Diffstat (limited to 'data')
-rw-r--r--data/config-mode-dependencies/vyos-1x.json22
-rw-r--r--data/op-mode-standardized.json3
-rw-r--r--data/templates/conntrack/nftables-ct.j251
-rw-r--r--data/templates/conntrack/nftables-helpers.j270
-rw-r--r--data/templates/conntrack/vyos_nf_conntrack.conf.j23
-rw-r--r--data/templates/mdns-repeater/avahi-daemon.conf.j2 (renamed from data/templates/mdns-repeater/avahi-daemon.j2)6
6 files changed, 97 insertions, 58 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index a433c2522..6c86642c7 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,9 +1,23 @@
{
- "firewall": {"conntrack": ["conntrack"], "group_resync": ["conntrack", "nat", "policy-route"]},
+ "conntrack": {"conntrack_sync": ["conntrack_sync"]},
+ "firewall": {
+ "conntrack": ["conntrack"],
+ "conntrack_sync": ["conntrack_sync"],
+ "group_resync": ["conntrack", "nat", "policy-route"]
+ },
"http_api": {"https": ["https"]},
- "load_balancing_wan": {"conntrack": ["conntrack"]},
- "nat": {"conntrack": ["conntrack"]},
- "nat66": {"conntrack": ["conntrack"]},
+ "load_balancing_wan": {
+ "conntrack": ["conntrack"],
+ "conntrack_sync": ["conntrack_sync"]
+ },
+ "nat": {
+ "conntrack": ["conntrack"],
+ "conntrack_sync": ["conntrack_sync"]
+ },
+ "nat66": {
+ "conntrack": ["conntrack"],
+ "conntrack_sync": ["conntrack_sync"]
+ },
"pki": {
"ethernet": ["interfaces-ethernet"],
"openvpn": ["interfaces-openvpn"],
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index ded934bff..ed9bb6cad 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -26,6 +26,5 @@
"storage.py",
"uptime.py",
"version.py",
-"vrf.py",
-"zone.py"
+"vrf.py"
]
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 895f61a55..1e0fc8065 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -1,5 +1,6 @@
#!/usr/sbin/nft -f
+{% import 'conntrack/nftables-helpers.j2' as helper_tmpl %}
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% if first_install is not vyos_defined %}
@@ -52,30 +53,7 @@ table ip vyos_conntrack {
notrack
}
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{% if modules[module] is vyos_defined %}
-{% if 'nftables' in module_conf %}
-{% for rule in module_conf.nftables %}
- {{ rule }}
-{% endfor %}
-{% endif %}
-{% endif %}
-{% endfor %}
- return
- }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }}
chain FW_CONNTRACK {
{{ ipv4_firewall_action }}
@@ -140,30 +118,7 @@ table ip6 vyos_conntrack {
notrack
}
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{% if modules[module] is vyos_defined %}
-{% if 'nftables' in module_conf %}
-{% for rule in module_conf.nftables %}
- {{ rule }}
-{% endfor %}
-{% endif %}
-{% endif %}
-{% endfor %}
- return
- }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }}
chain FW_CONNTRACK {
{{ ipv6_firewall_action }}
diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2
new file mode 100644
index 000000000..433931162
--- /dev/null
+++ b/data/templates/conntrack/nftables-helpers.j2
@@ -0,0 +1,70 @@
+{% macro conntrack_helpers(module_map, modules, ipv4=True) %}
+{% if modules.ftp is vyos_defined %}
+ ct helper ftp_tcp {
+ type "ftp" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.h323 is vyos_defined %}
+ ct helper ras_udp {
+ type "RAS" protocol udp;
+ }
+
+ ct helper q931_tcp {
+ type "Q.931" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.pptp is vyos_defined and ipv4 %}
+ ct helper pptp_tcp {
+ type "pptp" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.nfs is vyos_defined %}
+ ct helper rpc_tcp {
+ type "rpc" protocol tcp;
+ }
+
+ ct helper rpc_udp {
+ type "rpc" protocol udp;
+ }
+{% endif %}
+
+{% if modules.sip is vyos_defined %}
+ ct helper sip_tcp {
+ type "sip" protocol tcp;
+ }
+
+ ct helper sip_udp {
+ type "sip" protocol udp;
+ }
+{% endif %}
+
+{% if modules.tftp is vyos_defined %}
+ ct helper tftp_udp {
+ type "tftp" protocol udp;
+ }
+{% endif %}
+
+{% if modules.sqlnet is vyos_defined %}
+ ct helper tns_tcp {
+ type "tns" protocol tcp;
+ }
+{% endif %}
+
+ chain VYOS_CT_HELPER {
+{% for module, module_conf in module_map.items() %}
+{% if modules[module] is vyos_defined %}
+{% if 'nftables' in module_conf %}
+{% if module_conf.ipv4 is not vyos_defined or module_conf.ipv4 == ipv4 %}
+{% for rule in module_conf.nftables %}
+ {{ rule }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+{% endfor %}
+ return
+ }
+{% endmacro %}
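Review bot: The `pptp_tcp` object is gated inline with `modules.pptp is vyos_defined and ipv4`, but the rules that reference it in `VYOS_CT_HELPER` are gated by a different source, `module_conf.ipv4` from `module_map`; if the pptp entry in module_map does not carry `ipv4: true`, the `ip6` table is rendered with rules (presumably `ct helper set` statements) pointing at an object that was never defined in that table, and nft rejects the whole conntrack ruleset, leaving no helper assignments at all. Gate the object on the same field so a single flag controls both, e.g. `{% if modules.pptp is vyos_defined and (module_map.pptp.ipv4 is not vyos_defined or module_map.pptp.ipv4 == ipv4) %}`, or build the object list from `module_map` the way the chain already does. The macro also deserves a header comment such as `{# Helper objects plus the VYOS_CT_HELPER chain that attaches them; with automatic helper assignment disabled a helper is only ever attached to a flow by a rule rendered here, so an object without a matching rule is inert #}` so the security model is stated where the helpers are defined. Since helpers parse packet payloads and open dynamic expectations, it is worth confirming that the rules supplied in `module_conf.nftables` match on destination port rather than attaching the helper to all traffic.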
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 111459485..197155d96 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,3 +1,2 @@
# Autogenerated by conntrack.py
-options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
-
+options nf_conntrack hashsize={{ hash_size }}
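Review bot: Dropping `nf_conntrack_helper=1` is the right direction — automatic helper assignment attached payload-parsing helpers (ftp, sip, h323, ...) to any flow on a helper's port regardless of firewall policy, which is the behaviour upstream deprecated for security and, as far as I recall, removed entirely in Linux 6.0, so on a current kernel the parameter would at best be ignored. The reason is not obvious from a one-line options file and someone will be tempted to re-add the flag when a helper "stops working", so record it: `# nf_conntrack_helper (automatic helper assignment) is intentionally not set: helpers are attached only by the explicit rules rendered into VYOS_CT_HELPER, so no flow gets a helper without a matching rule.` With that in place a loaded helper module that has no rule is simply inactive rather than silently attached to traffic, which is the intended fail-safe.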
diff --git a/data/templates/mdns-repeater/avahi-daemon.j2 b/data/templates/mdns-repeater/avahi-daemon.conf.j2
index e0dfd897e..d562c048f 100644
--- a/data/templates/mdns-repeater/avahi-daemon.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.conf.j2
@@ -1,7 +1,7 @@
### Autogenerated by service_mdns-repeater.py ###
[server]
-use-ipv4=yes
-use-ipv6=yes
+use-ipv4={{ 'yes' if ip_version in ['ipv4', 'both'] else 'no' }}
+use-ipv6={{ 'yes' if ip_version in ['ipv6', 'both'] else 'no' }}
allow-interfaces={{ interface | join(', ') }}
{% if browse_domain is vyos_defined and browse_domain | length %}
browse-domains={{ browse_domain | join(', ') }}
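Review bot: The two `use-ipv*` lines silently turn both transports off when `ip_version` is anything other than `ipv4`, `ipv6` or `both`, including when the variable is undefined, since Jinja's default Undefined evaluates `in [...]` as false rather than raising. That is fail-closed, which is the safe default for a reflector, but a misspelt or missing value would then look like a running service that reflects nothing; unless the Python side already validates `ip_version` against those three values, add that check in its verify step, or make the intent explicit here with `use-ipv4={{ 'yes' if ip_version is vyos_defined and ip_version in ['ipv4', 'both'] else 'no' }}` and the same for IPv6. Restricting reflection to one address family is a useful reduction of what crosses the `allow-interfaces` boundary, so it is worth a one-line `# ip_version selects which families are reflected; anything else disables both` comment above the pair.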
@@ -17,6 +17,8 @@ disable-user-service-publishing=yes
publish-addresses=no
publish-hinfo=no
publish-workstation=no
+publish-aaaa-on-ipv4=no
+publish-a-on-ipv6=no
[reflector]
enable-reflector=yes