diff options
Diffstat (limited to 'data')
| -rw-r--r-- | data/op-mode-standardized.json | 1 | ||||
| -rw-r--r-- | data/templates/firewall/nftables-nat66.j2 | 16 | ||||
| -rw-r--r-- | data/templates/firewall/upnpd.conf.j2 | 15 | ||||
| -rw-r--r-- | data/templates/frr/bgpd.frr.j2 | 5 | ||||
| -rw-r--r-- | data/templates/ipsec/swanctl/profile.j2 | 4 | ||||
| -rw-r--r-- | data/templates/macsec/wpa_supplicant.conf.j2 | 12 | ||||
| -rw-r--r-- | data/templates/monitoring/override.conf.j2 | 7 | ||||
| -rw-r--r-- | data/templates/monitoring/systemd_vyos_telegraf_service.j2 | 16 | ||||
| -rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 34 | ||||
| -rw-r--r-- | data/templates/telegraf/override.conf.j2 | 15 | ||||
| -rw-r--r-- | data/templates/telegraf/syslog_telegraf.j2 (renamed from data/templates/monitoring/syslog_telegraf.j2) | 0 | ||||
| -rw-r--r-- | data/templates/telegraf/telegraf.j2 (renamed from data/templates/monitoring/telegraf.j2) | 0 |
12 files changed, 68 insertions, 57 deletions
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json index 90ef804f3..db13eeb5a 100644 --- a/data/op-mode-standardized.json +++ b/data/op-mode-standardized.json @@ -6,6 +6,7 @@ "memory.py", "nat.py", "neighbor.py", +"openconnect.py", "route.py", "ipsec.py", "version.py", diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2 index 003b138b2..2fe04b4ff 100644 --- a/data/templates/firewall/nftables-nat66.j2 +++ b/data/templates/firewall/nftables-nat66.j2 @@ -3,8 +3,10 @@ {% macro nptv6_rule(rule,config, chain) %} {% set comment = '' %} {% set base_log = '' %} -{% set src_prefix = 'ip6 saddr ' ~ config.source.prefix if config.source.prefix is vyos_defined %} -{% set dest_address = 'ip6 daddr ' ~ config.destination.address if config.destination.address is vyos_defined %} +{% set dst_prefix = 'ip6 daddr ' ~ config.destination.prefix.replace('!','!= ') if config.destination.prefix is vyos_defined %} +{% set src_prefix = 'ip6 saddr ' ~ config.source.prefix.replace('!','!= ') if config.source.prefix is vyos_defined %} +{% set source_address = 'ip6 saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %} +{% set dest_address = 'ip6 daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %} {% if chain is vyos_defined('PREROUTING') %} {% set comment = 'DST-NAT66-' ~ rule %} {% set base_log = '[NAT66-DST-' ~ rule %} @@ -52,9 +54,19 @@ {% if src_prefix is vyos_defined %} {% set output = output ~ ' ' ~ src_prefix %} {% endif %} +{% if dst_prefix is vyos_defined %} +{% set output = output ~ ' ' ~ dst_prefix %} +{% endif %} +{% if source_address is vyos_defined %} +{% set output = output ~ ' ' ~ source_address %} +{% endif %} {% if dest_address is vyos_defined %} {% set output = output ~ ' ' ~ dest_address %} {% endif %} +{% if config.exclude is vyos_defined %} +{# rule has been marked as 'exclude' thus we simply return here #} +{% set trns_address = 'return' %} +{% endif %} {% if trns_address is vyos_defined %} {% set output = output ~ ' ' ~ trns_address %} {% endif %} diff --git a/data/templates/firewall/upnpd.conf.j2 b/data/templates/firewall/upnpd.conf.j2 index 27573cbf9..e964fc696 100644 --- a/data/templates/firewall/upnpd.conf.j2 +++ b/data/templates/firewall/upnpd.conf.j2 @@ -71,7 +71,7 @@ min_lifetime={{ pcp_lifetime.min }} {% if friendly_name is vyos_defined %} # Name of this service, default is "`uname -s` router" -friendly_name= {{ friendly_name }} +friendly_name={{ friendly_name }} {% endif %} # Manufacturer name, default is "`uname -s`" @@ -117,7 +117,10 @@ clean_ruleset_threshold=10 clean_ruleset_interval=600 # Anchor name in pf (default is miniupnpd) -anchor=VyOS +# Something wrong with this option "anchor", comment it out +# vyos@r14# miniupnpd -vv -f /run/upnp/miniupnp.conf +# invalid option in file /run/upnp/miniupnp.conf line 74 : anchor=VyOS +#anchor=VyOS uuid={{ uuid }} @@ -129,7 +132,7 @@ lease_file=/config/upnp.leases #serial=12345678 #model_number=1 -{% if rules is vyos_defined %} +{% if rule is vyos_defined %} # UPnP permission rules # (allow|deny) (external port range) IP/mask (internal port range) # A port range is <min port>-<max port> or <port> if there is only @@ -142,9 +145,9 @@ lease_file=/config/upnp.leases # modify the IP ranges to match their own internal networks, and # also consider implementing network-specific restrictions # CAUTION: failure to enforce any rules may permit insecure requests to be made! -{% for rule, config in rules.items() %} -{% if config.disable is vyos_defined %} -{{ config.action }} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }} +{% for rule, config in rule.items() %} +{% if config.disable is not vyos_defined %} +{{ config.action }} {{ config.external_port_range }} {{ config.ip }}{{ '/32' if '/' not in config.ip else '' }} {{ config.internal_port_range }} {% endif %} {% endfor %} {% endif %} diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index 7029f39af..808e9dbe7 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -38,6 +38,9 @@ {% if config.disable_capability_negotiation is vyos_defined %} neighbor {{ neighbor }} dont-capability-negotiate {% endif %} +{% if config.disable_connected_check is vyos_defined %} + neighbor {{ neighbor }} disable-connected-check +{% endif %} {% if config.ebgp_multihop is vyos_defined %} neighbor {{ neighbor }} ebgp-multihop {{ config.ebgp_multihop }} {% endif %} @@ -231,7 +234,7 @@ {% endif %} {% endmacro %} ! -router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} +router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if parameters.ebgp_requires_policy is vyos_defined %} bgp ebgp-requires-policy {% else %} diff --git a/data/templates/ipsec/swanctl/profile.j2 b/data/templates/ipsec/swanctl/profile.j2 index d4f417378..8519a84f8 100644 --- a/data/templates/ipsec/swanctl/profile.j2 +++ b/data/templates/ipsec/swanctl/profile.j2 @@ -9,6 +9,10 @@ version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} rekey_time = {{ ike.lifetime }}s keyingtries = 0 +{% if ike.dead_peer_detection is vyos_defined %} + dpd_timeout = {{ ike.dead_peer_detection.timeout }} + dpd_delay = {{ ike.dead_peer_detection.interval }} +{% endif %} {% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} local { auth = psk diff --git a/data/templates/macsec/wpa_supplicant.conf.j2 b/data/templates/macsec/wpa_supplicant.conf.j2 index d2529c50d..1f7ba16f4 100644 --- a/data/templates/macsec/wpa_supplicant.conf.j2 +++ b/data/templates/macsec/wpa_supplicant.conf.j2 @@ -47,6 +47,12 @@ network={ # 1: Integrity only macsec_integ_only={{ '0' if security.encrypt is vyos_defined else '1' }} + # macsec_csindex: IEEE 802.1X/MACsec cipher suite + # 0 = GCM-AES-128 + # 1 = GCM-AES-256 +{# security.cipher is a mandatory key #} + macsec_csindex={{ '1' if security.cipher is vyos_defined('gcm-aes-256') else '0' }} + {% if security.encrypt is vyos_defined %} # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. @@ -62,12 +68,6 @@ network={ # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being # default priority mka_priority={{ security.mka.priority }} - - # macsec_csindex: IEEE 802.1X/MACsec cipher suite - # 0 = GCM-AES-128 - # 1 = GCM-AES-256 -{# security.cipher is a mandatory key #} - macsec_csindex={{ '1' if security.cipher is vyos_defined('gcm-aes-256') else '0' }} {% endif %} {% if security.replay_window is vyos_defined %} diff --git a/data/templates/monitoring/override.conf.j2 b/data/templates/monitoring/override.conf.j2 deleted file mode 100644 index 9f1b4ebec..000000000 --- a/data/templates/monitoring/override.conf.j2 +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -After=vyos-router.service -ConditionPathExists=/run/telegraf/vyos-telegraf.conf -[Service] -Environment=INFLUX_TOKEN={{ influxdb.authentication.token }} -CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN -AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN diff --git a/data/templates/monitoring/systemd_vyos_telegraf_service.j2 b/data/templates/monitoring/systemd_vyos_telegraf_service.j2 deleted file mode 100644 index 234ef5586..000000000 --- a/data/templates/monitoring/systemd_vyos_telegraf_service.j2 +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=The plugin-driven server agent for reporting metrics into InfluxDB -Documentation=https://github.com/influxdata/telegraf -After=network.target - -[Service] -EnvironmentFile=-/etc/default/telegraf -User=telegraf -ExecStart=/usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS -ExecReload=/bin/kill -HUP $MAINPID -Restart=on-failure -RestartForceExitStatus=SIGPIPE -KillMode=control-group - -[Install] -WantedBy=multi-user.target diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 8418a2185..e0cad5181 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -56,36 +56,32 @@ ban-reset-time = 300 # The name to use for the tun device device = sslvpn -# An alternative way of specifying the network: -{% if network_settings %} # DNS settings -{% if network_settings.name_server is string %} -dns = {{ network_settings.name_server }} -{% else %} -{% for dns in network_settings.name_server %} +{% if network_settings.name_server is vyos_defined %} +{% for dns in network_settings.name_server %} dns = {{ dns }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} + # IPv4 network pool -{% if network_settings.client_ip_settings %} -{% if network_settings.client_ip_settings.subnet %} +{% if network_settings.client_ip_settings.subnet is vyos_defined %} ipv4-network = {{ network_settings.client_ip_settings.subnet }} -{% endif %} -{% endif %} +{% endif %} + # IPv6 network pool -{% if network_settings.client_ipv6_pool %} -{% if network_settings.client_ipv6_pool.prefix %} +{% if network_settings.client_ipv6_pool.prefix is vyos_defined %} ipv6-network = {{ network_settings.client_ipv6_pool.prefix }} ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }} -{% endif %} -{% endif %} {% endif %} -{% if network_settings.push_route is string %} -route = {{ network_settings.push_route }} -{% else %} +{% if network_settings.push_route is vyos_defined %} {% for route in network_settings.push_route %} route = {{ route }} {% endfor %} {% endif %} +{% if network_settings.split_dns is vyos_defined %} +{% for tmp in network_settings.split_dns %} +split-dns = {{ tmp }} +{% endfor %} +{% endif %} diff --git a/data/templates/telegraf/override.conf.j2 b/data/templates/telegraf/override.conf.j2 new file mode 100644 index 000000000..d30bb19de --- /dev/null +++ b/data/templates/telegraf/override.conf.j2 @@ -0,0 +1,15 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +After= +After=vyos-router.service +ConditionPathExists=/run/telegraf/telegraf.conf + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/bin/telegraf --config /run/telegraf/telegraf.conf --config-directory /etc/telegraf/telegraf.d --pidfile /run/telegraf/telegraf.pid +PIDFile=/run/telegraf/telegraf.pid +EnvironmentFile= +Environment=INFLUX_TOKEN={{ influxdb.authentication.token }} +CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_BPF CAP_DAC_OVERRIDE +AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN + diff --git a/data/templates/monitoring/syslog_telegraf.j2 b/data/templates/telegraf/syslog_telegraf.j2 index cdcbd92a4..cdcbd92a4 100644 --- a/data/templates/monitoring/syslog_telegraf.j2 +++ b/data/templates/telegraf/syslog_telegraf.j2 diff --git a/data/templates/monitoring/telegraf.j2 b/data/templates/telegraf/telegraf.j2 index 6b395692b..6b395692b 100644 --- a/data/templates/monitoring/telegraf.j2 +++ b/data/templates/telegraf/telegraf.j2 |