map ' + protocols_options.route_map if protocols_options.route_map is vyos_defined }} + redistribute {{ protocol }} {{ 'metric ' ~ options.metric if options.metric is vyos_defined }} {{ 'metric-type ' ~ options.metric_type if options.metric_type is vyos_defined }} {{ 'route-map ' ~ options.route_map if options.route_map is vyos_defined }} {% endif %} {% endfor %} {% endif %} diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2 index d54f575b5..f34ce64e2 100644 --- a/data/templates/high-availability/keepalived.conf.j2 +++ b/data/templates/high-availability/keepalived.conf.j2 @@ -82,7 +82,11 @@ vrrp_instance {{ name }} { nopreempt {% endif %} {% if group_config.peer_address is vyos_defined %} - unicast_peer { {{ group_config.peer_address }} } + unicast_peer { +{% for peer_address in group_config.peer_address %} + {{ peer_address }} +{% endfor %} + } {% endif %} {% if group_config.hello_source_address is vyos_defined %} {% if group_config.peer_address is vyos_defined %} diff --git a/data/templates/load-balancing/wlb.conf.j2 b/data/templates/load-balancing/wlb.conf.j2 index 6557b6f4c..7f04d797e 100644 --- a/data/templates/load-balancing/wlb.conf.j2 +++ b/data/templates/load-balancing/wlb.conf.j2 @@ -93,6 +93,8 @@ rule {{ rule }} { {% if rule_config.destination.port is vyos_defined %} {% if '-' in rule_config.destination.port %} port-ipt "-m multiport --dports {{ rule_config.destination.port | replace('-', ':') }}" +{% elif ',' in rule_config.destination.port %} + port-ipt "-m multiport --dports {{ rule_config.destination.port }}" {% else %} port-ipt " --dport {{ rule_config.destination.port }}" {% endif %} @@ -107,6 +109,8 @@ rule {{ rule }} { {% if rule_config.source.port is vyos_defined %} {% if '-' in rule_config.source.port %} port-ipt "-m multiport --sports {{ rule_config.source.port | replace('-', ':') }}" +{% elif ',' in rule_config.destination.port %} + port-ipt "-m multiport --sports {{ rule_config.source.port }}" {% else %} port.ipt " --sport {{ rule_config.source.port }}" {% endif %} diff --git a/data/templates/login/default_motd.j2 b/data/templates/login/default_motd.j2 new file mode 100644 index 000000000..543c6f8e0 --- /dev/null +++ b/data/templates/login/default_motd.j2 @@ -0,0 +1,14 @@ +Welcome to VyOS! + + ┌── ┐ + . VyOS {{ version_data.version }} + └ ──┘ {{ version_data.release_train }} + + * Documentation: {{ version_data.documentation_url }} + * Project news: {{ version_data.project_news_url }} + * Bug reports: {{ version_data.bugtracker_url }} + +You can change this banner using "set system login banner post-login" command. + +VyOS is a free software distribution that includes multiple components, +you can check individual component licenses under /usr/share/doc/*/copyright diff --git a/data/templates/vyos-hostsd/hosts.j2 b/data/templates/vyos-hostsd/hosts.j2 index 5cad983b4..62ecf3ad0 100644 --- a/data/templates/vyos-hostsd/hosts.j2 +++ b/data/templates/vyos-hostsd/hosts.j2 @@ -4,7 +4,7 @@ # Local host 127.0.0.1 localhost -127.0.1.1 {{ host_name }}{% if domain_name %}.{{ domain_name }} {{ host_name }}{% endif %} +127.0.1.1 {{ host_name }} # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf index 5a4e03015..3929edf0b 100644 --- a/data/vyos-firewall-init.conf +++ b/data/vyos-firewall-init.conf @@ -65,11 +65,9 @@ table inet vrf_zones { # Chain for inbound traffic chain vrf_zones_ct_in { type filter hook prerouting priority raw; policy accept; - counter ct original zone set iifname map @ct_iface_map } # Chain for locally-generated traffic chain vrf_zones_ct_out { type filter hook output priority raw; policy accept; - counter ct original zone set oifname map @ct_iface_map } } |