summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/templates/accel-ppp/pppoe.config.tmpl2
-rw-r--r--data/templates/conserver/conserver.conf.tmpl37
-rw-r--r--data/templates/firewall/nftables-nat.tmpl27
-rw-r--r--data/templates/ntp/override.conf.tmpl8
-rw-r--r--data/templates/router-advert/radvd.conf.tmpl2
-rw-r--r--data/templates/snmp/override.conf.tmpl9
-rw-r--r--data/templates/system-login/pam_radius_auth.conf.tmpl15
-rw-r--r--data/templates/wwan/ip-down.script.tmpl23
-rw-r--r--data/templates/wwan/ip-up.script.tmpl22
9 files changed, 109 insertions, 36 deletions
diff --git a/data/templates/accel-ppp/pppoe.config.tmpl b/data/templates/accel-ppp/pppoe.config.tmpl
index 6c4ff89b1..370ca7946 100644
--- a/data/templates/accel-ppp/pppoe.config.tmpl
+++ b/data/templates/accel-ppp/pppoe.config.tmpl
@@ -129,6 +129,8 @@ verbose=1
check-ip=1
{% if ppp_ccp %}
ccp=1
+{% else %}
+ccp=0
{% endif %}
{% if ppp_min_mtu %}
min-mtu={{ ppp_min_mtu }}
diff --git a/data/templates/conserver/conserver.conf.tmpl b/data/templates/conserver/conserver.conf.tmpl
new file mode 100644
index 000000000..4e7b5d8d7
--- /dev/null
+++ b/data/templates/conserver/conserver.conf.tmpl
@@ -0,0 +1,37 @@
+### Autogenerated by service_console-server.py ###
+
+# See https://www.conserver.com/docs/conserver.cf.man.html for additional options
+
+config * {
+ primaryport 3109;
+ daemonmode false;
+}
+
+default * {
+ motd "VyOS Console Server";
+ rw *;
+}
+
+##
+## list of consoles we serve
+##
+{% for key, value in device.items() %}
+{# Depending on our USB serial console we could require a path adjustment #}
+{% set path = '/dev' if key.startswith('ttyS') else '/dev/serial/by-bus' %}
+console {{ key }} {
+ master localhost;
+ type device;
+ device {{ path }}/{{ key }};
+ baud {{ value.speed }};
+ parity {{ value.parity }};
+ options {{ "!" if value.stop_bits == "1" }}cstopb;
+}
+{% endfor %}
+
+##
+## list of clients we allow
+##
+access * {
+ trusted localhost;
+ allowed localhost;
+}
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 0a3dfa369..8108d5e0f 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -29,9 +29,22 @@ add rule ip raw NAT_CONNTRACK counter accept
{% macro nat_rule(rule, chain) %}
{% set src_addr = "ip saddr " + rule.source_address if rule.source_address %}
-{% set src_port = "sport " + rule.source_port if rule.source_port %}
{% set dst_addr = "ip daddr " + rule.dest_address if rule.dest_address %}
-{% set dst_port = "dport " + rule.dest_port if rule.dest_port %}
+
+{# negated port groups need special treatment, move != in front of { } group #}
+{% if rule.source_port.startswith('!=') %}
+{% set src_port = "sport != { " + rule.source_port.replace('!=','') +" }" if rule.source_port %}
+{% else %}
+{% set src_port = "sport { " + rule.source_port +" }" if rule.source_port %}
+{% endif %}
+
+{# negated port groups need special treatment, move != in front of { } group #}
+{% if rule.dest_port.startswith('!=') %}
+{% set dst_port = "dport != { " + rule.dest_port.replace('!=','') +" }" if rule.dest_port %}
+{% else %}
+{% set dst_port = "dport { " + rule.dest_port +" }" if rule.dest_port %}
+{% endif %}
+
{% set comment = "DST-NAT-" + rule.number %}
{% if chain == "PREROUTING" %}
@@ -39,9 +52,13 @@ add rule ip raw NAT_CONNTRACK counter accept
{% set trns_addr = "dnat to " + rule.translation_address %}
{% elif chain == "POSTROUTING" %}
{% set interface = " oifname \"" + rule.interface_out + "\"" %}
-{% set trns_addr = rule.translation_address %}
-{% if rule.translation_address != 'masquerade' %}
-{% set trns_addr = "snat to " + trns_addr %}
+{% if rule.translation_address == 'masquerade' %}
+{% set trns_addr = rule.translation_address %}
