Diffstat (limited to 'data')
-rw-r--r--data/configd-include.json3
-rw-r--r--data/templates/dhcp-client/ipv4.tmpl7
-rw-r--r--data/templates/frr/bgp.frr.tmpl175
-rw-r--r--data/templates/frr/ldpd.frr.tmpl115
-rw-r--r--data/templates/https/nginx.default.tmpl2
-rw-r--r--data/templates/openvpn/client.conf.tmpl50
-rw-r--r--data/templates/openvpn/server.conf.tmpl363
-rw-r--r--data/templates/wifi/hostapd.conf.tmpl42
-rw-r--r--data/templates/wifi/wpa_supplicant.conf.tmpl70
-rw-r--r--data/templates/wwan/chat.tmpl4
-rw-r--r--data/templates/wwan/peer.tmpl6
11 files changed, 534 insertions, 303 deletions
diff --git a/data/configd-include.json b/data/configd-include.json
index 95aef65ad..da6fb915f 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -48,7 +48,6 @@
"system-options.py",
"system-syslog.py",
"system-timezone.py",
-"system-wifi-regdom.py",
"system_console.py",
"system_lcd.py",
"task_scheduler.py",
@@ -59,4 +58,4 @@
"vrf.py",
"vrrp.py",
"vyos_cert.py"
-] \ No newline at end of file
+]
diff --git a/data/templates/dhcp-client/ipv4.tmpl b/data/templates/dhcp-client/ipv4.tmpl
index 8a44a9761..71b429db6 100644
--- a/data/templates/dhcp-client/ipv4.tmpl
+++ b/data/templates/dhcp-client/ipv4.tmpl
@@ -12,8 +12,13 @@ interface "{{ ifname }}" {
{% if dhcp_options.vendor_class_id is defined and dhcp_options.vendor_class_id is not none %}
send vendor-class-identifier "{{ dhcp_options.vendor_class_id }}";
{% endif %}
- request subnet-mask, broadcast-address, routers, domain-name-servers,
+ # The request statement causes the client to request that any server responding to the
+ # client send the client its values for the specified options.
+ request subnet-mask, broadcast-address,{{ " routers," if dhcp_options.no_default_route is not defined }} domain-name-servers,
rfc3442-classless-static-routes, domain-name, interface-mtu;
+
+ # The require statement lists options that must be sent in order for an offer to be
+ # accepted. Offers that do not contain all the listed options will be ignored!
require subnet-mask;
}
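Review bot: Dropping `routers` from the request list when `no_default_route` is set does not by itself keep a DHCP-learned default route off the box, because `rfc3442-classless-static-routes` is still requested unconditionally on the following line and a server may carry a 0.0.0.0/0 entry in that option (RFC 3442 also tells clients to ignore the `routers` option whenever classless routes are present). If `no_default_route` is meant to be a guarantee, the option-121 handling needs the same gate or the exit hook has to discard the 0/0 entry; at minimum the intent and the gap should be recorded on the request line, e.g. `# no_default_route only suppresses option 3 (routers); a 0.0.0.0/0 classless static route (option 121) can still be installed`. The `interface` block this hunk belongs to starts outside the hunk.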
diff --git a/data/templates/frr/bgp.frr.tmpl b/data/templates/frr/bgp.frr.tmpl
index d011a1e85..d0857ac2c 100644
--- a/data/templates/frr/bgp.frr.tmpl
+++ b/data/templates/frr/bgp.frr.tmpl
@@ -14,10 +14,9 @@ router bgp {{ asn }}
{%- if type == "ipv4_unicast" %}
!
address-family ipv4 unicast
-{# need to check #}
{%- if 'aggregate_address' in bgp_afi[type] %}
{%- for ip in bgp_afi[type].aggregate_address %}
-{%- if ( ('as_set' and 'summary_only') in bgp_afi[type].aggregate_address[ip] ) %}
+{%- if ( ('as_set' in bgp_afi[type].aggregate_address[ip]) and ('summary_only' in bgp_afi[type].aggregate_address[ip] ) ) %}
aggregate-address {{ ip }} as-set summary-only
{%- elif 'as_set' in bgp_afi[type].aggregate_address[ip] %}
aggregate-address {{ ip }} as-set
@@ -28,23 +27,20 @@ router bgp {{ asn }}
{%- endif %}
{%- endfor %}
{%- endif %}
-{# END aggregate address#}
-{#- redistribute #}
-{# need to check. dont work.
- 'metric' and 'route_map' match also only 'route_map'
- 'table' parameter also include in protocol, its not what I want #}
+{#- END aggregate address ipv4 #}
+
+{#- redistribute afi ipv4 #}
{%- if 'redistribute' in bgp_afi[type] %}
-{%- if 'table' in bgp_afi[type].redistribute %}
- redistribute table {{bgp_afi[type].redistribute.table}}
-{%- endif %}
{%- for protocol in bgp_afi[type].redistribute %}
-{%- if ( ('metric' and 'route_map') in bgp_afi[type].redistribute[protocol] ) %}
+{%- if ( ('route_map' in bgp_afi[type].redistribute[protocol]) and ('metric' in bgp_afi[type].redistribute[protocol] ) ) %}
redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} route-map {{bgp_afi[type].redistribute[protocol].route_map}}
{%- elif 'metric' in bgp_afi[type].redistribute[protocol] %}
- redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}}
+ redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}}
{%- elif 'route_map' in bgp_afi[type].redistribute[protocol] %}
redistribute {{protocol}} route-map {{bgp_afi[type].redistribute[protocol].route_map}}
-{%- else %}
+{%- elif 'table' in bgp_afi[type].redistribute %}
+ redistribute table {{bgp_afi[type].redistribute.table}}
+{%- else %}
redistribute {{protocol}}
{%- endif %}
{%- endfor %}
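Review bot: The new `{%- elif 'table' in bgp_afi[type].redistribute %}` branch tests the whole redistribute dict instead of the current loop variable, so once `table` is configured every other protocol that has neither `metric` nor `route_map` (a bare `connected`, for instance) falls into that branch and renders `redistribute table N` in place of `redistribute <protocol>`; the final `redistribute {{protocol}}` line becomes unreachable for them, and the table line is emitted once per such protocol. Comparing the loop variable fixes it: `{%- elif protocol == 'table' %}`. The ipv6 hunk at `@@ -76,22 +72,20 @@` has the identical construct.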
@@ -65,7 +61,7 @@ router bgp {{ asn }}
address-family ipv6 unicast
{%- if 'aggregate_address' in bgp_afi[type] %}
{%- for ip in bgp_afi[type].aggregate_address %}
-{%- if ( ('as_set' and 'summary_only') in bgp_afi[type].aggregate_address[ip] ) %}
+{%- if ( ('as_set' in bgp_afi[type].aggregate_address[ip]) and ('summary_only' in bgp_afi[type].aggregate_address[ip] ) ) %}
aggregate-address {{ ip }} as-set summary-only
{%- elif 'as_set' in bgp_afi[type].aggregate_address[ip] %}
aggregate-address {{ ip }} as-set
@@ -76,22 +72,20 @@ router bgp {{ asn }}
{%- endif %}
{%- endfor %}
{%- endif %}
-{# END aggregate address#}
+{#- END aggregate address ipv6 #}
-{#- redistribute #}
-{# need to check. doesn't work. 'metric' and 'route_map' match also only 'route_map' #}
+{#- redistribute afi ipv6 #}
{%- if 'redistribute' in bgp_afi[type] %}
-{%- if 'table' in bgp_afi[type].redistribute %}
- redistribute table {{bgp_afi[type].redistribute.table}}
-{%- endif %}
{%- for protocol in bgp_afi[type].redistribute %}
-{%- if ( ('metric' and 'route_map') in bgp_afi[type].redistribute[protocol] ) %}
+{%- if ( ('route_map' in bgp_afi[type].redistribute[protocol]) and ('metric' in bgp_afi[type].redistribute[protocol] ) ) %}
redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} route-map {{bgp_afi[type].redistribute[protocol].route_map}}
{%- elif 'metric' in bgp_afi[type].redistribute[protocol] %}
- redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}}
+ redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}}
{%- elif 'route_map' in bgp_afi[type].redistribute[protocol] %}
redistribute {{protocol}} route-map {{bgp_afi[type].redistribute[protocol].route_map}}
-{%- else %}
+{%- elif 'table' in bgp_afi[type].redistribute %}
+ redistribute table {{bgp_afi[type].redistribute.table}}
+{%- else %}
redistribute {{protocol}}
{%- endif %}
{%- endfor %}
@@ -206,7 +200,7 @@ router bgp {{ asn }}
neighbor {{ pr_group }} update-source {{ conf_peer_group.update_source }}
{%- endif %}
-{# START peer-group afi; set protocols bgp xxx peer-group FOO address-family #}
+{#- START peer-group afi; set protocols bgp xxx peer-group FOO address-family #}
{%- if 'address_family' in conf_peer_group %}
{%- for afi in conf_peer_group.address_family %}
{%- if afi == "ipv4_unicast" %}
@@ -236,10 +230,19 @@ router bgp {{ asn }}
{%- endif %}
{#- END single params for peer-group #}
-{#- Checks need to be done as-path|med|next-hop #}
{%- if 'attribute_unchanged' in conf_peer_group.address_family.ipv4_unicast %}
-{%- if 'as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %}
+{%- if ( ('as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) and ('med' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged as-path med
+{%- elif ( ('as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged as-path next-hop
+{%- elif ( ('med' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged med next-hop
+{%- elif 'as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %}
neighbor {{ pr_group }} attribute-unchanged as-path
+{%- elif 'med' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %}
+ neighbor {{ pr_group }} attribute-unchanged med
+{%- elif 'next_hop' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %}
+ neighbor {{ pr_group }} attribute-unchanged next-hop
{%- else %}
neighbor {{ pr_group }} attribute-unchanged as-path next-hop med
{%- endif %}
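Review bot: When `as_path`, `med` and `next_hop` are all configured, the first branch (`as_path` and `med`) matches and renders `attribute-unchanged as-path med`, silently dropping next-hop; only the valueless-node `else` case yields all three. A leading branch for the full set is needed before the pairwise checks, `{%- if ('as_path' in X) and ('med' in X) and ('next_hop' in X) %}` rendering `neighbor {{ pr_group }} attribute-unchanged as-path next-hop med`, where X is `conf_peer_group.address_family.ipv4_unicast.attribute_unchanged`. The same chain is repeated for the peer-group ipv6, neighbor ipv4 and neighbor ipv6 cases in the hunks at `@@ -357,21 +361,39 @@`, `@@ -615,10 +640,19 @@` and `@@ -740,10 +775,19 @@`.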
@@ -247,11 +250,13 @@ router bgp {{ asn }}
{#- END attribute-unchanged #}
{%- if 'capability' in conf_peer_group.address_family.ipv4_unicast %}
-{%- if 'receive' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %}
+{%- if 'orf' in conf_peer_group.address_family.ipv4_unicast.capability %}
+{%- if 'receive' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %}
neighbor {{ pr_group }} capability orf prefix-list receive
-{%- endif %}
-{%- if 'send' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %}
+{%- endif %}
+{%- if 'send' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %}
neighbor {{ pr_group }} capability orf prefix-list send
+{%- endif %}
{%- endif %}
{%- endif %}
@@ -322,7 +327,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Need to check. https://phabricator.vyos.net/T2387#73900 #}
{%- if 'unsuppress_map' in conf_peer_group.address_family.ipv4_unicast %}
neighbor {{ pr_group }} unsuppress-map {{conf_peer_group.address_family.ipv4_unicast.unsuppress_map}}
{%- endif %}
@@ -357,21 +361,39 @@ router bgp {{ asn }}
{%- endif %}
{#- END single params for peer-group afi6 #}
-{#- Checks need to be done as-path|med|next-hop #}
{%- if 'attribute_unchanged' in conf_peer_group.address_family.ipv6_unicast %}
-{%- if 'as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %}
+{%- if ( ('as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) and ('med' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged as-path med
+{%- elif ( ('as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged as-path next-hop
+{%- elif ( ('med' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged med next-hop
+{%- elif 'as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %}
neighbor {{ pr_group }} attribute-unchanged as-path
+{%- elif 'med' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %}
+ neighbor {{ pr_group }} attribute-unchanged med
+{%- elif 'next_hop' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %}
+ neighbor {{ pr_group }} attribute-unchanged next-hop
{%- else %}
neighbor {{ pr_group }} attribute-unchanged as-path next-hop med
{%- endif %}
{%- endif %}
+{#- END attribute-unchanged ipv6 #}
{%- if 'capability' in conf_peer_group.address_family.ipv6_unicast %}
-{%- if 'receive' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %}
+{%- if 'dynamic' in conf_peer_group.address_family.ipv6_unicast.capability %}
+{#- exit from afi ipv6 unicast because 'dynamic' its a global parameter for peer-group in afi6. Other checks are ongoing in afi6. Also related T3037 #}
+ exit-address-family
+ neighbor {{ pr_group }} capability dynamic
+ address-family ipv6 unicast
+{%- endif %}
+{%- if 'orf' in conf_peer_group.address_family.ipv6_unicast.capability %}
+{%- if 'receive' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %}
neighbor {{ pr_group }} capability orf prefix-list receive
{%- endif %}
-{%- if 'send' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %}
+{%- if 'send' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %}
neighbor {{ pr_group }} capability orf prefix-list send
+{%- endif %}
{%- endif %}
{%- endif %}
@@ -442,7 +464,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Checks need to be done. https://phabricator.vyos.net/T2387#73900 #}
{%- if 'unsuppress_map' in conf_peer_group.address_family.ipv6_unicast %}
neighbor {{ pr_group }} unsuppress-map {{conf_peer_group.address_family.ipv6_unicast.unsuppress_map}}
{%- endif %}
@@ -453,7 +474,7 @@ router bgp {{ asn }}
{%- endfor %}
{%- endif %}
-{# END peer-group afi; set protocols bgp xxx peer-group FOO address-family #}
+{#- END peer-group afi; set protocols bgp xxx peer-group FOO address-family #}
{%- endfor %}
{%- endif %}
@@ -464,7 +485,7 @@ router bgp {{ asn }}
{#- set peer-group as conf_peer #}
{%- set conf_peer = conf_bgp[asn].neighbor[peer] %}
-{#- First parameter for peer-group - remote-as #}
+{#- First parameter for peer neighbor - remote-as #}
{%- if 'remote_as' in conf_peer %}
neighbor {{ peer }} remote-as {{ conf_peer.remote_as }}
{%- endif %}
@@ -491,10 +512,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{%- if 'description' in conf_peer %}
- neighbor {{ peer }} description {{ conf_peer.description }}
-{%- endif %}
-
{%- if 'disable_capability_negotiation' in conf_peer %}
neighbor {{ peer }} disable-capability-negotiation
{%- endif %}
@@ -564,17 +581,21 @@ router bgp {{ asn }}
neighbor {{ peer }} strict-capability-match
{%- endif %}
-{#- Need to check #}
+{#- set protocols bgp xxx neighbor x.x.x.x timers #}
{%- if 'timers' in conf_peer %}
-{%- if ( ('connect' and 'holdtime' and 'keepalive') in conf_peer.timers ) %}
+{%- if ( ('connect' in conf_peer.timers) and ('holdtime' in conf_peer.timers) and ('keepalive' in conf_peer.timers ) ) %}
neighbor {{ peer }} timers {{conf_peer.timers.keepalive}} {{conf_peer.timers.holdtime}}
- neighbor {{ peer }} timers connect {{conf_peer.timers.connect}}
+ neighbor {{ peer }} timers connect {{conf_peer.timers.connect}}
+{%- elif ( ('holdtime' in conf_peer.timers) and ('keepalive' in conf_peer.timers ) ) %}
+ neighbor {{ peer }} timers {{conf_peer.timers.keepalive}} {{conf_peer.timers.holdtime}}
+{%- elif 'connect' in conf_peer.timers %}
+ neighbor {{ peer }} timers connect {{conf_peer.timers.connect}}
{%- endif %}
{%- endif %}
{%- if 'ttl_security' in conf_peer %}
{%- if 'hops' in conf_peer.ttl_security %}
- neighbor {{ peer }} ttl-security hops {{conf_peer.ttl_security.hops}}
+ neighbor {{ peer }} ttl-security hops {{conf_peer.ttl_security.hops}}
{%- endif %}
{%- endif %}
@@ -582,6 +603,10 @@ router bgp {{ asn }}
neighbor {{ peer }} update-source {{ conf_peer.update_source }}
{%- endif %}
+{%- if 'description' in conf_peer %}
+ neighbor {{ peer }} description {{ conf_peer.description }}
+{%- endif %}
+
{#- START address family for peer; set protocols bgp xxx neighbor x.x.x.x address-family ipvX-unicast #}
{%- if 'address_family' in conf_peer %}
{%- for afi in conf_peer.address_family %}
@@ -615,10 +640,19 @@ router bgp {{ asn }}
{%- endif %}
{#- END single params for neighbor #}
-{#- Checks need to be done as-path|med|next-hop #}
{%- if 'attribute_unchanged' in conf_peer.address_family.ipv4_unicast %}
-{%- if 'as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %}
+{%- if ( ('as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) and ('med' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged as-path med
+{%- elif ( ('as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged as-path next-hop
+{%- elif ( ('med' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged med next-hop
+{%- elif 'as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %}
neighbor {{ peer }} attribute-unchanged as-path
+{%- elif 'med' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %}
+ neighbor {{ peer }} attribute-unchanged med
+{%- elif 'next_hop' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %}
+ neighbor {{ peer }} attribute-unchanged next-hop
{%- else %}
neighbor {{ peer }} attribute-unchanged as-path next-hop med
{%- endif %}
@@ -626,11 +660,13 @@ router bgp {{ asn }}
{#- END attribute-unchanged #}
{%- if 'capability' in conf_peer.address_family.ipv4_unicast %}
-{%- if 'receive' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %}
+{%- if 'orf' in conf_peer.address_family.ipv4_unicast.capability %}
+{%- if 'receive' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %}
neighbor {{ peer }} capability orf prefix-list receive
-{%- endif %}
-{%- if 'send' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %}
+{%- endif %}
+{%- if 'send' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %}
neighbor {{ peer }} capability orf prefix-list send
+{%- endif %}
{%- endif %}
{%- endif %}
@@ -701,7 +737,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Checks need to be done. https://phabricator.vyos.net/T2387#73900 #}
{%- if 'unsuppress_map' in conf_peer.address_family.ipv4_unicast %}
neighbor {{ peer }} unsuppress-map {{conf_peer.address_family.ipv4_unicast.unsuppress_map}}
{%- endif %}
@@ -740,10 +775,19 @@ router bgp {{ asn }}
{%- endif %}
{#- END single params for neighbor #}
-{#- Checks need to be done as-path|med|next-hop #}
{%- if 'attribute_unchanged' in conf_peer.address_family.ipv6_unicast %}
-{%- if 'as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %}
+{%- if ( ('as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) and ('med' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged as-path med
+{%- elif ( ('as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged as-path next-hop
+{%- elif ( ('med' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged med next-hop
+{%- elif 'as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %}
neighbor {{ peer }} attribute-unchanged as-path
+{%- elif 'med' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %}
+ neighbor {{ peer }} attribute-unchanged med
+{%- elif 'next_hop' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %}
+ neighbor {{ peer }} attribute-unchanged next-hop
{%- else %}
neighbor {{ peer }} attribute-unchanged as-path next-hop med
{%- endif %}
@@ -751,11 +795,13 @@ router bgp {{ asn }}
{#- END attribute-unchanged #}
{%- if 'capability' in conf_peer.address_family.ipv6_unicast %}
-{%- if 'receive' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %}
+{%- if 'orf' in conf_peer.address_family.ipv6_unicast.capability %}
+{%- if 'receive' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %}
neighbor {{ peer }} capability orf prefix-list receive
-{%- endif %}
-{%- if 'send' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %}
- neighbor {{ peer }} capability orf prefix-list send
+{%- endif %}
+{%- if 'send' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %}
+ neighbor {{ peer }} capability orf prefix-list send
+{%- endif %}
{%- endif %}
{%- endif %}
@@ -826,7 +872,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Checks need to be done. https://phabricator.vyos.net/T2387#73900 #}
{%- if 'unsuppress_map' in conf_peer.address_family.ipv6_unicast %}
neighbor {{ peer }} unsuppress-map {{conf_peer.address_family.ipv6_unicast.unsuppress_map}}
{%- endif %}
@@ -863,7 +908,7 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
{%- if 'med' in bgp_params.bestpath %}
-{%- if ( ('confed' and 'missing_as_worst') in bgp_params.bestpath.med ) %}
+{%- if ( ('confed' in bgp_params.bestpath.med) and ('missing_as_worst' in bgp_params.bestpath.med ) ) %}
bgp bestpath med confed missing-as-worst
{%- elif 'confed' in bgp_params.bestpath.med %}
bgp bestpath med confed
@@ -886,9 +931,9 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Doesn't work in current FRR configuration (bgp dampening 16 751 2001 61) #}
+{#- Doesn't work in current FRR configuration; vtysh (bgp dampening 16 751 2001 61) #}
{%- if 'dampening' in bgp_params %}
-{%- if ( ('half_life' and 'max_suppress_time' and 're_use' and 'start_suppress_time') in bgp_params.dampening ) %}
+{%- if ( ('half_life' in bgp_params.dampening) and ('max_suppress_time' in bgp_params.dampening) and ('re_use' in bgp_params.dampening) and ('start_suppress_time' in bgp_params.dampening ) ) %}
bgp dampening {{ bgp_params.dampening.half_life }} {{ bgp_params.dampening.re_use }} {{ bgp_params.dampening.start_suppress_time }} {{ bgp_params.dampening.max_suppress_time }}
{%- endif %}
{%- endif %}
@@ -909,7 +954,7 @@ router bgp {{ asn }}
{%- if 'distance' in bgp_params %}
{%- if 'global' in bgp_params.distance %}
-{%- if ( ('external' and 'internal' and 'local') in bgp_params.distance.global ) %}
+{%- if ( ('external' in bgp_params.distance.global) and ('internal' in bgp_params.distance.global) and ('local' in bgp_params.distance.global ) ) %}
!
address-family ipv4 unicast
distance bgp {{ bgp_params.distance.global.external }} {{ bgp_params.distance.global.internal }} {{ bgp_params.distance.global.local }}
@@ -950,10 +995,14 @@ router bgp {{ asn }}
no bgp fast-external-failover
{%- endif %}
+{%- if 'router_id' in bgp_params %}
+ bgp router-id {{ bgp_params.router_id }}
+{%- endif %}
+
{#- END parameters; set protocols bgp xxx parameters #}
{%- if 'timers' in conf_bgp[asn] %}
-{%- if ( ('holdtime' and 'keepalive') in conf_bgp[asn].timers ) %}
+{%- if ( ('holdtime' in conf_bgp[asn].timers) and ('keepalive' in conf_bgp[asn].timers ) ) %}
timers bgp {{conf_bgp[asn].timers.keepalive}} {{conf_bgp[asn].timers.holdtime}}
{%- endif %}
{%- endif %}
diff --git a/data/templates/frr/ldpd.frr.tmpl b/data/templates/frr/ldpd.frr.tmpl
index 5f080d75f..4b7e5c5ea 100644
--- a/data/templates/frr/ldpd.frr.tmpl
+++ b/data/templates/frr/ldpd.frr.tmpl
@@ -7,12 +7,45 @@ no router-id {{ old_router_id }}
{% if router_id -%}
router-id {{ router_id }}
{% endif -%}
+{% if old_ldp.cisco_interop_tlv -%}
+no dual-stack cisco-interop
+{% endif -%}
+{% if ldp.cisco_interop_tlv -%}
+dual-stack cisco-interop
+{% endif -%}
+{% if old_ldp.transport_prefer_ipv4 -%}
+no dual-stack transport-connection prefer ipv4
+{% endif -%}
+{% if ldp.transport_prefer_ipv4 -%}
+dual-stack transport-connection prefer ipv4
+{% endif -%}
{% for neighbor_id in old_ldp.neighbors -%}
no neighbor {{neighbor_id}} password {{old_ldp.neighbors[neighbor_id].password}}
+{% if 'ttl_security' is defined -%}
+{% if 'disable' in old_ldp.neighbors[neighbor_id].ttl_security %}
+no neighbor {{neighbor_id}} ttl-security disable
+{% else -%}
+no neighbor {{neighbor_id}} ttl-security hops {{old_ldp.neighbors[neighbor_id].ttl_security}}
+{% endif -%}
+{% endif -%}
+{% if 'session_holdtime' is defined -%}
+no neighbor {{neighbor_id}} session holdtime {{old_ldp.neighbors[neighbor_id].session_holdtime}}
+{% endif -%}
{% endfor -%}
{% for neighbor_id in ldp.neighbors -%}
neighbor {{neighbor_id}} password {{ldp.neighbors[neighbor_id].password}}
+{% if 'ttl_security' is defined -%}
+{% if 'disable' in ldp.neighbors[neighbor_id].ttl_security %}
+neighbor {{neighbor_id}} ttl-security disable
+{% else -%}
+neighbor {{neighbor_id}} ttl-security hops {{ldp.neighbors[neighbor_id].ttl_security}}
+{% endif -%}
+{% endif -%}
+{% if 'session_holdtime' is defined -%}
+neighbor {{neighbor_id}} session holdtime {{ldp.neighbors[neighbor_id].session_holdtime}}
+{% endif -%}
{% endfor -%}
+!
address-family ipv4
label local allocate host-routes
{% if old_ldp.export_ipv4_exp -%}
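Review bot: `{% if 'ttl_security' is defined -%}` and `{% if 'session_holdtime' is defined -%}` (in both the `old_ldp` and `ldp` neighbor loops) test whether a string literal is defined, which is always true, so the guards exclude nothing: a neighbor without ttl_security reaches the `else` branch and renders `neighbor X ttl-security hops ` with an empty value, and every neighbor renders `session holdtime ` with an empty value, lines ldpd will reject (or, if the environment uses a strict undefined, the template fails to render at all). The test has to be on the neighbor's attribute, e.g. `{% if ldp.neighbors[neighbor_id].ttl_security is defined -%}` and `{% if ldp.neighbors[neighbor_id].session_holdtime is defined -%}`, with the matching `old_ldp` forms in the first loop.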
@@ -27,24 +60,48 @@ no discovery transport-address {{ old_ldp.d_transp_ipv4 }}
{% if ldp.d_transp_ipv4 -%}
discovery transport-address {{ ldp.d_transp_ipv4 }}
{% endif -%}
-{% if old_ldp.hello_holdtime -%}
-no discovery hello holdtime {{ old_ldp.hello_holdtime }}
+{% if old_ldp.hello_ipv4_holdtime -%}
+no discovery hello holdtime {{ old_ldp.hello_ipv4_holdtime }}
{% endif -%}
-{% if ldp.hello_holdtime -%}
-discovery hello holdtime {{ ldp.hello_holdtime }}
+{% if ldp.hello_ipv4_holdtime -%}
+discovery hello holdtime {{ ldp.hello_ipv4_holdtime }}
{% endif -%}
-{% if old_ldp.hello_interval -%}
-no discovery hello interval {{ old_ldp.hello_interval }}
+{% if old_ldp.hello_ipv4_interval -%}
+no discovery hello interval {{ old_ldp.hello_ipv4_interval }}
{% endif -%}
-{% if ldp.hello_interval -%}
-discovery hello interval {{ ldp.hello_interval }}
+{% if ldp.hello_ipv4_interval -%}
+discovery hello interval {{ ldp.hello_ipv4_interval }}
{% endif -%}
{% if old_ldp.ses_ipv4_hold -%}
-no session holdtime {{ old_ldp.ses_ipv4_hold }}
+no session holdtime {{ old_ldp.ses_ipv4_hold }}
{% endif -%}
{% if ldp.ses_ipv4_hold -%}
session holdtime {{ ldp.ses_ipv4_hold }}
{% endif -%}
+{% if old_ldp.target_ipv4_enable -%}
+no discovery targeted-hello accept
+{% endif -%}
+{% if ldp.target_ipv4_enable -%}
+discovery targeted-hello accept
+{% endif -%}
+{% if old_ldp.target_ipv4_hello_int -%}
+no discovery targeted-hello interval {{ old_ldp.target_ipv4_hello_int }}
+{% endif -%}
+{% if ldp.target_ipv4_hello_int -%}
+discovery targeted-hello interval {{ ldp.target_ipv4_hello_int }}
+{% endif -%}
+{% if old_ldp.target_ipv4_hello_hold -%}
+no discovery targeted-hello holdtime {{ old_ldp.target_ipv4_hello_hold }}
+{% endif -%}
+{% if ldp.target_ipv4_hello_hold -%}
+discovery targeted-hello holdtime {{ ldp.target_ipv4_hello_hold }}
+{% endif -%}
+{% for address in old_ldp.target_ipv4_addresses -%}
+no neighbor {{address}} targeted
+{% endfor -%}
+{% for address in ldp.target_ipv4_addresses -%}
+neighbor {{address}} targeted
+{% endfor -%}
{% for interface in old_ldp.interfaces -%}
no interface {{interface}}
{% endfor -%}
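Review bot: `discovery targeted-hello accept` is rendered without a `from` restriction, so when `target_ipv4_enable` is set the daemon accepts targeted hellos, and thus session attempts, from any address that can reach it rather than only from the configured targeted neighbors; FRR's ldpd accepts `discovery targeted-hello accept from ACCESS-LIST-NAME` to scope this. If the configuration tree has no place for that filter yet, the exposure should at least be recorded on the line, e.g. `{# accept is unfiltered: any reachable peer may open a targeted session; expose a 'from' access-list #}`. The ipv6 hunk at `@@ -76,6 +133,42 @@` renders the same statement.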
@@ -65,7 +122,7 @@ no label local advertise explicit-null
label local advertise explicit-null
{% endif -%}
{% if old_ldp.ses_ipv6_hold -%}
-no session holdtime {{ old_ldp.ses_ipv6_hold }}
+no session holdtime {{ old_ldp.ses_ipv6_hold }}
{% endif -%}
{% if ldp.ses_ipv6_hold -%}
session holdtime {{ ldp.ses_ipv6_hold }}
@@ -76,6 +133,42 @@ no discovery transport-address {{ old_ldp.d_transp_ipv6 }}
{% if ldp.d_transp_ipv6 -%}
discovery transport-address {{ ldp.d_transp_ipv6 }}
{% endif -%}
+{% if old_ldp.hello_ipv6_holdtime -%}
+no discovery hello holdtime {{ old_ldp.hello_ipv6_holdtime }}
+{% endif -%}
+{% if ldp.hello_ipv6_holdtime -%}
+discovery hello holdtime {{ ldp.hello_ipv6_holdtime }}
+{% endif -%}
+{% if old_ldp.hello_ipv6_interval -%}
+no discovery hello interval {{ old_ldp.hello_ipv6_interval }}
+{% endif -%}
+{% if ldp.hello_ipv6_interval -%}
+discovery hello interval {{ ldp.hello_ipv6_interval }}
+{% endif -%}
+{% if old_ldp.target_ipv6_enable -%}
+no discovery targeted-hello accept
+{% endif -%}
+{% if ldp.target_ipv6_enable -%}
+discovery targeted-hello accept
+{% endif -%}
+{% if old_ldp.target_ipv6_hello_int -%}
+no discovery targeted-hello interval {{ old_ldp.target_ipv6_hello_int }}
+{% endif -%}
+{% if ldp.target_ipv6_hello_int -%}
+discovery targeted-hello interval {{ ldp.target_ipv6_hello_int }}
+{% endif -%}
+{% if old_ldp.target_ipv6_hello_hold -%}
+no discovery targeted-hello holdtime {{ old_ldp.target_ipv6_hello_hold }}
+{% endif -%}
+{% if ldp.target_ipv6_hello_hold -%}
+discovery targeted-hello holdtime {{ ldp.target_ipv6_hello_hold }}
+{% endif -%}
+{% for address in old_ldp.target_ipv6_addresses -%}
+no neighbor {{address}} targeted
+{% endfor -%}
+{% for address in ldp.target_ipv6_addresses -%}
+neighbor {{address}} targeted
+{% endfor -%}
{% for interface in old_ldp.interfaces -%}
no interface {{interface}}
{% endfor -%}
@@ -91,4 +184,4 @@ no address-family ipv6
{% else -%}
no mpls ldp
{% endif -%}
-!
+! \ No newline at end of file
diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl
index a20be45ae..855ebff4f 100644
--- a/data/templates/https/nginx.default.tmpl
+++ b/data/templates/https/nginx.default.tmpl
@@ -5,7 +5,7 @@ server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
- return 301 https://$server_name$request_uri;
+ return 301 https://$host$request_uri;
}
{% for server in server_block_list %}
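Review bot: `$host` in this catch-all block (`server_name _`) is taken from the client's Host header, so the `Location` of the 301 now echoes whatever host name the request carried; by itself the client is only redirected where it asked to go, but a cache or proxy in front that stores this response keyed on the path could hand a redirect to a client-chosen host to other users. If the configured virtual-host names are available in the template context, redirecting to the configured name is the safer form; otherwise the trade-off should be stated on the line, e.g. `# $host reflects the request Host header; acceptable only because this is the plain-HTTP catch-all and the response is not cached`.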
diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.tmpl
index 508d8da94..62387ef7c 100644
--- a/data/templates/openvpn/client.conf.tmpl
+++ b/data/templates/openvpn/client.conf.tmpl
@@ -1,35 +1,31 @@
### Autogenerated by interfaces-openvpn.py ###
-{% if ip -%}
-ifconfig-push {{ ip[0] }} {{ remote_netmask }}
-{% endif -%}
-
-{% for route in push_route -%}
-push "route {{ route }}"
-{% endfor -%}
-
-{% for net in subnet -%}
-iroute {{ net }}
-{% endfor -%}
-
+{% if ip %}
+ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
+{% endif %}
+{% if push_route is defined and push_route is not none %}
+{% for route in push_route %}
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
+{% endfor %}
+{% endif %}
+{% if subnet is defined and subnet is not none %}
+{% for network in subnet %}
+iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }}
+{% endfor %}
+{% endif %}
{# ipv6_remote is only set when IPv6 server is enabled #}
-{% if ipv6_remote -%}
+{% if ipv6_remote %}
# IPv6
-
-{%- if ipv6_ip %}
+{% if ipv6_ip %}
ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}
-{%- endif %}
-
-{%- for route6 in ipv6_push_route %}
+{% endif %}
+{% for route6 in ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
-{%- endfor %}
-
-{%- for net6 in ipv6_subnet %}
+{% endfor %}
+{% for net6 in ipv6_subnet %}
iroute {{ net6 }}
-{%- endfor %}
-
-{% endif -%}
-
-{% if disable -%}
+{% endfor %}
+{% endif %}
+{% if disable is defined %}
disable
-{% endif -%}
+{% endif %}
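Review bot: The IPv4 `push_route` and `subnet` loops gained `is defined and is not none` guards while the IPv6 `ipv6_push_route` and `ipv6_subnet` loops below them did not, and `ifconfig-push` now indexes `server_subnet[0]` with no guard at all although only `ip` is checked, so the file mixes two conventions for the same kind of optional value. Either drop the v4 guards (looping over an undefined name renders nothing in Jinja's default undefined mode) or apply them consistently to the v6 loops and to the ifconfig line, e.g. `{% if ip and server_subnet is defined and server_subnet is not none %}`.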
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index fea310236..a510c3a84 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -2,246 +2,238 @@
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
-
-{% if description -%}
-# {{ description }}
-
-{% endif -%}
+#
+# {{ description if description is defined and description is not none }}
+#
verb 3
-
-user {{ uid }}
-group {{ gid }}
-
-dev-type {{ type }}
-dev {{ intf }}
+user {{ daemon_user }}
+group {{ daemon_group }}
+dev-type {{ device_type }}
+dev {{ ifname }}
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip
-
-proto {{ protocol_real }}
-
-{%- if local_host %}
+{% if protocol == 'tcp-active' %}
+proto tcp6-client
+{% elif protocol == 'tcp-passive' %}
+proto tcp6-server
+{% else %}
+proto udp6
+{% endif %}
+{% if local_host is defined and local_host is not none %}
local {{ local_host }}
-{%- endif %}
-
-{%- if mode == 'server' and protocol == 'udp' and not local_host %}
+{% endif %}
+{% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %}
multihome
-{%- endif %}
-
-{%- if local_port %}
+{% endif %}
+{% if local_port is defined and local_port is not none %}
lport {{ local_port }}
-{%- endif %}
-
-{% if remote_port -%}
+{% endif %}
+{% if remote_port is defined and remote_port is not none %}
rport {{ remote_port }}
{% endif %}
-
-{%- if remote_host %}
-{%- for remote in remote_host -%}
+{% if remote_host is defined and remote_host is not none %}
+{% for remote in remote_host %}
remote {{ remote }}
-{% endfor -%}
-{% endif -%}
-
-{% if shared_secret_file %}
-secret {{ shared_secret_file }}
-{%- endif %}
-
-{%- if persistent_tunnel %}
+{% endfor %}
+{% endif %}
+{% if shared_secret_key_file is defined and shared_secret_key_file is not none %}
+secret {{ shared_secret_key_file }}
+{% endif %}
+{% if persistent_tunnel is defined %}
persist-tun
-{%- endif %}
-
-{%- if redirect_gateway %}
-push "redirect-gateway {{ redirect_gateway }}"
-{%- endif %}
-
-{%- if compress_lzo %}
+{% endif %}
+{% if replace_default_route is defined and replace_default_route.local is defined %}
+push "redirect-gateway local def1"
+{% elif replace_default_route is defined %}
+push "redirect-gateway def1"
+{% endif %}
+{% if use_lzo_compression is defined %}
compress lzo
-{%- endif %}
+{% endif %}
-{% if 'client' in mode -%}
+{% if 'client' in mode %}
#
# OpenVPN Client mode
#
client
nobind
-
-{% elif 'server' in mode -%}
+{% elif 'server' in mode %}
#
# OpenVPN Server mode
#
-
-{%- if server_topology %}
-topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topology }}{% endif %}
-{%- endif %}
-
-{%- if is_bridge_member %}
mode server
tls-server
-{%- else %}
-server {{ server_subnet[0] }} nopool
-{%- endif %}
-
-{%- if server_pool %}
-ifconfig-pool {{ server_pool_start }} {{ server_pool_stop }}{% if server_pool_netmask %} {{ server_pool_netmask }}{% endif %}
-{%- endif %}
-
-{%- if server_max_conn %}
-max-clients {{ server_max_conn }}
-{%- endif %}
-
-{%- if client %}
-client-config-dir /run/openvpn/ccd/{{ intf }}
-{%- endif %}
-
-{%- if server_reject_unconfigured %}
-ccd-exclusive
-{%- endif %}
-
-keepalive {{ ping_interval }} {{ ping_restart }}
+{% if server is defined and server is not none %}
+{% if server.subnet is defined and server.subnet is not none %}
+{% if server.topology is defined and server.topology == 'point-to-point' %}
+topology p2p
+{% elif server.topology is defined and server.topology is not none %}
+topology {{ server.topology }}
+{% endif %}
+{% for subnet in server.subnet if subnet | is_ipv4 %}
+server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
+{# OpenVPN assigns the first IP address to its local interface so the pool used #}
+{# in net30 topology - where each client receives a /30 must start from the second subnet #}
+{% if server.topology is defined and server.topology == 'net30' %}
+ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
+{% else %}
+{# OpenVPN assigns the first IP address to its local interface so the pool must #}
+{# start from the second address and end on the last address #}
+ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %}
+ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }}
+{% endif %}
+{% if server.max_connections is defined and server.max_connections is not none %}
+max-clients {{ server.max_connections }}
+{% endif %}
+{% if server.client is defined and server.client is not none %}
+client-config-dir /run/openvpn/ccd/{{ ifname }}
+{% endif %}
+{% endif %}
+keepalive {{ keep_alive.interval }} {{ keep_alive.failure_count }}
management /run/openvpn/openvpn-mgmt-intf unix
-
-{% for route in server_push_route -%}
+{% if server is defined and server is not none %}
+{% if server.reject_unconfigured_clients is defined %}
+ccd-exclusive
+{% endif %}
+{% if server.push_route is defined and server.push_route is not none %}
+{% for route in server.push_route %}
push "route {{ route }}"
-{% endfor -%}
-
-{% for ns in server_dns_nameserver -%}
-push "dhcp-option DNS {{ ns }}"
-{% endfor -%}
-
-{%- if server_domain -%}
-push "dhcp-option DOMAIN {{ server_domain }}"
-{% endif -%}
-
-{%- if server_ipv6_local %}
+{% endfor %}
+{% endif %}
+{% if server.name_server is defined and server.name_server is not none %}
+{% for nameserver in server.name_server %}
+push "dhcp-option DNS {{ nameserver }}"
+{% endfor %}
+{% endif %}
+{% if server.domain_name is defined and server.domain_name is not none %}
+push "dhcp-option DOMAIN {{ server.domain_name }}"
+{% endif %}
+{% endif %}
+
+{% if subnet_v6 is defined and subnet_v6 is not none %}
# IPv6
push "tun-ipv6"
ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }}
-
-{%- if server_ipv6_pool %}
+{% if server_ipv6_pool %}
ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }}
-{%- endif %}
-
-{%- for route6 in server_ipv6_push_route %}
+{% endif %}
+{% for route6 in server_ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
-{%- endfor %}
-
-{%- for ns6 in server_ipv6_dns_nameserver %}
+{% endfor %}
+{% for ns6 in server_ipv6_dns_nameserver %}
push "dhcp-option DNS6 {{ ns6 }}"
-{%- endfor %}
-
-{%- endif %}
-
-{% else -%}
+{% endfor %}
+{% endif %}
+{% else %}
#
# OpenVPN site-2-site mode
#
-ping {{ ping_interval }}
-ping-restart {{ ping_restart }}
-
-{% if local_address_subnet -%}
-ifconfig {{ local_address[0] }} {{ local_address_subnet }}
-{%- elif remote_address -%}
-ifconfig {{ local_address[0] }} {{ remote_address[0] }}
-{%- endif %}
-
-{% if ipv6_local_address -%}
-ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }}
-{%- endif %}
-
-{% endif -%}
+ping {{ keep_alive.interval }}
+ping-restart {{ keep_alive.failure_count }}
+
+{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
+{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %}
+ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
+{% else %}
+{% for raddr in remote_address %}
+{% if raddr | is_ipv4 %}
+ifconfig {{ laddr }} {{ raddr }}
+{% else %}
+ifconfig-ipv6 {{ laddr }} {{ raddr }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
-{% if tls -%}
+{% if tls is defined and tls is not none %}
# TLS options
-{%- if tls_ca_cert %}
-ca {{ tls_ca_cert }}
-{%- endif %}
-
-{%- if tls_cert %}
-cert {{ tls_cert }}
-{%- endif %}
-
-{%- if tls_key %}
-key {{ tls_key }}
-{%- endif %}
-
-{%- if tls_crypt %}
-tls-crypt {{ tls_crypt }}
-{%- endif %}
-
-{%- if tls_crl %}
-crl-verify {{ tls_crl }}
-{%- endif %}
-
-{%- if tls_version_min %}
-tls-version-min {{tls_version_min}}
-{%- endif %}
-
-{%- if tls_dh %}
-dh {{ tls_dh }}
-{%- endif %}
-
-{%- if tls_auth %}
-{%- if mode == 'client' %}
-tls-auth {{tls_auth}} 1
-{%- elif mode == 'server' %}
-tls-auth {{tls_auth}} 0
-{%- endif %}
-{%- endif %}
-
-{%- if tls_role %}
-{%- if 'active' in tls_role %}
+{% if tls.ca_cert_file is defined and tls.ca_cert_file is not none %}
+ca {{ tls.ca_cert_file }}
+{% endif %}
+{% if tls.cert_file is defined and tls.cert_file is not none %}
+cert {{ tls.cert_file }}
+{% endif %}
+{% if tls.key_file is defined and tls.key_file is not none %}
+key {{ tls.key_file }}
+{% endif %}
+{% if tls.crypt_file is defined and tls.crypt_file is not none %}
+tls-crypt {{ tls.crypt_file }}
+{% endif %}
+{% if tls.crl_file is defined and tls.crl_file is not none %}
+crl-verify {{ tls.crl_file }}
+{% endif %}
+{% if tls.tls_version_min is defined and tls.tls_version_min is not none %}
+tls-version-min {{ tls.tls_version_min }}
+{% endif %}
+{% if tls.dh_file is defined and tls.dh_file is not none %}
+dh {{ tls.dh_file }}
+{% endif %}
+{% if tls.auth_file is defined and tls.auth_file is not none %}
+{% if mode == 'client' %}
+tls-auth {{ tls.auth_file }} 1
+{% elif mode == 'server' %}
+tls-auth {{ tls.auth_file }} 0
+{% endif %}
+{% endif %}
+{% if tls.role is defined and tls.role is not none %}
+{% if tls.role == 'active' %}
tls-client
-{%- elif 'passive' in tls_role %}
+{% elif tls.role == 'passive' %}
tls-server
-{%- endif %}
-{%- endif %}
-
-{%- endif %}
+{% endif %}
+{% endif %}
+{% endif %}
# Encryption options
-{%- if encryption %}
-{% if encryption == 'none' -%}
+{% if encryption is defined and encryption is not none %}
+{% if encryption.cipher is defined and encryption.cipher is not none %}
+{% if encryption.cipher == 'none' %}
cipher none
-{%- elif encryption == 'des' -%}
+{% elif encryption.cipher == 'des' %}
cipher des-cbc
-{%- elif encryption == '3des' -%}
+{% elif encryption.cipher == '3des' %}
cipher des-ede3-cbc
-{%- elif encryption == 'bf128' -%}
+{% elif encryption.cipher == 'bf128' %}
cipher bf-cbc
keysize 128
-{%- elif encryption == 'bf256' -%}
+{% elif encryption.cipher == 'bf256' %}
cipher bf-cbc
keysize 25
-{%- elif encryption == 'aes128gcm' -%}
+{% elif encryption.cipher == 'aes128gcm' %}
cipher aes-128-gcm
-{%- elif encryption == 'aes128' -%}
+{% elif encryption.cipher == 'aes128' %}
cipher aes-128-cbc
-{%- elif encryption == 'aes192gcm' -%}
+{% elif encryption.cipher == 'aes192gcm' %}
cipher aes-192-gcm
-{%- elif encryption == 'aes192' -%}
+{% elif encryption.cipher == 'aes192' %}
cipher aes-192-cbc
-{%- elif encryption == 'aes256gcm' -%}
+{% elif encryption.cipher == 'aes256gcm' %}
cipher aes-256-gcm
-{%- elif encryption == 'aes256' -%}
+{% elif encryption.cipher == 'aes256' %}
cipher aes-256-cbc
-{%- endif -%}
-{%- endif %}
-
-{%- if ncp_ciphers %}
-ncp-ciphers {{ncp_ciphers}}
-{%- endif %}
-{%- if disable_ncp %}
+{% endif %}
+{% endif %}
+{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %}
+ncp-ciphers {{ encryption.ncp_ciphers | join(':') }}
+{% elif encryption.disable_ncp is defined %}
ncp-disable
-{%- endif %}
+{% endif %}
+{% endif %}
-{% if hash -%}
+{% if hash is defined and hash is not none %}
auth {{ hash }}
-{%- endif -%}
+{% endif %}
-{%- if auth %}
+{% if authentication is defined and authentication is not none %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
-{%- endif %}
+{% endif %}
# DEPRECATED This option will be removed in OpenVPN 2.5
# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this:
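Review bot: The `ifconfig-pool` line under `server.client_ip_pool` concatenates the stop address and the subnet mask with no separator, so a configured subnet_mask renders as something like `ifconfig-pool 10.0.0.2 10.0.0.100255.255.255.0` (constructed example) and OpenVPN will reject the config; `{{ server.client_ip_pool.stop }} {{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }}` fixes it. The IPv6 server block was re-keyed on `subnet_v6`, but its body still references the old flat names `server_ipv6_local`, `server_ipv6_prefixlen`, `server_ipv6_remote`, `server_ipv6_pool`, `server_ipv6_pool_base`, `server_ipv6_pool_prefixlen`, `server_ipv6_push_route` and `server_ipv6_dns_nameserver`, and `auth-user-pass` still uses `auth_user_pass_file` while its guard moved to `authentication`; if the rewritten config script no longer supplies those names, the `ifconfig-ipv6` line renders as `ifconfig-ipv6 / ` and the generated file is invalid. Separately, `keysize 25` in the `bf256` branch looks like a typo for `keysize 256`; it predates this commit, but this rewrite of the cipher block is the natural place to correct it.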
@@ -257,12 +249,11 @@ auth-retry nointeract
# See https://phabricator.vyos.net/T1512
compat-names
-{% if options -%}
+{% if openvpn_option is defined and openvpn_option is not none %}
#
# Custom options added by user (not validated)
#
-
-{% for option in options -%}
+{% for option in openvpn_option %}
{{ option }}
-{% endfor -%}
-{%- endif %}
+{% endfor %}
+{% endif %}
diff --git a/data/templates/wifi/hostapd.conf.tmpl b/data/templates/wifi/hostapd.conf.tmpl
index c5e4240d1..16d9f7c98 100644
--- a/data/templates/wifi/hostapd.conf.tmpl
+++ b/data/templates/wifi/hostapd.conf.tmpl
@@ -23,7 +23,10 @@ interface={{ ifname }}
# added to the bridge automatically (brctl may refuse to do this before hostapd
# has been started to change the interface mode). If needed, the bridge
# interface is also created.
-bridge={{ is_bridge_member }}
+{# as there can only be one bridge interface it is save to loop #}
+{% for bridge in is_bridge_member %}
+bridge={{ bridge }}
+{% endfor %}
{% endif %}
# Driver interface type (hostap/wired/none/nl80211/bsd);
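Review bot: The new Jinja comment says `it is save to loop`; it should read `{# as there can only be one bridge interface it is safe to loop #}`. The comment also states the single-bridge invariant as a fact; if that is enforced by the verify step rather than by hostapd itself, naming where it is enforced would save the next reader a search.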
@@ -69,18 +72,18 @@ ssid={{ ssid }}
channel={{ channel }}
{% endif %}
-{% if mode %}
+{% if mode is defined and mode is not none %}
# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz),
# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used
# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this
-# needs to be set to hw_mode=a. For IEEE 802.11ax (HE) on 6 GHz this needs
-# to be set to hw_mode=a. When using ACS (see channel parameter), a
+# needs to be set to hw_mode a. For IEEE 802.11ax (HE) on 6 GHz this needs
+# to be set to hw_mode a. When using ACS (see channel parameter), a
# special value "any" can be used to indicate that any support band can be used.
# This special case is currently supported only with drivers with which
# offloaded ACS is used.
-{% if 'n' in mode %}
+{% if mode == 'n' %}
hw_mode=g
-{% elif 'ac' in mode %}
+{% elif mode == 'ac' %}
hw_mode=a
ieee80211h=1
ieee80211ac=1
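Review bot: The upstream hostapd text quoted in this comment was changed from `hw_mode=a` to `hw_mode a`, which no longer matches the key=value form the template emits two lines later (`hw_mode=g`, `hw_mode=a`). If the `=` was dropped to keep some preprocessing step from reading the comment as a directive, a short note saying so would stop the next person from reverting it; otherwise `# needs to be set to hw_mode=a.` should be restored.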
@@ -529,10 +532,13 @@ wep_key{{ loop.index -1 }}={{ security.wep.key }}
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
+# Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
+# In other words, for WPA3, wpa 2 is used the configuration (and
+# wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
{% if security.wpa.mode is defined %}
-{% if security.wpa.mode == 'both' %}
+{% if security.wpa.mode == 'wpa+wpa2' %}
wpa=3
-{% elif security.wpa.mode == 'wpa2' %}
+{% elif security.wpa.mode == 'wpa2' or security.wpa.mode == 'wpa3' %}
wpa=2
{% elif security.wpa.mode == 'wpa' %}
wpa=1
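Review bot: The added comment reads `wpa 2 is used the configuration`; `# In other words, for WPA3, wpa=2 is used in the configuration (and` is what was meant. Mapping the new `wpa3` mode onto `wpa=2` is itself correct for hostapd, since SAE runs over RSN, so only the wording needs fixing.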
@@ -592,7 +598,15 @@ wpa_passphrase={{ security.wpa.passphrase }}
# added to enable SHA256-based stronger algorithms.
# WPA-PSK = WPA-Personal / WPA2-Personal
# WPA-PSK-SHA256 = WPA2-Personal using SHA256
-wpa_key_mgmt=WPA-PSK
+# WPA-EAP = WPA-Enterprise / WPA2-Enterprise
+# WPA-EAP-SHA256 = WPA2-Enterprise using SHA256
+# SAE = SAE (WPA3-Personal)
+# WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite
+{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %}
+wpa_key_mgmt=SAE
+{% else %}
+wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
+{% endif %}
{% elif security.wpa.radius is defined %}
##### IEEE 802.1X-2004 related configuration ##################################
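Review bot: The `wpa3` branch emits `wpa_key_mgmt=SAE`, but nothing in this hunk requires protected management frames, and WPA3-Personal mandates PMF; the wpa_supplicant template in this same commit documents the combination as `ieee80211w=2 and key_mgmt=SAE`. Unless `ieee80211w=2` is set elsewhere in this template for the wpa3 case (I cannot see the rest of the file), hostapd will either refuse the SAE configuration or bring up a BSS whose management frames are unprotected, which defeats the point of selecting WPA3. A guarded `ieee80211w=2` next to the `wpa_key_mgmt=SAE` line would close that gap.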
@@ -602,9 +616,17 @@ ieee8021x=1
# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
# added to enable SHA256-based stronger algorithms.
+# WPA-PSK = WPA-Personal / WPA2-Personal
+# WPA-PSK-SHA256 = WPA2-Personal using SHA256
# WPA-EAP = WPA-Enterprise / WPA2-Enterprise
# WPA-EAP-SHA256 = WPA2-Enterprise using SHA256
-wpa_key_mgmt=WPA-EAP
+# SAE = SAE (WPA3-Personal)
+# WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite
+{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %}
+wpa_key_mgmt=WPA-EAP-SUITE-B-192
+{% else %}
+wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
+{% endif %}
{% if security.wpa.radius.server is defined %}
# RADIUS client forced local IP address for the access point
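Review bot: `wpa_key_mgmt=WPA-EAP-SUITE-B-192` on its own does not produce a working WPA3-Enterprise 192-bit BSS: hostapd's Suite B 192 profile also needs `rsn_pairwise=GCMP-256`, `group_mgmt_cipher=BIP-GMAC-256` and `ieee80211w=2`, and the RADIUS/EAP backend must present a Suite B capable certificate and cipher profile, so a RADIUS server that worked for WPA2-Enterprise will stop authenticating clients the moment an operator selects wpa3. If those lines are emitted elsewhere in the template this only concerns documentation, but either way it is worth stating that `wpa3` here means the 192-bit CNSA profile rather than the far more common WPA3-Enterprise (WPA-EAP with PMF required); a comment above the `if`, e.g. `# 'wpa3' with RADIUS selects the WPA3-Enterprise 192-bit (Suite B) profile, which also requires GCMP-256, BIP-GMAC-256, PMF and a Suite B capable EAP server`, would make that explicit.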
diff --git a/data/templates/wifi/wpa_supplicant.conf.tmpl b/data/templates/wifi/wpa_supplicant.conf.tmpl
index f84892dc0..20b4f7976 100644
--- a/data/templates/wifi/wpa_supplicant.conf.tmpl
+++ b/data/templates/wifi/wpa_supplicant.conf.tmpl
@@ -4,10 +4,78 @@
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
network={
+ # ssid: SSID (mandatory); network name in one of the optional formats:
+ # - an ASCII string with double quotation
+ # - a hex string (two characters per octet of SSID)
+ # - a printf-escaped ASCII string P"<escaped string>"
+ #
ssid="{{ ssid }}"
+
+ # scan_ssid:
+ # 0 = do not scan this SSID with specific Probe Request frames (default)
+ # 1 = scan with SSID-specific Probe Request frames (this can be used to
+ # find APs that do not accept broadcast SSID or use multiple SSIDs;
+ # this will add latency to scanning, so enable this only when needed)
scan_ssid=1
+
{% if security is defined and security.wpa is defined and security.wpa.passphrase is defined %}
- key_mgmt=WPA-PSK
+ # ieee80211w: whether management frame protection is enabled
+ # 0 = disabled (default unless changed with the global pmf parameter)
+ # 1 = optional
+ # 2 = required
+ # The most common configuration options for this based on the PMF (protected
+ # management frames) certification program are:
+ # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
+ # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
+ # (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
+ # WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE
+ ieee80211w=1
+
+ # key_mgmt: list of accepted authenticated key management protocols
+ # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
+ # WPA-EAP = WPA using EAP authentication
+ # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
+ # generated WEP keys
+ # NONE = WPA is not used; plaintext or static WEP could be used
+ # WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
+ # instead)
+ # FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
+ # FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
+ # FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication
+ # and using SHA384
+ # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
+ # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
+ # SAE = Simultaneous authentication of equals; pre-shared key/password -based
+ # authentication with stronger security than WPA-PSK especially when using
+ # not that strong password; a.k.a. WPA3-Personal
+ # FT-SAE = SAE with FT
+ # WPA-EAP-SUITE-B = Suite B 128-bit level
+ # WPA-EAP-SUITE-B-192 = Suite B 192-bit level
+ # OSEN = Hotspot 2.0 Rel 2 online signup connection
+ # FILS-SHA256 = Fast Initial Link Setup with SHA256
+ # FILS-SHA384 = Fast Initial Link Setup with SHA384
+ # FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256
+ # FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384
+ # OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open)
+ # DPP = Device Provisioning Protocol
+ # If not set, this defaults to: WPA-PSK WPA-EAP
+{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %}
+ key_mgmt=SAE
+{% else %}
+ key_mgmt=WPA-PSK WPA-PSK-SHA256
+{% endif %}
+
+ # psk: WPA preshared key; 256-bit pre-shared key
+ # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
+ # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
+ # generated using the passphrase and SSID). ASCII passphrase must be between
+ # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
+ # be used to indicate that the PSK/passphrase is stored in external storage.
+ # This field is not needed, if WPA-EAP is used.
+ # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
+ # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
+ # startup and reconfiguration time can be optimized by generating the PSK only
+ # only when the passphrase or SSID has actually changed.
psk="{{ security.wpa.passphrase }}"
{% else %}
key_mgmt=NONE
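Review bot: `ieee80211w=1` is emitted unconditionally, yet the new `wpa3` branch a few lines below selects `key_mgmt=SAE`, and the comment added directly above it says the WPA3-Personal-only combination is `ieee80211w=2 and key_mgmt=SAE`; PMF should be required rather than optional when SAE is chosen, otherwise the station will accept an association without management-frame protection. A one-line form that keeps the existing structure is `ieee80211w={{ '2' if security.wpa.mode is defined and security.wpa.mode == 'wpa3' else '1' }}`.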
diff --git a/data/templates/wwan/chat.tmpl b/data/templates/wwan/chat.tmpl
index a3395c057..386af37e6 100644
--- a/data/templates/wwan/chat.tmpl
+++ b/data/templates/wwan/chat.tmpl
@@ -1,6 +1,10 @@
ABORT 'NO DIAL TONE' ABORT 'NO ANSWER' ABORT 'NO CARRIER' ABORT DELAYED
'' AT
OK ATZ
+{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined %}
+OK 'AT+CGDCONT=1,"IPV4V6","{{ apn }}"'
+{% else %}
OK 'AT+CGDCONT=1,"IP","{{ apn }}"'
+{% endif %}
OK ATD*99#
CONNECT ''
diff --git a/data/templates/wwan/peer.tmpl b/data/templates/wwan/peer.tmpl
index e23881bf8..2807a79a4 100644
--- a/data/templates/wwan/peer.tmpl
+++ b/data/templates/wwan/peer.tmpl
@@ -4,15 +4,19 @@
ifname {{ ifname }}
ipparam {{ ifname }}
linkname {{ ifname }}
+
{{ "usepeerdns" if no_peer_dns is defined }}
# physical device
{{ device }}
lcp-echo-failure 0
115200
debug
-debug
mtu {{ mtu }}
mru {{ mtu }}
+{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined %}
++ipv6
+ipv6cp-use-ipaddr
+{% endif %}
nodefaultroute
ipcp-max-failure 4
ipcp-accept-local
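Review bot: `{{ "usepeerdns" if no_peer_dns is defined }}`, now set off by the added blank line, reads inverted: it emits `usepeerdns` exactly when the option named no_peer_dns is present, so the peer's DNS servers would be used only when the operator asked not to. The line predates this hunk, but the same conditional form is used for the new `+ipv6` block, so this is the place to fix it if the name means what it says: `{{ "usepeerdns" if no_peer_dns is not defined }}`. The new `ipv6cp-use-ipaddr` line deserves a short comment explaining why the IPv6CP identifier is derived from the IPv4 address, e.g. `# derive the IPv6 link-local interface identifier from the negotiated IPv4 address`, since that choice is not obvious from the option name.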