+{% if rule.translation_port %}
+{% set trns_addr = trns_addr + " to " %}
+{% endif %}
+{% else %}
+{% set trns_addr = "snat to " + rule.translation_address %}
{% endif %}
{% endif %}
{% set trns_port = ":" + rule.translation_port if rule.translation_port %}
diff --git a/data/templates/ntp/override.conf.tmpl b/data/templates/ntp/override.conf.tmpl
new file mode 100644
index 000000000..69a73b128
--- /dev/null
+++ b/data/templates/ntp/override.conf.tmpl
@@ -0,0 +1,8 @@
+[Service]
+ExecStart=
+{% if vrf %}
+ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/lib/ntp/ntp-systemd-wrapper
+{% else %}
+ExecStart=/usr/lib/ntp/ntp-systemd-wrapper
+{% endif %}
+
diff --git a/data/templates/router-advert/radvd.conf.tmpl b/data/templates/router-advert/radvd.conf.tmpl
index 2768f6f2e..073623eac 100644
--- a/data/templates/router-advert/radvd.conf.tmpl
+++ b/data/templates/router-advert/radvd.conf.tmpl
@@ -1,4 +1,4 @@
-### Autogenerated by service-router-advert.py ###
+### Autogenerated by service_router-advert.py ###
{% for i in interfaces -%}
interface {{ i.name }} {
diff --git a/data/templates/snmp/override.conf.tmpl b/data/templates/snmp/override.conf.tmpl
new file mode 100644
index 000000000..1eb8f20a9
--- /dev/null
+++ b/data/templates/snmp/override.conf.tmpl
@@ -0,0 +1,9 @@
+[Service]
+Environment=
+Environment="MIBSDIR=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/mibs/site:/usr/share/snmp/mibs:/usr/share/mibs/iana:/usr/share/mibs/ietf:/usr/share/mibs/netsnmp"
+ExecStart=
+{% if vrf %}
+ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid
+{% else %}
+ExecStart=/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid
+{% endif %}
diff --git a/data/templates/system-login/pam_radius_auth.conf.tmpl b/data/templates/system-login/pam_radius_auth.conf.tmpl
index ad196fa3d..ec2d6df95 100644
--- a/data/templates/system-login/pam_radius_auth.conf.tmpl
+++ b/data/templates/system-login/pam_radius_auth.conf.tmpl
@@ -1,12 +1,11 @@
-# Automatically generated by VyOS
+# Automatically generated by system-login.py
# RADIUS configuration file
-{%- if radius_server %}
-# server[:port] shared_secret timeout (s) source_ip
-{% for s in radius_server %}
-{%- if not s.disabled -%}
-{{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if radius_source_address -%}{{ radius_source_address }}{% endif %}
-{% endif %}
-{%- endfor %}
+{% if radius_server %}
+# server[:port] shared_secret timeout source_ip
+{% for s in radius_server|sort(attribute='priority') if not s.disabled %}
+{% set addr_port = s.address + ":" + s.port %}
+{{ "%-22s" | format(addr_port) }} {{ "%-25s" | format(s.key) }} {{ "%-10s" | format(s.timeout) }} {{ radius_source_address if radius_source_address }}
+{% endfor %}
priv-lvl 15
mapped_priv_user radius_priv_user
diff --git a/data/templates/wwan/ip-down.script.tmpl b/data/templates/wwan/ip-down.script.tmpl
index 194f8d863..f7b38cbc5 100644
--- a/data/templates/wwan/ip-down.script.tmpl
+++ b/data/templates/wwan/ip-down.script.tmpl
@@ -1,26 +1,27 @@
#!/bin/sh
-tty=$2
+# Script parameters will be like:
+# wlm0 /dev/serial/by-bus/usb0b1.3p1.3 115200 10.100.118.91 10.64.64.64 wlm0
# Only applicable for Wireless Modems (WWAN)
-if [ -z "$(echo $tty | egrep "tty(USB|ACM)")" ]; then
+if [ -z $(echo $2 | egrep "(ttyS[0-9]+|usb[0-9]+b.*)$") ]; then
exit 0
fi
-# Determine if we are enslaved to a VRF, this is needed to properly insert
-# the default route
-VRF_NAME=""
+# Determine if we are running inside a VRF or not, required for proper routing table
+# NOTE: the down script can not be properly templated as we need the VRF name,
+# which is not present on deletion, thus we read it from the operating system.
if [ -d /sys/class/net/{{ intf }}/upper_* ]; then
# Determine upper (VRF) interface
VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*))
# Remove upper_ prefix from result string
- VRF=${VRF#"upper_"}
- # Populate variable to run in VR context
- VRF_NAME=" -c vrf ${VRF_NAME} "
+ VRF_NAME=${VRF#"upper_"}
+ # Remove default route from VRF routing table
+ vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "no ip route 0.0.0.0/0 {{ intf }}"
+else
+ # Remove default route from GRT (global routing table)
+ vtysh -c "conf t" -c "no ip route 0.0.0.0/0 {{ intf }}"
fi
-# Remove default route to either default or VRF routing table
-vtysh -c "conf t" ${VRF_NAME} -c "no ip route 0.0.0.0/0 {{ intf }} {{ metric }}"
-
DIALER_PID=$(cat /var/run/{{ intf }}.pid)
logger -t pppd[$DIALER_PID] "removed default route via {{ intf }} metric {{ metric }}"
diff --git a/data/templates/wwan/ip-up.script.tmpl b/data/templates/wwan/ip-up.script.tmpl
index 89e42a23a..3a7eec800 100644
--- a/data/templates/wwan/ip-up.script.tmpl
+++ b/data/templates/wwan/ip-up.script.tmpl
@@ -1,25 +1,25 @@
#!/bin/sh
-tty=$2
+# Script parameters will be like:
+# wlm0 /dev/serial/by-bus/usb0b1.3p1.3 115200 10.100.118.91 10.64.64.64 wlm0
# Only applicable for Wireless Modems (WWAN)
-if [ -z "$(echo $tty | egrep "tty(USB|ACM)")" ]; then
+if [ -z $(echo $2 | egrep "(ttyS[0-9]+|usb[0-9]+b.*)$") ]; then
exit 0
fi
-DIALER_PID=$(cat /var/run/{{ intf }}.pid)
-
-# Determine if we are enslaved to a VRF, this is needed to properly insert
-# the default route
-VRF_NAME=""
+# Determine if we are running inside a VRF or not, required for proper routing table
if [ -d /sys/class/net/{{ intf }}/upper_* ]; then
# Determine upper (VRF) interface
VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*))
# Remove upper_ prefix from result string
- VRF=${VRF#"upper_"}
- VRF_NAME="vrf ${VRF}"
+ VRF_NAME=${VRF#"upper_"}
+ # Remove default route from VRF routing table
+ vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "ip route 0.0.0.0/0 {{ intf }} {{ metric }}"
+else
+ # Remove default route from GRT (global routing table)
+ vtysh -c "conf t" -c "ip route 0.0.0.0/0 {{ intf }} {{ metric }}"
fi
-# Apply default route to either default or VRF routing table
-vtysh -c "conf t" -c "ip route 0.0.0.0/0 {{ intf }} ${VRF_NAME} {{ metric }}"
+DIALER_PID=$(cat /var/run/{{ intf }}.pid)
logger -t pppd[$DIALER_PID] "added default route via {{ intf }} metric {{ metric }} ${VRF_NAME}"
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-25 03:19:04 +0000