Diffstat (limited to 'data')
-rw-r--r--data/config-mode-dependencies.json35
-rw-r--r--data/config-mode-dependencies/vyos-1x.json39
-rw-r--r--data/configd-include.json127
-rw-r--r--data/op-mode-standardized.json3
-rw-r--r--data/templates/accel-ppp/config_chap_secrets_radius.j211
-rw-r--r--data/templates/accel-ppp/config_ip_pool.j236
-rw-r--r--data/templates/accel-ppp/config_shaper_radius.j22
-rw-r--r--data/templates/accel-ppp/ipoe.config.j241
-rw-r--r--data/templates/accel-ppp/l2tp.config.j2171
-rw-r--r--data/templates/accel-ppp/pppoe.config.j226
-rw-r--r--data/templates/accel-ppp/pptp.config.j2106
-rw-r--r--data/templates/accel-ppp/sstp.config.j28
-rw-r--r--data/templates/bcast-relay/udp-broadcast-relay.j22
-rw-r--r--data/templates/chrony/chrony.conf.j22
-rw-r--r--data/templates/conntrack/sysctl.conf.j22
-rw-r--r--data/templates/conntrack/vyos_nf_conntrack.conf.j23
-rw-r--r--data/templates/conntrackd/conntrackd.conf.j23
-rw-r--r--data/templates/container/containers.conf.j21418
-rw-r--r--data/templates/dhcp-client/ipv4.j224
-rw-r--r--data/templates/dhcp-relay/dhcrelay.conf.j24
-rw-r--r--data/templates/dhcp-relay/dhcrelay6.conf.j23
-rw-r--r--data/templates/dns-dynamic/ddclient.conf.j271
-rw-r--r--data/templates/dns-dynamic/override.conf.j22
-rw-r--r--data/templates/dns-forwarding/recursor.conf.j213
-rw-r--r--data/templates/dns-forwarding/recursor.conf.lua.j23
-rw-r--r--data/templates/dns-forwarding/recursor.zone.conf.j22
-rw-r--r--data/templates/ethernet/wpa_supplicant.conf.j23
-rw-r--r--data/templates/firewall/nftables-bridge.j235
-rw-r--r--data/templates/firewall/nftables-defines.j214
-rw-r--r--data/templates/firewall/nftables-nat.j22
-rw-r--r--data/templates/firewall/nftables-offload.j29
-rw-r--r--data/templates/firewall/nftables-policy.j210
-rw-r--r--data/templates/firewall/nftables-vrf-zones.j24
-rw-r--r--data/templates/firewall/nftables-zone.j277
-rw-r--r--data/templates/firewall/nftables.j2113
-rw-r--r--data/templates/frr/bgpd.frr.j276
-rw-r--r--data/templates/frr/daemons.frr.tmpl133
-rw-r--r--data/templates/frr/eigrpd.frr.j240
-rw-r--r--data/templates/frr/evpn.mh.frr.j216
-rw-r--r--data/templates/frr/igmp.frr.j241
-rw-r--r--data/templates/frr/isisd.frr.j250
-rw-r--r--data/templates/frr/ldpd.frr.j210
-rw-r--r--data/templates/frr/pim6d.frr.j281
-rw-r--r--data/templates/frr/pimd.frr.j2115
-rw-r--r--data/templates/frr/zebra.segment_routing.frr.j223
-rw-r--r--data/templates/grub/grub_common.j223
-rw-r--r--data/templates/grub/grub_compat.j263
-rw-r--r--data/templates/grub/grub_main.j27
-rw-r--r--data/templates/grub/grub_menu.j25
-rw-r--r--data/templates/grub/grub_modules.j23
-rw-r--r--data/templates/grub/grub_options.j252
-rw-r--r--data/templates/grub/grub_vars.j24
-rw-r--r--data/templates/grub/grub_vyos_version.j222
-rw-r--r--data/templates/high-availability/10-override.conf.j216
-rw-r--r--data/templates/https/nginx.default.j2109
-rw-r--r--data/templates/https/vyos-http-api.service.j23
-rw-r--r--data/templates/igmp-proxy/igmpproxy.conf.j22
-rw-r--r--data/templates/ipsec/swanctl/remote_access.j24
-rw-r--r--data/templates/lldp/lldpd.j24
-rw-r--r--data/templates/lldp/vyos.conf.j22
-rw-r--r--data/templates/load-balancing/haproxy.cfg.j217
-rw-r--r--data/templates/load-balancing/wlb.conf.j24
-rw-r--r--data/templates/login/authorized_keys.j23
-rw-r--r--data/templates/login/limits.j22
-rw-r--r--data/templates/login/nsswitch.conf.j23
-rw-r--r--data/templates/login/pam_radius_auth.conf.j22
-rw-r--r--data/templates/login/tacplus_servers.j23
-rw-r--r--data/templates/macsec/wpa_supplicant.conf.j22
-rw-r--r--data/templates/mdns-repeater/avahi-daemon.conf.j2 (renamed from data/templates/mdns-repeater/avahi-daemon.j2)8
-rw-r--r--data/templates/mdns-repeater/override.conf.j27
-rw-r--r--data/templates/ndppd/ndppd.conf.j271
-rw-r--r--data/templates/ocserv/ocserv_config.j219
-rw-r--r--data/templates/openvpn/auth.pw.j22
-rw-r--r--data/templates/openvpn/client.conf.j22
-rw-r--r--data/templates/openvpn/server.conf.j215
-rw-r--r--data/templates/pmacct/override.conf.j24
-rw-r--r--data/templates/pmacct/uacctd.conf.j22
-rw-r--r--data/templates/pppoe/peer.j24
-rw-r--r--data/templates/rsyslog/logrotate.j22
-rw-r--r--data/templates/rsyslog/rsyslog.conf.j212
-rw-r--r--data/templates/salt-minion/minion.j22
-rw-r--r--data/templates/snmp/etc.snmp.conf.j22
-rw-r--r--data/templates/snmp/etc.snmpd.conf.j212
-rw-r--r--data/templates/snmp/override.conf.j21
-rw-r--r--data/templates/snmp/usr.snmpd.conf.j22
-rw-r--r--data/templates/snmp/var.snmpd.conf.j22
-rw-r--r--data/templates/ssh/sshd_config.j22
-rw-r--r--data/templates/ssh/sshguard_config.j22
-rw-r--r--data/templates/ssh/sshguard_whitelist.j22
-rw-r--r--data/templates/sstp-client/peer.j22
-rw-r--r--data/templates/system/proxy.j22
-rw-r--r--data/templates/system/sysctl.conf.j214
-rw-r--r--data/templates/telegraf/telegraf.j22
-rw-r--r--data/templates/tftp-server/default.j22
-rw-r--r--data/templates/vpp/override.conf.j214
-rw-r--r--data/templates/vpp/startup.conf.j2116
-rw-r--r--data/templates/wifi/hostapd.conf.j22
-rw-r--r--data/templates/wifi/wpa_supplicant.conf.j22
98 files changed, 2108 insertions, 1587 deletions
diff --git a/data/config-mode-dependencies.json b/data/config-mode-dependencies.json
deleted file mode 100644
index 91a757c16..000000000
--- a/data/config-mode-dependencies.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "firewall": {"group_resync": ["nat", "policy-route"]},
- "http_api": {"https": ["https"]},
- "pki": {
- "ethernet": ["interfaces-ethernet"],
- "openvpn": ["interfaces-openvpn"],
- "https": ["https"],
- "ipsec": ["vpn_ipsec"],
- "openconnect": ["vpn_openconnect"],
- "sstp": ["vpn_sstp"]
- },
- "qos": {
- "bonding": ["interfaces-bonding"],
- "bridge": ["interfaces-bridge"],
- "dummy": ["interfaces-dummy"],
- "ethernet": ["interfaces-ethernet"],
- "geneve": ["interfaces-geneve"],
- "input": ["interfaces-input"],
- "l2tpv3": ["interfaces-l2tpv3"],
- "loopback": ["interfaces-loopback"],
- "macsec": ["interfaces-macsec"],
- "openvpn": ["interfaces-openvpn"],
- "pppoe": ["interfaces-pppoe"],
- "pseudo-ethernet": ["interfaces-pseudo-ethernet"],
- "tunnel": ["interfaces-tunnel"],
- "vti": ["interfaces-vti"],
- "vxlan": ["interfaces-vxlan"],
- "wireguard": ["interfaces-wireguard"],
- "wireless": ["interfaces-wireless"],
- "wwan": ["interfaces-wwan"]
- },
- "vpp": {
- "ethernet": ["interfaces-ethernet"]
- }
-}
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
new file mode 100644
index 000000000..50473a6a1
--- /dev/null
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -0,0 +1,39 @@
+{
+ "firewall": {
+ "group_resync": ["nat", "policy_route"]
+ },
+ "interfaces_bonding": {
+ "ethernet": ["interfaces_ethernet"]
+ },
+ "interfaces_bridge": {
+ "vxlan": ["interfaces_vxlan"]
+ },
+ "pki": {
+ "ethernet": ["interfaces_ethernet"],
+ "openvpn": ["interfaces_openvpn"],
+ "https": ["service_https"],
+ "ipsec": ["vpn_ipsec"],
+ "openconnect": ["vpn_openconnect"],
+ "sstp": ["vpn_sstp"]
+ },
+ "qos": {
+ "bonding": ["interfaces_bonding"],
+ "bridge": ["interfaces_bridge"],
+ "dummy": ["interfaces_dummy"],
+ "ethernet": ["interfaces_ethernet"],
+ "geneve": ["interfaces_geneve"],
+ "input": ["interfaces_input"],
+ "l2tpv3": ["interfaces_l2tpv3"],
+ "loopback": ["interfaces_loopback"],
+ "macsec": ["interfaces_macsec"],
+ "openvpn": ["interfaces_openvpn"],
+ "pppoe": ["interfaces_pppoe"],
+ "pseudo-ethernet": ["interfaces_pseudo-ethernet"],
+ "tunnel": ["interfaces_tunnel"],
+ "vti": ["interfaces_vti"],
+ "vxlan": ["interfaces_vxlan"],
+ "wireguard": ["interfaces_wireguard"],
+ "wireless": ["interfaces_wireless"],
+ "wwan": ["interfaces_wwan"]
+ }
+}
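Review bot: The `http_api` → `https` and `vpp` → `interfaces-ethernet` entries of the deleted data/config-mode-dependencies.json have no counterpart in this new file, so a change under the HTTP API or VPP would presumably no longer trigger a dependent re-run of the https/ethernet scripts unless those dependencies were moved elsewhere (the same commit still touches data/templates/vpp/, so VPP does not appear to be gone from the tree). If the drop is intentional it should be stated in the commit message; if not, the two entries need carrying over in the new naming, e.g. `"http_api": {"https": ["service_https"]}`. It is also worth confirming that every target name here (`interfaces_pseudo-ethernet`, `service_https`, `policy_route`, …) matches an entry in data/configd-include.json, since a typo in a JSON string is not caught by anything at load time.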
diff --git a/data/configd-include.json b/data/configd-include.json
index 84bc1f14e..fe27ae2b7 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -1,87 +1,110 @@
[
-"arp.py",
-"bcast_relay.py",
"container.py",
-"conntrack.py",
-"conntrack_sync.py",
-"dhcp_relay.py",
-"dhcp_server.py",
-"dhcpv6_relay.py",
-"dhcpv6_server.py",
-"dns_forwarding.py",
-"dns_dynamic.py",
"firewall.py",
-"flow_accounting_conf.py",
"high-availability.py",
-"host_name.py",
-"igmp_proxy.py",
-"intel_qat.py",
-"interfaces-bonding.py",
-"interfaces-bridge.py",
-"interfaces-dummy.py",
-"interfaces-ethernet.py",
-"interfaces-geneve.py",
-"interfaces-l2tpv3.py",
-"interfaces-loopback.py",
-"interfaces-macsec.py",
-"interfaces-openvpn.py",
-"interfaces-pppoe.py",
-"interfaces-pseudo-ethernet.py",
-"interfaces-sstpc.py",
-"interfaces-tunnel.py",
-"interfaces-vti.py",
-"interfaces-vxlan.py",
-"interfaces-wireguard.py",
-"interfaces-wireless.py",
-"interfaces-wwan.py",
-"lldp.py",
+"interfaces_bonding.py",
+"interfaces_bridge.py",
+"interfaces_dummy.py",
+"interfaces_ethernet.py",
+"interfaces_geneve.py",
+"interfaces_input.py",
+"interfaces_l2tpv3.py",
+"interfaces_loopback.py",
+"interfaces_macsec.py",
+"interfaces_openvpn.py",
+"interfaces_pppoe.py",
+"interfaces_pseudo-ethernet.py",
+"interfaces_sstpc.py",
+"interfaces_tunnel.py",
+"interfaces_virtual-ethernet.py",
+"interfaces_vti.py",
+"interfaces_vxlan.py",
+"interfaces_wireguard.py",
+"interfaces_wireless.py",
+"interfaces_wwan.py",
+"load-balancing_reverse-proxy.py",
+"load-balancing_wan.py",
"nat.py",
+"nat64.py",
"nat66.py",
"netns.py",
-"ntp.py",
"pki.py",
"policy.py",
-"policy-local-route.py",
+"policy_route.py",
+"policy_local-route.py",
+"protocols_babel.py",
"protocols_bfd.py",
"protocols_bgp.py",
-"protocols_igmp.py",
+"protocols_eigrp.py",
+"protocols_failover.py",
+"protocols_igmp-proxy.py",
"protocols_isis.py",
"protocols_mpls.py",
"protocols_nhrp.py",
"protocols_ospf.py",
"protocols_ospfv3.py",
"protocols_pim.py",
+"protocols_pim6.py",
"protocols_rip.py",
"protocols_ripng.py",
"protocols_rpki.py",
+"protocols_segment-routing.py",
"protocols_static.py",
+"protocols_static_arp.py",
"protocols_static_multicast.py",
+"protocols_static_neighbor-proxy.py",
"qos.py",
-"salt-minion.py",
+"service_broadcast-relay.py",
+"service_config-sync.py",
+"service_conntrack-sync.py",
"service_console-server.py",
-"service_ids_fastnetmon.py",
+"service_dhcp-relay.py",
+"service_dhcp-server.py",
+"service_dhcpv6-relay.py",
+"service_dhcpv6-server.py",
+"service_dns_dynamic.py",
+"service_dns_forwarding.py",
+"service_event-handler.py",
+"service_https.py",
+"service_ids_ddos-protection.py",
"service_ipoe-server.py",
-"service_mdns-repeater.py",
+"service_lldp.py",
+"service_mdns_repeater.py",
"service_monitoring_telegraf.py",
+"service_monitoring_zabbix-agent.py",
+"service_ndp-proxy.py",
+"service_ntp.py",
"service_pppoe-server.py",
"service_router-advert.py",
+"service_salt-minion.py",
+"service_sla.py",
+"service_ssh.py",
+"service_tftp-server.py",
"service_upnp.py",
-"ssh.py",
-"system-ip.py",
-"system-ipv6.py",
-"system-login-banner.py",
-"system-logs.py",
-"system-option.py",
-"system-proxy.py",
-"system_sflow.py",
-"system_sysctl.py",
-"system-syslog.py",
-"system-timezone.py",
+"service_webproxy.py",
+"system_acceleration.py",
+"system_config-management.py",
+"system_conntrack.py",
"system_console.py",
+"system_flow-accounting.py",
+"system_frr.py",
+"system_host-name.py",
+"system_ip.py",
+"system_ipv6.py",
"system_lcd.py",
-"task_scheduler.py",
-"tftp_server.py",
+"system_login_banner.py",
+"system_logs.py",
+"system_option.py",
+"system_proxy.py",
+"system_sflow.py",
+"system_sysctl.py",
+"system_syslog.py",
+"system_task-scheduler.py",
+"system_timezone.py",
+"system_update-check.py",
+"vpn_ipsec.py",
"vpn_l2tp.py",
+"vpn_openconnect.py",
"vpn_pptp.py",
"vpn_sstp.py",
"vrf.py",
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index 042c466ab..dfb7b023f 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -25,6 +25,5 @@
"storage.py",
"uptime.py",
"version.py",
-"vrf.py",
-"zone.py"
+"vrf.py"
]
diff --git a/data/templates/accel-ppp/config_chap_secrets_radius.j2 b/data/templates/accel-ppp/config_chap_secrets_radius.j2
index a498d8186..595e3a565 100644
--- a/data/templates/accel-ppp/config_chap_secrets_radius.j2
+++ b/data/templates/accel-ppp/config_chap_secrets_radius.j2
@@ -30,7 +30,16 @@ dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.r
{% endif %}
{% endif %}
{# Both chap-secrets and radius block required the gw-ip-address #}
-{% if gateway_address is vyos_defined %}
+{% if authentication.mode is vyos_defined('local') or authentication.mode is vyos_defined('radius') %}
+{% if gateway_address is vyos_defined %}
+{% if server_type == 'ipoe' %}
+{% for gw in gateway_address %}
+{% set host_address, _ = gw.split('/') %}
+gw-ip-address={{ host_address }}
+{% endfor %}
+{% else %}
gw-ip-address={{ gateway_address }}
+{% endif %}
+{% endif %}
{% endif %}
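Review bot: `{% set host_address, _ = gw.split('/') %}` in the new ipoe branch fails at render time if a gateway_address entry carries no prefix length, because tuple unpacking requires exactly two parts; `{% set host_address = gw.split('/')[0] %}` yields the same host address and tolerates both forms, unless the conf-mode verifier already guarantees the `a.b.c.d/n` shape. The same three-line loop is duplicated in config_ip_pool.j2, so a shared macro would keep the two in step. Note also that the new outer guard drops `gw-ip-address` entirely in `noauth` mode; a comment such as `{# no gw-ip-address in noauth mode: neither [chap-secrets] nor [radius] is emitted then #}` would record that this is intended, assuming that is indeed why.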
diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2
index f7511e445..6ac04e1a1 100644
--- a/data/templates/accel-ppp/config_ip_pool.j2
+++ b/data/templates/accel-ppp/config_ip_pool.j2
@@ -1,24 +1,28 @@
-{% if client_ip_pool is vyos_defined %}
+{% if ordered_named_pools is vyos_defined %}
[ip-pool]
{% if gateway_address is vyos_defined %}
+{% if server_type == 'ipoe' %}
+{% for gw in gateway_address %}
+{% set host_address, _ = gw.split('/') %}
+gw-ip-address={{ host_address }}
+{% endfor %}
+{% else %}
gw-ip-address={{ gateway_address }}
+{% endif %}
{% endif %}
-{% if client_ip_pool.start is vyos_defined and client_ip_pool.stop is vyos_defined %}
-{{ client_ip_pool.start }}-{{ client_ip_pool.stop.split('.')[3] }}
-{% endif %}
-{% if client_ip_pool.subnet is vyos_defined %}
-{% for subnet in client_ip_pool.subnet %}
-{{ subnet }}
-{% endfor %}
-{% endif %}
-{% if client_ip_pool.name is vyos_defined %}
-{% for pool, pool_config in client_ip_pool.name.items() %}
-{% if pool_config.subnet is vyos_defined %}
-{{ pool_config.subnet }},name={{ pool }}
+{% for pool in ordered_named_pools %}
+{% for pool_name, pool_config in pool.items() %}
+{% set iprange_str = pool_config.range %}
+{% set iprange_list = pool_config.range.split('-') %}
+{% if iprange_list | length == 2 %}
+{% set last_ip_oct = iprange_list[1].split('.') %}
+{% set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %}
{% endif %}
-{% if pool_config.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_config.gateway_address }}
+{% if pool_config.next_pool is vyos_defined %}
+{{ iprange_str }},name={{ pool_name }},next={{ pool_config.next_pool }}
+{% else %}
+{{ iprange_str }},name={{ pool_name }}
{% endif %}
{% endfor %}
-{% endif %}
+{% endfor %}
{% endif %} \ No newline at end of file
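Review bot: The range compaction at `{% set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %}` keeps only the last octet of the upper bound, so a range whose ends differ in a higher octet (e.g. `10.0.0.10-10.0.1.20`) is silently rendered as `10.0.0.10-20`, shrinking the pool; that is only correct if the conf-mode verifier rejects ranges spanning more than the last octet, which is not visible here. If that check exists, a comment such as `{# accel-ppp range syntax is a.b.c.d-e with e the last octet; verify() guarantees both ends share the first three octets #}` documents the assumption, and if it does not exist the check belongs in verify(). The `next=` chain references pools by name, so a dangling `next_pool` would presumably only surface as an accel-ppp startup error rather than at commit time.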
diff --git a/data/templates/accel-ppp/config_shaper_radius.j2 b/data/templates/accel-ppp/config_shaper_radius.j2
index 0cf6a6a92..fcd68f69e 100644
--- a/data/templates/accel-ppp/config_shaper_radius.j2
+++ b/data/templates/accel-ppp/config_shaper_radius.j2
@@ -1,6 +1,7 @@
{% if authentication.mode is vyos_defined('radius') or shaper is vyos_defined %}
[shaper]
verbose=1
+down-limiter=tbf
{% if authentication.radius.rate_limit.enable is vyos_defined %}
attr={{ authentication.radius.rate_limit.attribute }}
{% if authentication.radius.rate_limit.vendor is vyos_defined %}
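Review bot: `down-limiter=tbf` is now emitted unconditionally, whereas before this change `down-limiter=htb` was written only when `shaper.fwmark` was configured (removed in the second hunk), so existing fwmark deployments change limiter algorithm on upgrade with nothing in the template explaining why. If tbf is the intended default for every case, a comment such as `{# tbf for all down-limiting; htb used to be selected only together with fwmark #}` above the line records the decision, and a smoketest covering the fwmark case would pin it. If the fwmark shaper still needs htb in accel-ppp, the conditional has to come back.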
@@ -13,7 +14,6 @@ rate-multiplier={{ authentication.radius.rate_limit.multiplier }}
{% if shaper is vyos_defined %}
{% if shaper.fwmark is vyos_defined %}
fwmark={{ shaper.fwmark }}
-down-limiter=htb
{% endif %}
{% endif %}
{% endif %} \ No newline at end of file
diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2
index f59428509..588f3d462 100644
--- a/data/templates/accel-ppp/ipoe.config.j2
+++ b/data/templates/accel-ppp/ipoe.config.j2
@@ -14,6 +14,11 @@ ippool
[core]
thread-count={{ thread_count }}
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
+
[log]
syslog=accel-ipoe,daemon
copy=1
@@ -50,38 +55,18 @@ noauth=1
username=ifname
password=csid
{% endif %}
-{% if client_ip_pool.name is vyos_defined %}
-{% if first_named_pool is vyos_defined %}
-ip-pool={{ first_named_pool }}
-{% else %}
-{% for pool, pool_options in client_ip_pool.name.items() %}
-{% if pool_options.subnet is vyos_defined %}
-ip-pool={{ pool }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% for pool, pool_options in client_ip_pool.name.items() %}
-{% if pool_options.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }}
-{% endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
+{% if gateway_address is vyos_defined %}
+{% for gw_addr in gateway_address %}
+gw-ip-address={{ gw_addr }}
{% endfor %}
{% endif %}
proxy-arp=1
-{% if ordered_named_pools is vyos_defined %}
-[ip-pool]
-{% for p in ordered_named_pools %}
-{% for pool, pool_options in p.items() %}
-{% set next_named_pool = ',next=' ~ pool_options.next_pool if pool_options.next_pool is vyos_defined else '' %}
-{{ pool_options.subnet }},name={{ pool }}{{ next_named_pool }}
-{% endfor %}
-{% endfor %}
-{% for p in ordered_named_pools %}
-{% for pool, pool_options in p.items() %}
-gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }}
-{% endfor %}
-{% endfor %}
-{% endif %}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
{# Common IPv6 pool definitions #}
{% include 'accel-ppp/config_ipv6_pool.j2' %}
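Review bot: Under `[ipoe]` the new loop emits `gw-ip-address={{ gw_addr }}` with its prefix length intact, while the included config_ip_pool.j2 strips the prefix from the same list for `[ip-pool]`; the difference looks deliberate but is undocumented, so a comment at the loop, `{# [ipoe] takes gw-ip-address with prefix length; the [ip-pool] include strips it #}`, would spare the next reader a trip to the accel-ppp docs. Separately, `ip-pool=` is now written only when `default_pool` is defined, replacing the old fallback that picked the first named pool with a subnet; if service_ipoe-server.py does not always populate `default_pool`, IPoE sessions would start with no pool assigned, which is worth confirming against that script.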
diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2
index a2f9c9fc7..49755254a 100644
--- a/data/templates/accel-ppp/l2tp.config.j2
+++ b/data/templates/accel-ppp/l2tp.config.j2
@@ -2,46 +2,34 @@
[modules]
log_syslog
l2tp
-chap-secrets
-{% for proto in auth_proto %}
-{{ proto }}
-{% endfor %}
-
-{% if auth_mode == 'radius' %}
-radius
-{% endif %}
-
-ippool
shaper
-ipv6pool
-ipv6_nd
-ipv6_dhcp
+{# Common authentication backend definitions #}
+{% include 'accel-ppp/config_modules_auth_mode.j2' %}
+ippool
+{# Common IPv6 definitions #}
+{% include 'accel-ppp/config_modules_ipv6.j2' %}
+{# Common authentication protocols (pap, chap ...) #}
+{% include 'accel-ppp/config_modules_auth_protocols.j2' %}
[core]
-thread-count={{ thread_cnt }}
+thread-count={{ thread_count }}
+
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
[log]
syslog=accel-l2tp,daemon
copy=1
level=5
-{% if dnsv4 %}
-[dns]
-{% for dns in dnsv4 %}
-dns{{ loop.index }}={{ dns }}
-{% endfor %}
-{% endif %}
-
-{% if dnsv6 %}
-[ipv6-dns]
-{% for dns in dnsv6 %}
-{{ dns }}
-{% endfor %}
-{% endif %}
+{# Common DNS name-server definition #}
+{% include 'accel-ppp/config_name_server.j2' %}
-{% if wins %}
+{% if wins_server is vyos_defined %}
[wins]
-{% for server in wins %}
+{% for server in wins_server %}
wins{{ loop.index }}={{ server }}
{% endfor %}
{% endif %}
@@ -50,116 +38,59 @@ wins{{ loop.index }}={{ server }}
verbose=1
ifname=l2tp%d
ppp-max-mtu={{ mtu }}
-mppe={{ ppp_mppe }}
-{% if outside_addr %}
-bind={{ outside_addr }}
+mppe={{ ppp_options.mppe }}
+{% if outside_address is vyos_defined %}
+bind={{ outside_address }}
{% endif %}
-{% if lns_shared_secret %}
-secret={{ lns_shared_secret }}
+{% if lns.shared_secret is vyos_defined %}
+secret={{ lns.shared_secret }}
{% endif %}
-{% if lns_host_name %}
-host-name={{ lns_host_name }}
+{% if lns.host_name is vyos_defined %}
+host-name={{ lns.host_name }}
+{% endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
{% endif %}
[client-ip-range]
0.0.0.0/0
-{% if client_ip_pool or client_ip_subnets %}
-[ip-pool]
-{% if client_ip_pool %}
-{{ client_ip_pool }}
-{% endif %}
-{% if client_ip_subnets %}
-{% for sn in client_ip_subnets %}
-{{ sn }}
-{% endfor %}
-{% endif %}
-{% endif %}
-{% if gateway_address %}
-gw-ip-address={{ gateway_address }}
-{% endif %}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
-{% if auth_mode == 'local' %}
-[chap-secrets]
-chap-secrets={{ chap_secrets_file }}
-{% elif auth_mode == 'radius' %}
-[radius]
-verbose=1
-{% for r in radius_server %}
-server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }}
-{% endfor %}
-{% if radius_dynamic_author.server is vyos_defined %}
-dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }}
-{% endif %}
-{% if radius_acct_interim_interval is vyos_defined %}
-acct-interim-interval={{ radius_acct_interim_interval }}
-{% endif %}
-{% if radius_acct_inter_jitter %}
-acct-interim-jitter={{ radius_acct_inter_jitter }}
-{% endif %}
-acct-timeout={{ radius_acct_tmo }}
-timeout={{ radius_timeout }}
-max-try={{ radius_max_try }}
-{% if radius_nas_id %}
-nas-identifier={{ radius_nas_id }}
-{% endif %}
-{% if radius_nas_ip %}
-nas-ip-address={{ radius_nas_ip }}
-{% endif %}
-{% if radius_source_address %}
-bind={{ radius_source_address }}
-{% endif %}
-{% endif %}
-{% if gateway_address %}
-gw-ip-address={{ gateway_address }}
-{% endif %}
+{# Common chap-secrets and RADIUS server/option definitions #}
+{% include 'accel-ppp/config_chap_secrets_radius.j2' %}
[ppp]
verbose=1
check-ip=1
single-session=replace
-lcp-echo-timeout={{ ppp_echo_timeout }}
-lcp-echo-interval={{ ppp_echo_interval }}
-lcp-echo-failure={{ ppp_echo_failure }}
-{% if ccp_disable %}
+lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
+lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
+lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
+{# MTU #}
+mtu={{ mtu }}
+ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }}
+ipv4={{ ppp_options.ipv4 }}
+mppe={{ ppp_options.mppe }}
+{% if ccp_disable is vyos_defined %}
ccp=0
{% endif %}
-{% if ppp_ipv6 is vyos_defined %}
-ipv6={{ ppp_ipv6 }}
-{% else %}
-{{ 'ipv6=allow' if client_ipv6_pool_configured else '' }}
-{% endif %}
-{% if ppp_ipv6_intf_id is vyos_defined %}
-ipv6-intf-id={{ ppp_ipv6_intf_id }}
-{% endif %}
-{% if ppp_ipv6_peer_intf_id is vyos_defined %}
-ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }}
-{% endif %}
-ipv6-accept-peer-intf-id={{ "1" if ppp_ipv6_accept_peer_intf_id else "0" }}
+unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
-{% if client_ipv6_pool %}
-[ipv6-pool]
-{% for p in client_ipv6_pool %}
-{{ p.prefix }},{{ p.mask }}
-{% endfor %}
-{% for p in client_ipv6_delegate_prefix %}
-delegate={{ p.prefix }},{{ p.mask }}
-{% endfor %}
+{% if ppp_options.ipv6_intf_id is vyos_defined %}
+ipv6-intf-id={{ ppp_options.ipv6_intf_id }}
{% endif %}
-
-{% if client_ipv6_delegate_prefix %}
-[ipv6-dhcp]
-verbose=1
+{% if ppp_options.ipv6_peer_intf_id is vyos_defined %}
+ipv6-peer-intf-id={{ ppp_options.ipv6_peer_intf_id }}
{% endif %}
+ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is vyos_defined else "0" }}
-{% if radius_shaper_attr %}
-[shaper]
-verbose=1
-attr={{ radius_shaper_attr }}
-{% if radius_shaper_vendor %}
-vendor={{ radius_shaper_vendor }}
-{% endif %}
-{% endif %}
+{# Common IPv6 pool definitions #}
+{% include 'accel-ppp/config_ipv6_pool.j2' %}
+
+{# Common RADIUS shaper configuration #}
+{% include 'accel-ppp/config_shaper_radius.j2' %}
[cli]
tcp=127.0.0.1:2004
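Review bot: The new `ipv6=` line turns an explicit `ppp_options.ipv6` of `deny` into `allow` whenever `client_ipv6_pool` is defined, so an operator who set `deny` gets IPv6 negotiated anyway; the same expression already exists in sstp.config.j2, but neither template says why the pool wins over the explicit setting. Either reject that combination in verify() or add `{# an IPv6 pool implies ipv6=allow even if ppp-options ipv6 is set to deny #}` above the line. Secondary: `mppe={{ ppp_options.mppe }}` now appears both under `[l2tp]` and under `[ppp]`; if accel-ppp treats the `[ppp]` value as the default and the per-protocol one as an override, one of the two is redundant and a comment should say which is authoritative.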
diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2
index dd53edd28..4bb1c4450 100644
--- a/data/templates/accel-ppp/pppoe.config.j2
+++ b/data/templates/accel-ppp/pppoe.config.j2
@@ -62,10 +62,13 @@ wins{{ loop.index }}={{ server }}
{# Common chap-secrets and RADIUS server/option definitions #}
{% include 'accel-ppp/config_chap_secrets_radius.j2' %}
-{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %}
[common]
+{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %}
single-session={{ session_control }}
{% endif %}
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
[ppp]
verbose=1
@@ -105,7 +108,6 @@ unit-cache={{ ppp_options.interface_cache }}
[pppoe]
verbose=1
ac-name={{ access_concentrator }}
-
{% if interface is vyos_defined %}
{% for iface, iface_config in interface.items() %}
{% if iface_config.vlan is not vyos_defined %}
@@ -118,11 +120,9 @@ vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }}
{% endif %}
{% endfor %}
{% endif %}
-
{% if service_name %}
service-name={{ service_name | join(',') }}
{% endif %}
-
{% if pado_delay %}
{% set pado_delay_param = namespace(value='0') %}
{% for delay in pado_delay | sort(attribute='0') %}
@@ -137,21 +137,11 @@ pado-delay={{ pado_delay_param.value }}
{% if authentication.radius.called_sid_format is vyos_defined %}
called-sid={{ authentication.radius.called_sid_format }}
{% endif %}
-
-{% if authentication.mode is vyos_defined("local") or authentication.mode is vyos_defined("noauth") %}
-{% if authentication.mode is vyos_defined("noauth") %}
+{% if authentication.mode is vyos_defined("noauth") %}
noauth=1
-{% endif %}
-{% if client_ip_pool.name is vyos_defined %}
-{% for pool, pool_config in client_ip_pool.name.items() %}
-{% if pool_config.subnet is vyos_defined %}
-ip-pool={{ pool }}
-{% endif %}
-{% if pool_config.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_config.gateway_address }}/{{ pool_config.subnet.split('/')[1] }}
-{% endif %}
-{% endfor %}
-{% endif %}
+{% endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
{% endif %}
{% if limits is vyos_defined %}
diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2
index 0082e55bf..daafd6e92 100644
--- a/data/templates/accel-ppp/pptp.config.j2
+++ b/data/templates/accel-ppp/pptp.config.j2
@@ -3,34 +3,39 @@
log_syslog
pptp
shaper
-{% if auth_mode == 'local' %}
-chap-secrets
-{% elif auth_mode == 'radius' %}
-radius
-{% endif %}
+{# Common authentication backend definitions #}
+{% include 'accel-ppp/config_modules_auth_mode.j2' %}
ippool
-{% for proto in auth_proto %}
-{{ proto }}
-{% endfor %}
+{# Common authentication protocols (pap, chap ...) #}
+{% if authentication.require is vyos_defined %}
+{% if authentication.require == 'chap' %}
+auth_chap_md5
+{% elif authentication.require == 'mschap' %}
+auth_mschap_v1
+{% else %}
+auth_{{ authentication.require.replace('-', '_') }}
+{% endif %}
+{% endif %}
[core]
-thread-count={{ thread_cnt }}
+thread-count={{ thread_count }}
+
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
[log]
syslog=accel-pptp,daemon
copy=1
level=5
-{% if dnsv4 %}
-[dns]
-{% for dns in dnsv4 %}
-dns{{ loop.index }}={{ dns }}
-{% endfor %}
-{% endif %}
+{# Common DNS name-server definition #}
+{% include 'accel-ppp/config_name_server.j2' %}
-{% if wins %}
+{% if wins_server is vyos_defined %}
[wins]
-{% for server in wins %}
+{% for server in wins_server %}
wins{{ loop.index }}={{ server }}
{% endfor %}
{% endif %}
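Review bot: The `{# Common authentication protocols (pap, chap ...) #}` comment is followed by an inlined mapping (`auth_chap_md5`, `auth_mschap_v1`, `auth_{{ authentication.require.replace('-', '_') }}`) rather than the shared `accel-ppp/config_modules_auth_protocols.j2` that l2tp.config.j2 includes for the same purpose, so the two templates can drift. If pptp's `authentication.require` has a different shape (a single value rather than a list) the comment should say so; otherwise the nine lines can become `{% include 'accel-ppp/config_modules_auth_protocols.j2' %}`. As a caveat for operators rather than a defect in the rewrite, `auth_pap`/`auth_chap_md5` expose credentials to anyone capturing the tunnel setup and PPTP's MS-CHAP variants are widely considered broken, so a short comment pointing at mschap-v2 as the least-bad choice would be appropriate next to this block.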
@@ -38,77 +43,34 @@ wins{{ loop.index }}={{ server }}
[pptp]
ifname=pptp%d
-{% if outside_addr %}
-bind={{ outside_addr }}
+{% if outside_address is vyos_defined %}
+bind={{ outside_address }}
{% endif %}
verbose=1
ppp-max-mtu={{ mtu }}
-mppe={{ ppp_mppe }}
+mppe={{ authentication.mppe }}
echo-interval=10
echo-failure=3
-
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
[client-ip-range]
0.0.0.0/0
-[ip-pool]
-tunnel={{ client_ip_pool }}
-gw-ip-address={{ gw_ip }}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
[ppp]
verbose=5
check-ip=1
single-session=replace
-{% if auth_mode == 'local' %}
-[chap-secrets]
-chap-secrets={{ chap_secrets_file }}
-{% elif auth_mode == 'radius' %}
-[radius]
-verbose=1
-{% for r in radius_server %}
-server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }}
-{% endfor %}
-
-{% if radius_acct_interim_interval is vyos_defined %}
-acct-interim-interval={{ radius_acct_interim_interval }}
-{% endif %}
-{% if radius_acct_inter_jitter %}
-acct-interim-jitter={{ radius_acct_inter_jitter }}
-{% endif %}
-
-acct-timeout={{ radius_acct_tmo }}
-timeout={{ radius_timeout }}
-max-try={{ radius_max_try }}
+{# Common chap-secrets and RADIUS server/option definitions #}
+{% include 'accel-ppp/config_chap_secrets_radius.j2' %}
-{% if radius_nas_id %}
-nas-identifier={{ radius_nas_id }}
-{% endif %}
-{% if radius_nas_ip %}
-nas-ip-address={{ radius_nas_ip }}
-{% endif %}
-{% if radius_source_address %}
-bind={{ radius_source_address }}
-{% endif %}
-{% endif %}
-{# Both chap-secrets and radius block required the gw-ip-address #}
-{% if gw_ip is defined and gw_ip is not none %}
-gw-ip-address={{ gw_ip }}
-{% endif %}
-
-{% if radius_shaper_enable %}
-[shaper]
-verbose=1
-{% if radius_shaper_attr %}
-attr={{ radius_shaper_attr }}
-{% endif %}
-{% if radius_shaper_multiplier %}
-rate-multiplier={{ radius_shaper_multiplier }}
-{% endif %}
-{% if radius_shaper_vendor %}
-vendor={{ radius_shaper_vendor }}
-{% endif %}
-{% endif %}
+{# Common RADIUS shaper configuration #}
+{% include 'accel-ppp/config_shaper_radius.j2' %}
[cli]
tcp=127.0.0.1:2003
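Review bot: `mppe={{ authentication.mppe }}` reads the MPPE policy from `authentication`, whereas the refactored l2tp and sstp templates read `ppp_options.mppe`; unless vpn_pptp.py deliberately keeps a different dictionary layout, this is an inconsistency that will trip the next person aligning the three scripts, and a one-line comment stating which key pptp uses would help. The `[ip-pool]` section and its `gw-ip-address` were previously written unconditionally from `client_ip_pool`/`gw_ip`, but now depend on `ordered_named_pools` and `gateway_address` being populated by the included template; if the conf-mode script can leave both unset, PPTP clients get no address and the failure presumably only appears at accel-ppp start, so verify() should require at least one pool.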
diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2
index 7ee28dd21..014ae1235 100644
--- a/data/templates/accel-ppp/sstp.config.j2
+++ b/data/templates/accel-ppp/sstp.config.j2
@@ -16,6 +16,9 @@ thread-count={{ thread_count }}
[common]
single-session=replace
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
[log]
syslog=accel-sstp,daemon
@@ -33,6 +36,9 @@ accept=ssl
ssl-ca-file=/run/accel-pppd/sstp-ca.pem
ssl-pemfile=/run/accel-pppd/sstp-cert.pem
ssl-keyfile=/run/accel-pppd/sstp-cert.key
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
{# Common IP pool definitions #}
{% include 'accel-ppp/config_ip_pool.j2' %}
@@ -51,9 +57,9 @@ verbose=1
check-ip=1
{# MTU #}
mtu={{ mtu }}
+unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }}
ipv4={{ ppp_options.ipv4 }}
-
mppe={{ ppp_options.mppe }}
lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
diff --git a/data/templates/bcast-relay/udp-broadcast-relay.j2 b/data/templates/bcast-relay/udp-broadcast-relay.j2
index 75740e04c..3f5b5bbe3 100644
--- a/data/templates/bcast-relay/udp-broadcast-relay.j2
+++ b/data/templates/bcast-relay/udp-broadcast-relay.j2
@@ -1,4 +1,4 @@
-### Autogenerated by bcast_relay.py ###
+### Autogenerated by service_broadcast-relay.py ###
# UDP broadcast relay configuration for instance {{ id }}
{{ '# ' ~ description if description is vyos_defined }}
diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2
index 0daec8fb8..d02fbf71d 100644
--- a/data/templates/chrony/chrony.conf.j2
+++ b/data/templates/chrony/chrony.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ntp.py ###
+### Autogenerated by service_ntp.py ###
# This would step the system clock if the adjustment is larger than 0.1 seconds,
# but only in the first three clock updates.
diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2
index 075402c04..9ea1ed2d8 100644
--- a/data/templates/conntrack/sysctl.conf.j2
+++ b/data/templates/conntrack/sysctl.conf.j2
@@ -1,4 +1,4 @@
-# Autogenerated by conntrack.py
+# Autogenerated by system_conntrack.py
{# all values have defaults - thus no checking required #}
net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 111459485..290607662 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,3 +1,2 @@
-# Autogenerated by conntrack.py
+# Autogenerated by system_conntrack.py
options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
-
diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2
index 808a77759..8f56c8171 100644
--- a/data/templates/conntrackd/conntrackd.conf.j2
+++ b/data/templates/conntrackd/conntrackd.conf.j2
@@ -1,4 +1,4 @@
-# autogenerated by conntrack_sync.py
+### autogenerated by service_conntrack-sync.py ###
# Synchronizer settings
Sync {
@@ -111,4 +111,3 @@ General {
}
{% endif %}
}
-
diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2
index c635ca213..c8b54dfbb 100644
--- a/data/templates/container/containers.conf.j2
+++ b/data/templates/container/containers.conf.j2
@@ -1,709 +1,709 @@
-### Autogenerated by container.py ###
-
-# The containers configuration file specifies all of the available configuration
-# command-line options/flags for container engine tools like Podman & Buildah,
-# but in a TOML format that can be easily modified and versioned.
-
-# Please refer to containers.conf(5) for details of all configuration options.
-# Not all container engines implement all of the options.
-# All of the options have hard coded defaults and these options will override
-# the built in defaults. Users can then override these options via the command
-# line. Container engines will read containers.conf files in up to three
-# locations in the following order:
-# 1. /usr/share/containers/containers.conf
-# 2. /etc/containers/containers.conf
-# 3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)
-# Items specified in the latter containers.conf, if they exist, override the
-# previous containers.conf settings, or the default settings.
-
-[containers]
-
-# List of annotation. Specified as
-# "key = value"
-# If it is empty or commented out, no annotations will be added
-#
-#annotations = []
-
-# Used to change the name of the default AppArmor profile of container engine.
-#
-#apparmor_profile = "container-default"
-
-# The hosts entries from the base hosts file are added to the containers hosts
-# file. This must be either an absolute path or as special values "image" which
-# uses the hosts file from the container image or "none" which means
-# no base hosts file is used. The default is "" which will use /etc/hosts.
-#
-#base_hosts_file = ""
-
-# Default way to to create a cgroup namespace for the container
-# Options are:
-# `private` Create private Cgroup Namespace for the container.
-# `host` Share host Cgroup Namespace with the container.
-#
-#cgroupns = "private"
-
-# Control container cgroup configuration
-# Determines whether the container will create CGroups.
-# Options are:
-# `enabled` Enable cgroup support within container
-# `disabled` Disable cgroup support, will inherit cgroups from parent
-# `no-conmon` Do not create a cgroup dedicated to conmon.
-#
-#cgroups = "enabled"
-
-# List of default capabilities for containers. If it is empty or commented out,
-# the default capabilities defined in the container engine will be added.
-#
-default_capabilities = [
- "CHOWN",
- "DAC_OVERRIDE",
- "FOWNER",
- "FSETID",
- "KILL",
- "NET_BIND_SERVICE",
- "SETFCAP",
- "SETGID",
- "SETPCAP",
- "SETUID",
- "SYS_CHROOT"
-]
-
-# A list of sysctls to be set in containers by default,
-# specified as "name=value",
-# for example:"net.ipv4.ping_group_range=0 0".
-#
-default_sysctls = [
- "net.ipv4.ping_group_range=0 0",
-]
-
-# A list of ulimits to be set in containers by default, specified as
-# "<ulimit name>=<soft limit>:<hard limit>", for example:
-# "nofile=1024:2048"
-# See setrlimit(2) for a list of resource names.
-# Any limit not specified here will be inherited from the process launching the
-# container engine.
-# Ulimits has limits for non privileged container engines.
-#
-#default_ulimits = [
-# "nofile=1280:2560",
-#]
-
-# List of devices. Specified as
-# "<device-on-host>:<device-on-container>:<permissions>", for example:
-# "/dev/sdc:/dev/xvdc:rwm".
-# If it is empty or commented out, only the default devices will be used
-#
-#devices = []
-
-# List of default DNS options to be added to /etc/resolv.conf inside of the container.
-#
-#dns_options = []
-
-# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.
-#
-#dns_searches = []
-
-# Set default DNS servers.
-# This option can be used to override the DNS configuration passed to the
-# container. The special value "none" can be specified to disable creation of
-# /etc/resolv.conf in the container.
-# The /etc/resolv.conf file in the image will be used without changes.
-#
-#dns_servers = []
-
-# Environment variable list for the conmon process; used for passing necessary
-# environment variables to conmon or the runtime.
-#
-#env = [
-# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-# "TERM=xterm",
-#]
-
-# Pass all host environment variables into the container.
-#
-#env_host = false
-
-# Set the ip for the host.containers.internal entry in the containers /etc/hosts
-# file. This can be set to "none" to disable adding this entry. By default it
-# will automatically choose the host ip.
-#
-# NOTE: When using podman machine this entry will never be added to the containers
-# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
-# it is not possible to disable the entry in this case.
-#
-#host_containers_internal_ip = ""
-
-# Default proxy environment variables passed into the container.
-# The environment variables passed in include:
-# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
-# these. This option is needed when host system uses a proxy but container
-# should not use proxy. Proxy environment variables specified for the container
-# in any other way will override the values passed from the host.
-#
-#http_proxy = true
-
-# Run an init inside the container that forwards signals and reaps processes.
-#
-#init = false
-
-# Container init binary, if init=true, this is the init binary to be used for containers.
-#
-#init_path = "/usr/libexec/podman/catatonit"
-
-# Default way to to create an IPC namespace (POSIX SysV IPC) for the container
-# Options are:
-# "host" Share host IPC Namespace with the container.
-# "none" Create shareable IPC Namespace for the container without a private /dev/shm.
-# "private" Create private IPC Namespace for the container, other containers are not allowed to share it.
-# "shareable" Create shareable IPC Namespace for the container.
-#
-#ipcns = "shareable"
-
-# keyring tells the container engine whether to create
-# a kernel keyring for use within the container.
-#
-#keyring = true
-
-# label tells the container engine whether to use container separation using
-# MAC(SELinux) labeling or not.
-# The label flag is ignored on label disabled systems.
-#
-#label = true
-
-# Logging driver for the container. Available options: k8s-file and journald.
-#
-#log_driver = "k8s-file"
-
-# Maximum size allowed for the container log file. Negative numbers indicate
-# that no size limit is imposed. If positive, it must be >= 8192 to match or
-# exceed conmon's read buffer. The file is truncated and re-opened so the
-# limit is never exceeded.
-#
-#log_size_max = -1
-
-# Specifies default format tag for container log messages.
-# This is useful for creating a specific tag for container log messages.
-# Containers logs default to truncated container ID as a tag.
-#
-#log_tag = ""
-
-# Default way to to create a Network namespace for the container
-# Options are:
-# `private` Create private Network Namespace for the container.
-# `host` Share host Network Namespace with the container.
-# `none` Containers do not use the network
-#
-#netns = "private"
-
-# Create /etc/hosts for the container. By default, container engine manage
-# /etc/hosts, automatically adding the container's own IP address.
-#
-#no_hosts = false
-
-# Default way to to create a PID namespace for the container
-# Options are:
-# `private` Create private PID Namespace for the container.
-# `host` Share host PID Namespace with the container.
-#
-#pidns = "private"
-
-# Maximum number of processes allowed in a container.
-#
-#pids_limit = 2048
-
-# Copy the content from the underlying image into the newly created volume
-# when the container is created instead of when it is started. If false,
-# the container engine will not copy the content until the container is started.
-# Setting it to true may have negative performance implications.
-#
-#prepare_volume_on_create = false
-
-# Path to the seccomp.json profile which is used as the default seccomp profile
-# for the runtime.
-#
-#seccomp_profile = "/usr/share/containers/seccomp.json"
-
-# Size of /dev/shm. Specified as <number><unit>.
-# Unit is optional, values:
-# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
-# If the unit is omitted, the system uses bytes.
-#
-#shm_size = "65536k"
-
-# Set timezone in container. Takes IANA timezones as well as "local",
-# which sets the timezone in the container to match the host machine.
-#
-#tz = ""
-
-# Set umask inside the container
-#
-#umask = "0022"
-
-# Default way to to create a User namespace for the container
-# Options are:
-# `auto` Create unique User Namespace for the container.
-# `host` Share host User Namespace with the container.
-#
-#userns = "host"
-
-# Number of UIDs to allocate for the automatic container creation.
-# UIDs are allocated from the "container" UIDs listed in
-# /etc/subuid & /etc/subgid
-#
-#userns_size = 65536
-
-# Default way to to create a UTS namespace for the container
-# Options are:
-# `private` Create private UTS Namespace for the container.
-# `host` Share host UTS Namespace with the container.
-#
-#utsns = "private"
-
-# List of volumes. Specified as
-# "<directory-on-host>:<directory-in-container>:<options>", for example:
-# "/db:/var/lib/db:ro".
-# If it is empty or commented out, no volumes will be added
-#
-#volumes = []
-
-[secrets]
-#driver = "file"
-
-[secrets.opts]
-#root = "/example/directory"
-
-[network]
-
-# Network backend determines what network driver will be used to set up and tear down container networks.
-# Valid values are "cni" and "netavark".
-# The default value is empty which means that it will automatically choose CNI or netavark. If there are
-# already containers/images or CNI networks preset it will choose CNI.
-#
-# Before changing this value all containers must be stopped otherwise it is likely that
-# iptables rules and network interfaces might leak on the host. A reboot will fix this.
-#
-network_backend = "netavark"
-
-# Path to directory where CNI plugin binaries are located.
-#
-#cni_plugin_dirs = [
-# "/usr/local/libexec/cni",
-# "/usr/libexec/cni",
-# "/usr/local/lib/cni",
-# "/usr/lib/cni",
-# "/opt/cni/bin",
-#]
-
-# The network name of the default network to attach pods to.
-#
-#default_network = "podman"
-
-# The default subnet for the default network given in default_network.
-# If a network with that name does not exist, a new network using that name and
-# this subnet will be created.
-# Must be a valid IPv4 CIDR prefix.
-#
-#default_subnet = "10.88.0.0/16"
-
-# DefaultSubnetPools is a list of subnets and size which are used to
-# allocate subnets automatically for podman network create.
-# It will iterate through the list and will pick the first free subnet
-# with the given size. This is only used for ipv4 subnets, ipv6 subnets
-# are always assigned randomly.
-#
-#default_subnet_pools = [
-# {"base" = "10.89.0.0/16", "size" = 24},
-# {"base" = "10.90.0.0/15", "size" = 24},
-# {"base" = "10.92.0.0/14", "size" = 24},
-# {"base" = "10.96.0.0/11", "size" = 24},
-# {"base" = "10.128.0.0/9", "size" = 24},
-#]
-
-# Path to the directory where network configuration files are located.
-# For the CNI backend the default is "/etc/cni/net.d" as root
-# and "$HOME/.config/cni/net.d" as rootless.
-# For the netavark backend "/etc/containers/networks" is used as root
-# and "$graphroot/networks" as rootless.
-#
-#network_config_dir = "/etc/cni/net.d/"
-
-# Port to use for dns forwarding daemon with netavark in rootful bridge
-# mode and dns enabled.
-# Using an alternate port might be useful if other dns services should
-# run on the machine.
-#
-#dns_bind_port = 53
-
-[engine]
-# Index to the active service
-#
-#active_service = production
-
-# The compression format to use when pushing an image.
-# Valid options are: `gzip`, `zstd` and `zstd:chunked`.
-#
-#compression_format = "gzip"
-
-
-# Cgroup management implementation used for the runtime.
-# Valid options "systemd" or "cgroupfs"
-#
-#cgroup_manager = "systemd"
-
-# Environment variables to pass into conmon
-#
-#conmon_env_vars = [
-# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-#]
-
-# Paths to look for the conmon container manager binary
-#
-#conmon_path = [
-# "/usr/libexec/podman/conmon",
-# "/usr/local/libexec/podman/conmon",
-# "/usr/local/lib/podman/conmon",
-# "/usr/bin/conmon",
-# "/usr/sbin/conmon",
-# "/usr/local/bin/conmon",
-# "/usr/local/sbin/conmon"
-#]
-
-# Enforces using docker.io for completing short names in Podman's compatibility
-# REST API. Note that this will ignore unqualified-search-registries and
-# short-name aliases defined in containers-registries.conf(5).
-#compat_api_enforce_docker_hub = true
-
-# Specify the keys sequence used to detach a container.
-# Format is a single character [a-Z] or a comma separated sequence of
-# `ctrl-<value>`, where `<value>` is one of:
-# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
-#
-#detach_keys = "ctrl-p,ctrl-q"
-
-# Determines whether engine will reserve ports on the host when they are
-# forwarded to containers. When enabled, when ports are forwarded to containers,
-# ports are held open by as long as the container is running, ensuring that
-# they cannot be reused by other programs on the host. However, this can cause
-# significant memory usage if a container has many ports forwarded to it.
-# Disabling this can save memory.
-#
-#enable_port_reservation = true
-
-# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
-# For example "http_proxy=internal.proxy.company.com".
-# Note these environment variables will not be used within the container.
-# Set the env section under [containers] table, if you want to set environment variables for the container.
-#
-#env = []
-
-# Define where event logs will be stored, when events_logger is "file".
-#events_logfile_path=""
-
-# Sets the maximum size for events_logfile_path.
-# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
-# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
-# If no unit is included then the size will be read in bytes.
-# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
-# If the maximum size is set to 0, then no limit will be applied,
-# and the logfile will not be rotated.
-#events_logfile_max_size = "1m"
-
-# Selects which logging mechanism to use for container engine events.
-# Valid values are `journald`, `file` and `none`.
-#
-#events_logger = "journald"
-
-# A is a list of directories which are used to search for helper binaries.
-#
-#helper_binaries_dir = [
-# "/usr/local/libexec/podman",
-# "/usr/local/lib/podman",
-# "/usr/libexec/podman",
-# "/usr/lib/podman",
-#]
-
-# Path to OCI hooks directories for automatically executed hooks.
-#
-#hooks_dir = [
-# "/usr/share/containers/oci/hooks.d",
-#]
-
-# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
-# container images. By default image pulled and pushed match the format of the
-# source image. Building/committing defaults to OCI.
-#
-#image_default_format = ""
-
-# Default transport method for pulling and pushing for images
-#
-#image_default_transport = "docker://"
-
-# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
-# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
-#
-#image_parallel_copies = 0
-
-# Tells container engines how to handle the builtin image volumes.
-# * bind: An anonymous named volume will be created and mounted
-# into the container.
-# * tmpfs: The volume is mounted onto the container as a tmpfs,
-# which allows users to create content that disappears when
-# the container is stopped.
-# * ignore: All volumes are just ignored and no action is taken.
-#
-#image_volume_mode = ""
-
-# Default command to run the infra container
-#
-#infra_command = "/pause"
-
-# Infra (pause) container image name for pod infra containers. When running a
-# pod, we start a `pause` process in a container to hold open the namespaces
-# associated with the pod. This container does nothing other then sleep,
-# reserving the pods resources for the lifetime of the pod. By default container
-# engines run a builtin container using the pause executable. If you want override
-# specify an image to pull.
-#
-#infra_image = ""
-
-# Specify the locking mechanism to use; valid values are "shm" and "file".
-# Change the default only if you are sure of what you are doing, in general
-# "file" is useful only on platforms where cgo is not available for using the
-# faster "shm" lock type. You may need to run "podman system renumber" after
-# you change the lock type.
-#
-#lock_type** = "shm"
-
-# MultiImageArchive - if true, the container engine allows for storing archives
-# (e.g., of the docker-archive transport) with multiple images. By default,
-# Podman creates single-image archives.
-#
-#multi_image_archive = "false"
-
-# Default engine namespace
-# If engine is joined to a namespace, it will see only containers and pods
-# that were created in the same namespace, and will create new containers and
-# pods in that namespace.
-# The default namespace is "", which corresponds to no namespace. When no
-# namespace is set, all containers and pods are visible.
-#
-#namespace = ""
-
-# Path to the slirp4netns binary
-#
-#network_cmd_path = ""
-
-# Default options to pass to the slirp4netns binary.
-# Valid options values are:
-#
-# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).
-# Default is false.
-# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).
-# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
-# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).
-# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
-# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
-# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
-# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
-# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
-# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container
-# network namespace, usually `10.0.2.100`. If your application requires the real source IP address,
-# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for
-# rootless containers when connected to user-defined networks.
-# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but
-# preserves the correct source IP address. This port handler cannot be used for user-defined networks.
-#
-#network_cmd_options = []
-
-# Whether to use chroot instead of pivot_root in the runtime
-#
-#no_pivot_root = false
-
-# Number of locks available for containers and pods.
-# If this is changed, a lock renumber must be performed (e.g. with the
-# 'podman system renumber' command).
-#
-#num_locks = 2048
-
-# Set the exit policy of the pod when the last container exits.
-#pod_exit_policy = "continue"
-
-# Whether to pull new image before running a container
-#
-#pull_policy = "missing"
-
-# Indicates whether the application should be running in remote mode. This flag modifies the
-# --remote option on container engines. Setting the flag to true will default
-# `podman --remote=true` for access to the remote Podman service.
-#
-#remote = false
-
-# Default OCI runtime
-#
-#runtime = "crun"
-
-# List of the OCI runtimes that support --format=json. When json is supported
-# engine will use it for reporting nicer errors.
-#
-#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]
-
-# List of the OCI runtimes that supports running containers with KVM Separation.
-#
-#runtime_supports_kvm = ["kata", "krun"]
-
-# List of the OCI runtimes that supports running containers without cgroups.
-#
-#runtime_supports_nocgroups = ["crun", "krun"]
-
-# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment
-# variable. If you specify "storage", then the location of the
-# container/storage tmp directory will be used.
-# image_copy_tmp_dir="/var/tmp"
-
-# Number of seconds to wait without a connection
-# before the `podman system service` times out and exits
-#
-#service_timeout = 5
-
-# Directory for persistent engine files (database, etc)
-# By default, this will be configured relative to where the containers/storage
-# stores containers
-# Uncomment to change location from this default
-#
-#static_dir = "/var/lib/containers/storage/libpod"
-
-# Number of seconds to wait for container to exit before sending kill signal.
-#
-#stop_timeout = 10
-
-# Number of seconds to wait before exit command in API process is given to.
-# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).
-#
-#exit_command_delay = 300
-
-# map of service destinations
-#
-#[service_destinations]
-# [service_destinations.production]
-# URI to access the Podman service
-# Examples:
-# rootless "unix://run/user/$UID/podman/podman.sock" (Default)
-# rootful "unix://run/podman/podman.sock (Default)
-# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
-# remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock
-#
-# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
-# Path to file containing ssh identity key
-# identity = "~/.ssh/id_rsa"
-
-# Directory for temporary files. Must be tmpfs (wiped after reboot)
-#
-#tmp_dir = "/run/libpod"
-
-# Directory for libpod named volumes.
-# By default, this will be configured relative to where containers/storage
-# stores containers.
-# Uncomment to change location from this default.
-#
-#volume_path = "/var/lib/containers/storage/volumes"
-
-# Default timeout (in seconds) for volume plugin operations.
-# Plugins are external programs accessed via a REST API; this sets a timeout
-# for requests to that API.
-# A value of 0 is treated as no timeout.
-#volume_plugin_timeout = 5
-
-# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
-[engine.runtimes]
-#crun = [
-# "/usr/bin/crun",
-# "/usr/sbin/crun",
-# "/usr/local/bin/crun",
-# "/usr/local/sbin/crun",
-# "/sbin/crun",
-# "/bin/crun",
-# "/run/current-system/sw/bin/crun",
-#]
-
-#kata = [
-# "/usr/bin/kata-runtime",
-# "/usr/sbin/kata-runtime",
-# "/usr/local/bin/kata-runtime",
-# "/usr/local/sbin/kata-runtime",
-# "/sbin/kata-runtime",
-# "/bin/kata-runtime",
-# "/usr/bin/kata-qemu",
-# "/usr/bin/kata-fc",
-#]
-
-#runc = [
-# "/usr/bin/runc",
-# "/usr/sbin/runc",
-# "/usr/local/bin/runc",
-# "/usr/local/sbin/runc",
-# "/sbin/runc",
-# "/bin/runc",
-# "/usr/lib/cri-o-runc/sbin/runc",
-#]
-
-#runsc = [
-# "/usr/bin/runsc",
-# "/usr/sbin/runsc",
-# "/usr/local/bin/runsc",
-# "/usr/local/sbin/runsc",
-# "/bin/runsc",
-# "/sbin/runsc",
-# "/run/current-system/sw/bin/runsc",
-#]
-
-#krun = [
-# "/usr/bin/krun",
-# "/usr/local/bin/krun",
-#]
-
-[engine.volume_plugins]
-#testplugin = "/run/podman/plugins/test.sock"
-
-[machine]
-# Number of CPU's a machine is created with.
-#
-#cpus=1
-
-# The size of the disk in GB created when init-ing a podman-machine VM.
-#
-#disk_size=10
-
-# Default image URI when creating a new VM using `podman machine init`.
-# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major
-# version of the OS (e.g `36`) for Fedora 36. For all platforms you can
-# alternatively specify a custom download URL to an image. Container engines
-# translate URIs $OS and $ARCH to the native OS and ARCH. URI
-# "https://example.com/$OS/$ARCH/foobar.ami" becomes
-# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
-# The default value is `testing`.
-#
-# image = "testing"
-
-# Memory in MB a machine is created with.
-#
-#memory=2048
-
-# The username to use and create on the podman machine OS for rootless
-# container access.
-#
-#user = "core"
-
-# Host directories to be mounted as volumes into the VM by default.
-# Environment variables like $HOME as well as complete paths are supported for
-# the source and destination. An optional third field `:ro` can be used to
-# tell the container engines to mount the volume readonly.
-#
-# volumes = [
-# "$HOME:$HOME",
-#]
-
-# The [machine] table MUST be the last entry in this file.
-# (Unless another table is added)
-# TOML does not provide a way to end a table other than a further table being
-# defined, so every key hereafter will be part of [machine] and not the
-# main config.
+### Autogenerated by container.py ###
+
+# The containers configuration file specifies all of the available configuration
+# command-line options/flags for container engine tools like Podman & Buildah,
+# but in a TOML format that can be easily modified and versioned.
+
+# Please refer to containers.conf(5) for details of all configuration options.
+# Not all container engines implement all of the options.
+# All of the options have hard coded defaults and these options will override
+# the built in defaults. Users can then override these options via the command
+# line. Container engines will read containers.conf files in up to three
+# locations in the following order:
+# 1. /usr/share/containers/containers.conf
+# 2. /etc/containers/containers.conf
+# 3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)
+# Items specified in the latter containers.conf, if they exist, override the
+# previous containers.conf settings, or the default settings.
+
+[containers]
+
+# List of annotation. Specified as
+# "key = value"
+# If it is empty or commented out, no annotations will be added
+#
+#annotations = []
+
+# Used to change the name of the default AppArmor profile of container engine.
+#
+#apparmor_profile = "container-default"
+
+# The hosts entries from the base hosts file are added to the containers hosts
+# file. This must be either an absolute path or as special values "image" which
+# uses the hosts file from the container image or "none" which means
+# no base hosts file is used. The default is "" which will use /etc/hosts.
+#
+#base_hosts_file = ""
+
+# Default way to to create a cgroup namespace for the container
+# Options are:
+# `private` Create private Cgroup Namespace for the container.
+# `host` Share host Cgroup Namespace with the container.
+#
+#cgroupns = "private"
+
+# Control container cgroup configuration
+# Determines whether the container will create CGroups.
+# Options are:
+# `enabled` Enable cgroup support within container
+# `disabled` Disable cgroup support, will inherit cgroups from parent
+# `no-conmon` Do not create a cgroup dedicated to conmon.
+#
+#cgroups = "enabled"
+
+# List of default capabilities for containers. If it is empty or commented out,
+# the default capabilities defined in the container engine will be added.
+#
+default_capabilities = [
+ "CHOWN",
+ "DAC_OVERRIDE",
+ "FOWNER",
+ "FSETID",
+ "KILL",
+ "NET_BIND_SERVICE",
+ "SETFCAP",
+ "SETGID",
+ "SETPCAP",
+ "SETUID",
+ "SYS_CHROOT"
+]
+
+# A list of sysctls to be set in containers by default,
+# specified as "name=value",
+# for example:"net.ipv4.ping_group_range=0 0".
+#
+default_sysctls = [
+ "net.ipv4.ping_group_range=0 0",
+]
+
+# A list of ulimits to be set in containers by default, specified as
+# "<ulimit name>=<soft limit>:<hard limit>", for example:
+# "nofile=1024:2048"
+# See setrlimit(2) for a list of resource names.
+# Any limit not specified here will be inherited from the process launching the
+# container engine.
+# Ulimits has limits for non privileged container engines.
+#
+#default_ulimits = [
+# "nofile=1280:2560",
+#]
+
+# List of devices. Specified as
+# "<device-on-host>:<device-on-container>:<permissions>", for example:
+# "/dev/sdc:/dev/xvdc:rwm".
+# If it is empty or commented out, only the default devices will be used
+#
+#devices = []
+
+# List of default DNS options to be added to /etc/resolv.conf inside of the container.
+#
+#dns_options = []
+
+# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.
+#
+#dns_searches = []
+
+# Set default DNS servers.
+# This option can be used to override the DNS configuration passed to the
+# container. The special value "none" can be specified to disable creation of
+# /etc/resolv.conf in the container.
+# The /etc/resolv.conf file in the image will be used without changes.
+#
+#dns_servers = []
+
+# Environment variable list for the conmon process; used for passing necessary
+# environment variables to conmon or the runtime.
+#
+#env = [
+# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+# "TERM=xterm",
+#]
+
+# Pass all host environment variables into the container.
+#
+#env_host = false
+
+# Set the ip for the host.containers.internal entry in the containers /etc/hosts
+# file. This can be set to "none" to disable adding this entry. By default it
+# will automatically choose the host ip.
+#
+# NOTE: When using podman machine this entry will never be added to the containers
+# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
+# it is not possible to disable the entry in this case.
+#
+#host_containers_internal_ip = ""
+
+# Default proxy environment variables passed into the container.
+# The environment variables passed in include:
+# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
+# these. This option is needed when host system uses a proxy but container
+# should not use proxy. Proxy environment variables specified for the container
+# in any other way will override the values passed from the host.
+#
+#http_proxy = true
+
+# Run an init inside the container that forwards signals and reaps processes.
+#
+#init = false
+
+# Container init binary, if init=true, this is the init binary to be used for containers.
+#
+#init_path = "/usr/libexec/podman/catatonit"
+
+# Default way to to create an IPC namespace (POSIX SysV IPC) for the container
+# Options are:
+# "host" Share host IPC Namespace with the container.
+# "none" Create shareable IPC Namespace for the container without a private /dev/shm.
+# "private" Create private IPC Namespace for the container, other containers are not allowed to share it.
+# "shareable" Create shareable IPC Namespace for the container.
+#
+#ipcns = "shareable"
+
+# keyring tells the container engine whether to create
+# a kernel keyring for use within the container.
+#
+#keyring = true
+
+# label tells the container engine whether to use container separation using
+# MAC(SELinux) labeling or not.
+# The label flag is ignored on label disabled systems.
+#
+#label = true
+
+# Logging driver for the container. Available options: k8s-file and journald.
+#
+#log_driver = "k8s-file"
+
+# Maximum size allowed for the container log file. Negative numbers indicate
+# that no size limit is imposed. If positive, it must be >= 8192 to match or
+# exceed conmon's read buffer. The file is truncated and re-opened so the
+# limit is never exceeded.
+#
+#log_size_max = -1
+
+# Specifies default format tag for container log messages.
+# This is useful for creating a specific tag for container log messages.
+# Containers logs default to truncated container ID as a tag.
+#
+#log_tag = ""
+
+# Default way to to create a Network namespace for the container
+# Options are:
+# `private` Create private Network Namespace for the container.
+# `host` Share host Network Namespace with the container.
+# `none` Containers do not use the network
+#
+#netns = "private"
+
+# Create /etc/hosts for the container. By default, container engine manage
+# /etc/hosts, automatically adding the container's own IP address.
+#
+#no_hosts = false
+
+# Default way to to create a PID namespace for the container
+# Options are:
+# `private` Create private PID Namespace for the container.
+# `host` Share host PID Namespace with the container.
+#
+#pidns = "private"
+
+# Maximum number of processes allowed in a container.
+#
+#pids_limit = 2048
+
+# Copy the content from the underlying image into the newly created volume
+# when the container is created instead of when it is started. If false,
+# the container engine will not copy the content until the container is started.
+# Setting it to true may have negative performance implications.
+#
+#prepare_volume_on_create = false
+
+# Path to the seccomp.json profile which is used as the default seccomp profile
+# for the runtime.
+#
+#seccomp_profile = "/usr/share/containers/seccomp.json"
+
+# Size of /dev/shm. Specified as <number><unit>.
+# Unit is optional, values:
+# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# If the unit is omitted, the system uses bytes.
+#
+#shm_size = "65536k"
+
+# Set timezone in container. Takes IANA timezones as well as "local",
+# which sets the timezone in the container to match the host machine.
+#
+#tz = ""
+
+# Set umask inside the container
+#
+#umask = "0022"
+
+# Default way to to create a User namespace for the container
+# Options are:
+# `auto` Create unique User Namespace for the container.
+# `host` Share host User Namespace with the container.
+#
+#userns = "host"
+
+# Number of UIDs to allocate for the automatic container creation.
+# UIDs are allocated from the "container" UIDs listed in
+# /etc/subuid & /etc/subgid
+#
+#userns_size = 65536
+
+# Default way to to create a UTS namespace for the container
+# Options are:
+# `private` Create private UTS Namespace for the container.
+# `host` Share host UTS Namespace with the container.
+#
+#utsns = "private"
+
+# List of volumes. Specified as
+# "<directory-on-host>:<directory-in-container>:<options>", for example:
+# "/db:/var/lib/db:ro".
+# If it is empty or commented out, no volumes will be added
+#
+#volumes = []
+
+[secrets]
+#driver = "file"
+
+[secrets.opts]
+#root = "/example/directory"
+
+[network]
+
+# Network backend determines what network driver will be used to set up and tear down container networks.
+# Valid values are "cni" and "netavark".
+# The default value is empty which means that it will automatically choose CNI or netavark. If there are
+# already containers/images or CNI networks preset it will choose CNI.
+#
+# Before changing this value all containers must be stopped otherwise it is likely that
+# iptables rules and network interfaces might leak on the host. A reboot will fix this.
+#
+network_backend = "netavark"
+
+# Path to directory where CNI plugin binaries are located.
+#
+#cni_plugin_dirs = [
+# "/usr/local/libexec/cni",
+# "/usr/libexec/cni",
+# "/usr/local/lib/cni",
+# "/usr/lib/cni",
+# "/opt/cni/bin",
+#]
+
+# The network name of the default network to attach pods to.
+#
+#default_network = "podman"
+
+# The default subnet for the default network given in default_network.
+# If a network with that name does not exist, a new network using that name and
+# this subnet will be created.
+# Must be a valid IPv4 CIDR prefix.
+#
+#default_subnet = "10.88.0.0/16"
+
+# DefaultSubnetPools is a list of subnets and size which are used to
+# allocate subnets automatically for podman network create.
+# It will iterate through the list and will pick the first free subnet
+# with the given size. This is only used for ipv4 subnets, ipv6 subnets
+# are always assigned randomly.
+#
+#default_subnet_pools = [
+# {"base" = "10.89.0.0/16", "size" = 24},
+# {"base" = "10.90.0.0/15", "size" = 24},
+# {"base" = "10.92.0.0/14", "size" = 24},
+# {"base" = "10.96.0.0/11", "size" = 24},
+# {"base" = "10.128.0.0/9", "size" = 24},
+#]
+
+# Path to the directory where network configuration files are located.
+# For the CNI backend the default is "/etc/cni/net.d" as root
+# and "$HOME/.config/cni/net.d" as rootless.
+# For the netavark backend "/etc/containers/networks" is used as root
+# and "$graphroot/networks" as rootless.
+#
+#network_config_dir = "/etc/cni/net.d/"
+
+# Port to use for dns forwarding daemon with netavark in rootful bridge
+# mode and dns enabled.
+# Using an alternate port might be useful if other dns services should
+# run on the machine.
+#
+#dns_bind_port = 53
+
+[engine]
+# Index to the active service
+#
+#active_service = production
+
+# The compression format to use when pushing an image.
+# Valid options are: `gzip`, `zstd` and `zstd:chunked`.
+#
+#compression_format = "gzip"
+
+
+# Cgroup management implementation used for the runtime.
+# Valid options "systemd" or "cgroupfs"
+#
+#cgroup_manager = "systemd"
+
+# Environment variables to pass into conmon
+#
+#conmon_env_vars = [
+# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+#]
+
+# Paths to look for the conmon container manager binary
+#
+#conmon_path = [
+# "/usr/libexec/podman/conmon",
+# "/usr/local/libexec/podman/conmon",
+# "/usr/local/lib/podman/conmon",
+# "/usr/bin/conmon",
+# "/usr/sbin/conmon",
+# "/usr/local/bin/conmon",
+# "/usr/local/sbin/conmon"
+#]
+
+# Enforces using docker.io for completing short names in Podman's compatibility
+# REST API. Note that this will ignore unqualified-search-registries and
+# short-name aliases defined in containers-registries.conf(5).
+#compat_api_enforce_docker_hub = true
+
+# Specify the keys sequence used to detach a container.
+# Format is a single character [a-Z] or a comma separated sequence of
+# `ctrl-<value>`, where `<value>` is one of:
+# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
+#
+#detach_keys = "ctrl-p,ctrl-q"
+
+# Determines whether engine will reserve ports on the host when they are
+# forwarded to containers. When enabled, when ports are forwarded to containers,
+# ports are held open by as long as the container is running, ensuring that
+# they cannot be reused by other programs on the host. However, this can cause
+# significant memory usage if a container has many ports forwarded to it.
+# Disabling this can save memory.
+#
+#enable_port_reservation = true
+
+# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
+# For example "http_proxy=internal.proxy.company.com".
+# Note these environment variables will not be used within the container.
+# Set the env section under [containers] table, if you want to set environment variables for the container.
+#
+#env = []
+
+# Define where event logs will be stored, when events_logger is "file".
+#events_logfile_path=""
+
+# Sets the maximum size for events_logfile_path.
+# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
+# If no unit is included then the size will be read in bytes.
+# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
+# If the maximum size is set to 0, then no limit will be applied,
+# and the logfile will not be rotated.
+#events_logfile_max_size = "1m"
+
+# Selects which logging mechanism to use for container engine events.
+# Valid values are `journald`, `file` and `none`.
+#
+#events_logger = "journald"
+
+# A is a list of directories which are used to search for helper binaries.
+#
+#helper_binaries_dir = [
+# "/usr/local/libexec/podman",
+# "/usr/local/lib/podman",
+# "/usr/libexec/podman",
+# "/usr/lib/podman",
+#]
+
+# Path to OCI hooks directories for automatically executed hooks.
+#
+#hooks_dir = [
+# "/usr/share/containers/oci/hooks.d",
+#]
+
+# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
+# container images. By default image pulled and pushed match the format of the
+# source image. Building/committing defaults to OCI.
+#
+#image_default_format = ""
+
+# Default transport method for pulling and pushing for images
+#
+#image_default_transport = "docker://"
+
+# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+#
+#image_parallel_copies = 0
+
+# Tells container engines how to handle the builtin image volumes.
+# * bind: An anonymous named volume will be created and mounted
+# into the container.
+# * tmpfs: The volume is mounted onto the container as a tmpfs,
+# which allows users to create content that disappears when
+# the container is stopped.
+# * ignore: All volumes are just ignored and no action is taken.
+#
+#image_volume_mode = ""
+
+# Default command to run the infra container
+#
+#infra_command = "/pause"
+
+# Infra (pause) container image name for pod infra containers. When running a
+# pod, we start a `pause` process in a container to hold open the namespaces
+# associated with the pod. This container does nothing other then sleep,
+# reserving the pods resources for the lifetime of the pod. By default container
+# engines run a builtin container using the pause executable. If you want override
+# specify an image to pull.
+#
+#infra_image = ""
+
+# Specify the locking mechanism to use; valid values are "shm" and "file".
+# Change the default only if you are sure of what you are doing, in general
+# "file" is useful only on platforms where cgo is not available for using the
+# faster "shm" lock type. You may need to run "podman system renumber" after
+# you change the lock type.
+#
+#lock_type** = "shm"
+
+# MultiImageArchive - if true, the container engine allows for storing archives
+# (e.g., of the docker-archive transport) with multiple images. By default,
+# Podman creates single-image archives.
+#
+#multi_image_archive = "false"
+
+# Default engine namespace
+# If engine is joined to a namespace, it will see only containers and pods
+# that were created in the same namespace, and will create new containers and
+# pods in that namespace.
+# The default namespace is "", which corresponds to no namespace. When no
+# namespace is set, all containers and pods are visible.
+#
+#namespace = ""
+
+# Path to the slirp4netns binary
+#
+#network_cmd_path = ""
+
+# Default options to pass to the slirp4netns binary.
+# Valid options values are:
+#
+# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).
+# Default is false.
+# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).
+# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
+# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).
+# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
+# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
+# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
+# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
+# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
+# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container
+# network namespace, usually `10.0.2.100`. If your application requires the real source IP address,
+# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for
+# rootless containers when connected to user-defined networks.
+# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but
+# preserves the correct source IP address. This port handler cannot be used for user-defined networks.
+#
+#network_cmd_options = []
+
+# Whether to use chroot instead of pivot_root in the runtime
+#
+#no_pivot_root = false
+
+# Number of locks available for containers and pods.
+# If this is changed, a lock renumber must be performed (e.g. with the
+# 'podman system renumber' command).
+#
+#num_locks = 2048
+
+# Set the exit policy of the pod when the last container exits.
+#pod_exit_policy = "continue"
+
+# Whether to pull new image before running a container
+#
+#pull_policy = "missing"
+
+# Indicates whether the application should be running in remote mode. This flag modifies the
+# --remote option on container engines. Setting the flag to true will default
+# `podman --remote=true` for access to the remote Podman service.
+#
+#remote = false
+
+# Default OCI runtime
+#
+#runtime = "crun"
+
+# List of the OCI runtimes that support --format=json. When json is supported
+# engine will use it for reporting nicer errors.
+#
+#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]
+
+# List of the OCI runtimes that supports running containers with KVM Separation.
+#
+#runtime_supports_kvm = ["kata", "krun"]
+
+# List of the OCI runtimes that supports running containers without cgroups.
+#
+#runtime_supports_nocgroups = ["crun", "krun"]
+
+# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment
+# variable. If you specify "storage", then the location of the
+# container/storage tmp directory will be used.
+# image_copy_tmp_dir="/var/tmp"
+
+# Number of seconds to wait without a connection
+# before the `podman system service` times out and exits
+#
+#service_timeout = 5
+
+# Directory for persistent engine files (database, etc)
+# By default, this will be configured relative to where the containers/storage
+# stores containers
+# Uncomment to change location from this default
+#
+#static_dir = "/var/lib/containers/storage/libpod"
+
+# Number of seconds to wait for container to exit before sending kill signal.
+#
+#stop_timeout = 10
+
+# Number of seconds to wait before exit command in API process is given to.
+# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).
+#
+#exit_command_delay = 300
+
+# map of service destinations
+#
+#[service_destinations]
+# [service_destinations.production]
+# URI to access the Podman service
+# Examples:
+# rootless "unix://run/user/$UID/podman/podman.sock" (Default)
+# rootful "unix://run/podman/podman.sock (Default)
+# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
+# remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock
+#
+# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
+# Path to file containing ssh identity key
+# identity = "~/.ssh/id_rsa"
+
+# Directory for temporary files. Must be tmpfs (wiped after reboot)
+#
+#tmp_dir = "/run/libpod"
+
+# Directory for libpod named volumes.
+# By default, this will be configured relative to where containers/storage
+# stores containers.
+# Uncomment to change location from this default.
+#
+#volume_path = "/var/lib/containers/storage/volumes"
+
+# Default timeout (in seconds) for volume plugin operations.
+# Plugins are external programs accessed via a REST API; this sets a timeout
+# for requests to that API.
+# A value of 0 is treated as no timeout.
+#volume_plugin_timeout = 5
+
+# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
+[engine.runtimes]
+#crun = [
+# "/usr/bin/crun",
+# "/usr/sbin/crun",
+# "/usr/local/bin/crun",
+# "/usr/local/sbin/crun",
+# "/sbin/crun",
+# "/bin/crun",
+# "/run/current-system/sw/bin/crun",
+#]
+
+#kata = [
+# "/usr/bin/kata-runtime",
+# "/usr/sbin/kata-runtime",
+# "/usr/local/bin/kata-runtime",
+# "/usr/local/sbin/kata-runtime",
+# "/sbin/kata-runtime",
+# "/bin/kata-runtime",
+# "/usr/bin/kata-qemu",
+# "/usr/bin/kata-fc",
+#]
+
+#runc = [
+# "/usr/bin/runc",
+# "/usr/sbin/runc",
+# "/usr/local/bin/runc",
+# "/usr/local/sbin/runc",
+# "/sbin/runc",
+# "/bin/runc",
+# "/usr/lib/cri-o-runc/sbin/runc",
+#]
+
+#runsc = [
+# "/usr/bin/runsc",
+# "/usr/sbin/runsc",
+# "/usr/local/bin/runsc",
+# "/usr/local/sbin/runsc",
+# "/bin/runsc",
+# "/sbin/runsc",
+# "/run/current-system/sw/bin/runsc",
+#]
+
+#krun = [
+# "/usr/bin/krun",
+# "/usr/local/bin/krun",
+#]
+
+[engine.volume_plugins]
+#testplugin = "/run/podman/plugins/test.sock"
+
+[machine]
+# Number of CPU's a machine is created with.
+#
+#cpus=1
+
+# The size of the disk in GB created when init-ing a podman-machine VM.
+#
+#disk_size=10
+
+# Default image URI when creating a new VM using `podman machine init`.
+# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major
+# version of the OS (e.g `36`) for Fedora 36. For all platforms you can
+# alternatively specify a custom download URL to an image. Container engines
+# translate URIs $OS and $ARCH to the native OS and ARCH. URI
+# "https://example.com/$OS/$ARCH/foobar.ami" becomes
+# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
+# The default value is `testing`.
+#
+# image = "testing"
+
+# Memory in MB a machine is created with.
+#
+#memory=2048
+
+# The username to use and create on the podman machine OS for rootless
+# container access.
+#
+#user = "core"
+
+# Host directories to be mounted as volumes into the VM by default.
+# Environment variables like $HOME as well as complete paths are supported for
+# the source and destination. An optional third field `:ro` can be used to
+# tell the container engines to mount the volume readonly.
+#
+# volumes = [
+# "$HOME:$HOME",
+#]
+
+# The [machine] table MUST be the last entry in this file.
+# (Unless another table is added)
+# TOML does not provide a way to end a table other than a further table being
+# defined, so every key hereafter will be part of [machine] and not the
+# main config.
diff --git a/data/templates/dhcp-client/ipv4.j2 b/data/templates/dhcp-client/ipv4.j2
index cc5ddf09c..77905e054 100644
--- a/data/templates/dhcp-client/ipv4.j2
+++ b/data/templates/dhcp-client/ipv4.j2
@@ -9,14 +9,30 @@ interface "{{ ifname }}" {
send host-name "{{ dhcp_options.host_name }}";
{% if dhcp_options.client_id is vyos_defined %}
{% set client_id = dhcp_options.client_id %}
-{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. If not HEX, use double quotes ASCII format #}
-{% if not dhcp_options.client_id.split(':') | length >= 5 %}
-{% set client_id = '"' + dhcp_options.client_id + '"' %}
+{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{# If not HEX, use double quotes ASCII format #}
+{% if not client_id.split(':') | length >= 3 %}
+{% set client_id = '"' ~ dhcp_options.client_id ~ '"' %}
{% endif %}
send dhcp-client-identifier {{ client_id }};
{% endif %}
{% if dhcp_options.vendor_class_id is vyos_defined %}
- send vendor-class-identifier "{{ dhcp_options.vendor_class_id }}";
+{% set vendor_class_id = dhcp_options.vendor_class_id %}
+{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{# If not HEX, use double quotes ASCII format #}
+{% if not vendor_class_id.split(':') | length >= 3 %}
+{% set vendor_class_id = '"' ~ dhcp_options.vendor_class_id ~ '"' %}
+{% endif %}
+ send vendor-class-identifier {{ vendor_class_id }};
+{% endif %}
+{% if dhcp_options.user_class is vyos_defined %}
+{% set user_class = dhcp_options.user_class %}
+{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{# If not HEX, use double quotes ASCII format #}
+{% if not user_class.split(':') | length >= 3 %}
+{% set user_class = '"' ~ dhcp_options.user_class ~ '"' %}
+{% endif %}
+ send user-class {{ user_class }};
{% endif %}
# The request statement causes the client to request that any server responding to the
# client send the client its values for the specified options.
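Review bot: The ASCII branch at L2451, L2461 and L2470 wraps the value in double quotes without escaping, so a client-id, vendor-class-id or user-class containing `"` or a backslash renders a malformed dhclient.conf instead of being rejected; unless the config script already restricts these strings, validate them in its verify step, or escape here with `{% set user_class = '"' ~ (dhcp_options.user_class | replace('\\', '\\\\') | replace('"', '\\"')) ~ '"' %}` provided dhclient's string lexer honours backslash escapes — confirm before relying on it. The `split(':') | length >= 3` test is a heuristic: any value with two or more colons is emitted unquoted as hex, so a plain identifier like `a:b:c` would be rejected by dhclient, and the rule deserves one stating comment. The three blocks are copies, and the copied comment still says "client-id" in the vendor-class and user-class blocks; `{# Values that look like colon-separated hex are emitted raw, anything else is quoted as ASCII #}` fits all three, or fold them into one macro. The enclosing `interface` block begins before the hunk.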
diff --git a/data/templates/dhcp-relay/dhcrelay.conf.j2 b/data/templates/dhcp-relay/dhcrelay.conf.j2
index c26c263fd..71a395454 100644
--- a/data/templates/dhcp-relay/dhcrelay.conf.j2
+++ b/data/templates/dhcp-relay/dhcrelay.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by dhcp_relay.py ###
+### Autogenerated by service_dhcp-relay.py ###
{% set max_size = '-A ' ~ relay_options.max_size if relay_options.max_size is vyos_defined %}
{# hop_count and relay_agents_packets is a default option, thus it is always present #}
@@ -6,4 +6,4 @@
OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -i {{ interface | join(' -i ') }} {{ server | join(' ') }}"
{% else %}
OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -id {{ listen_interface | join(' -id ') }} -iu {{ upstream_interface | join(' -iu ') }} {{ server | join(' ') }}"
-{% endif %} \ No newline at end of file
+{% endif %}
diff --git a/data/templates/dhcp-relay/dhcrelay6.conf.j2 b/data/templates/dhcp-relay/dhcrelay6.conf.j2
index 6365346b4..25f7671b3 100644
--- a/data/templates/dhcp-relay/dhcrelay6.conf.j2
+++ b/data/templates/dhcp-relay/dhcrelay6.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by dhcpv6_relay.py ###
+### Autogenerated by service_dhcpv6-relay.py ###
{# upstream_interface is mandatory so it's always present #}
{% set upstream = namespace(value='') %}
@@ -18,4 +18,3 @@
{% endfor %}
OPTIONS="{{ listen.value }} {{ upstream.value }} -c {{ max_hop_count }} {{ '-I' if use_interface_id_option is vyos_defined }}"
-
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 3446a9d1b..6c0653a55 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -13,63 +13,44 @@ web-skip{{ ipv }}='{{ web_options.skip }}', \
if{{ ipv }}={{ address }}, \
{% endif %}
{% endfor %}
-{# Other service options #}
-{% for k,v in kwargs.items() %}
-{% if v is vyos_defined %}
-{{ k }}={{ v }}{{ ',' if not loop.last }} \
-{% endif %}
+{# Other service options with special treatment for password #}
+{% for k,v in kwargs.items() if v is vyos_defined %}
+{{ k | replace('_', '-') }}={{ "'%s'" % (v) if k == 'password' else v }}{{ ',' if not loop.last }} \
{% endfor %}
{# Actual hostname for the service #}
{{ host }}
{% endmacro %}
-### Autogenerated by dns_dynamic.py ###
-daemon={{ timeout }}
+### Autogenerated by service_dns_dynamic.py ###
+daemon={{ interval }}
syslog=yes
ssl=yes
pid={{ config_file | replace('.conf', '.pid') }}
cache={{ config_file | replace('.conf', '.cache') }}
-{# Explicitly override global options for reliability #}
-web=googledomains {# ddclient default ('dyndns') doesn't support ssl and results in process lockup #}
-use=no {# ddclient default ('ip') results in confusing warning message in log #}
-
-{% if address is vyos_defined %}
-{% for address, service_cfg in address.items() %}
-{% if service_cfg.rfc2136 is vyos_defined %}
-{% for name, config in service_cfg.rfc2136.items() %}
-{% if config.description is vyos_defined %}
-# {{ config.description }}
+{# ddclient default (web=dyndns) doesn't support ssl and results in process lockup #}
+web=googledomains
+{# ddclient default (use=ip) results in confusing warning message in log #}
+use=no
-{% endif %}
-{% for host in config.host_name if config.host_name is vyos_defined %}
-# RFC2136 dynamic DNS configuration for {{ name }}: [{{ config.zone }}, {{ host }}]
-{# Don't append 'new-style' compliant suffix ('usev4', 'usev6', 'ifv4', 'ifv6' etc.)
- to the properties since 'nsupdate' doesn't support that yet. #}
-{{ render_config(host, address, service_cfg.web_options,
- protocol='nsupdate', server=config.server, zone=config.zone,
- password=config.key, ttl=config.ttl) }}
+{% if name is vyos_defined %}
+{% for service, config in name.items() %}
+{% if config.description is vyos_defined %}
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% if service_cfg.service is vyos_defined %}
-{% for name, config in service_cfg.service.items() %}
-{% if config.description is vyos_defined %}
# {{ config.description }}
+{% endif %}
+{% for host in config.host_name if config.host_name is vyos_defined %}
+{# ip_suffixes can be either of ['v4'], ['v6'], ['v4', 'v6'] for all protocols except 'nsupdate'
+ ip_suffixes must be [''] for nsupdate since it doesn't support usevX/wantipvX yet #}
+{% set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
+ else ([config.ip_version[2:]] if config.protocol != 'nsupdate'
+ else ['']) %}
+{% set password = config.key if config.protocol == 'nsupdate'
+ else config.password %}
-{% endif %}
-{% for host in config.host_name if config.host_name is vyos_defined %}
-{% set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
- else (['v6'] if config.ip_version == 'ipv6' else ['']) %}
-# Web service dynamic DNS configuration for {{ name }}: [{{ config.protocol }}, {{ host }}]
-{# For ipv4 only setup or legacy ipv6 setup, don't append 'new-style' compliant suffix
- ('usev4', 'ifv4', 'webv4' etc.) to the properties and instead live through the
- deprecation warnings for better compatibility with most ddclient protocols. #}
-{{ render_config(host, address, service_cfg.web_options, ip_suffixes,
+# Web service dynamic DNS configuration for {{ service }}: [{{ config.protocol }}, {{ host }}]
+{{ render_config(host, config.address, config.web_options, ip_suffixes,
protocol=config.protocol, server=config.server, zone=config.zone,
- login=config.username, password=config.password) }}
-
-{% endfor %}
-{% endfor %}
-{% endif %}
+ login=config.username, password=password, ttl=config.ttl,
+ min_interval=config.wait_time, max_interval=config.expiry_time) }}
+{% endfor %}
{% endfor %}
{% endif %}
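Review bot: `"'%s'" % (v)` at L2519 single-quotes the password without escaping, and `login=config.username` passed at L2590 is written unquoted, so a password containing `'` or a username containing `,` or whitespace yields a ddclient.conf that parses differently from what was configured; unless service_dns_dynamic.py already rejects such characters, validate them there, or quote `login` the same way and escape embedded quotes if ddclient's parser supports that — confirm. The `replace('_', '-')` on keys at L2519 means callers must pass snake_case names (`min_interval`, `max_interval`) that are rewritten on output; a one-line comment, `{# kwargs arrive in snake_case; ddclient expects kebab-case keys #}`, would make that contract visible. The `render_config` macro starts before the hunk.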
diff --git a/data/templates/dns-dynamic/override.conf.j2 b/data/templates/dns-dynamic/override.conf.j2
index 6ca1b8a45..4a6851cef 100644
--- a/data/templates/dns-dynamic/override.conf.j2
+++ b/data/templates/dns-dynamic/override.conf.j2
@@ -7,4 +7,4 @@ After=vyos-router.service
PIDFile={{ config_file | replace('.conf', '.pid') }}
EnvironmentFile=
ExecStart=
-ExecStart=/usr/bin/ddclient -file {{ config_file }}
+ExecStart={{ vrf_command }}/usr/bin/ddclient -file {{ config_file }}
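Review bot: `{{ vrf_command }}` at L2604 is concatenated directly onto `/usr/bin/ddclient`, so the rendered ExecStart is only valid when the script supplies either an empty string or a wrapper ending in a trailing space, and nothing in the template states that contract. A comment above the line, `{# vrf_command is empty or a command prefix ending in a space, set by service_dns_dynamic.py #}`, would protect the next edit, assuming that is what the script provides — confirm.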
diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index e02e6c13d..55b37732b 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -1,5 +1,5 @@
{# j2lint: disable=single-statement-per-line #}
-### Autogenerated by dns_forwarding.py ###
+### Autogenerated by service_dns_forwarding.py ###
# XXX: pdns recursor doesn't like whitespace near entry separators,
# especially in the semicolon-separated lists of name servers.
@@ -40,6 +40,16 @@ dnssec={{ dnssec }}
dns64-prefix={{ dns64_prefix }}
{% endif %}
+{% if exclude_throttle_address is vyos_defined %}
+# dont-throttle-netmasks
+dont-throttle-netmasks={{ exclude_throttle_address | join(',') }}
+{% endif %}
+
+{% if serve_stale_extension is vyos_defined %}
+# serve-stale-extensions
+serve-stale-extensions={{ serve_stale_extension }}
+{% endif %}
+
# serve rfc1918 records
serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
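Review bot: The comments added at L2619 and L2624 only repeat the key names; both options change the recursor's failure handling, so the comments should say what they do. `dont-throttle-netmasks` exempts upstream servers in the listed prefixes from the recursor's throttling after failed or unwanted replies, and `serve-stale-extensions` lets expired records keep being answered for a bounded number of 30 s extensions while a refresh fails; suggested: `# Upstream servers in these prefixes are never throttled after failures (explicit operator opt-out)` and `# Number of 30s extensions an expired record may be served while upstreams fail; 0 disables serve-stale`. The semantics quoted here should be checked against the pdns-recursor version shipped.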
@@ -47,4 +57,3 @@ serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
forward-zones-file=recursor.forward-zones.conf
-
diff --git a/data/templates/dns-forwarding/recursor.conf.lua.j2 b/data/templates/dns-forwarding/recursor.conf.lua.j2
index e2506238d..816f69160 100644
--- a/data/templates/dns-forwarding/recursor.conf.lua.j2
+++ b/data/templates/dns-forwarding/recursor.conf.lua.j2
@@ -1,4 +1,4 @@
--- Autogenerated by VyOS (dns_forwarding.py) --
+-- Autogenerated by VyOS (service_dns_forwarding.py) --
-- Do not edit, your changes will get overwritten --
-- Load DNSSEC root keys from dns-root-data package.
@@ -6,4 +6,3 @@ dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
-- Load lua from vyos-hostsd --
dofile("recursor.vyos-hostsd.conf.lua")
-
diff --git a/data/templates/dns-forwarding/recursor.zone.conf.j2 b/data/templates/dns-forwarding/recursor.zone.conf.j2
index 25193c2ec..797068c49 100644
--- a/data/templates/dns-forwarding/recursor.zone.conf.j2
+++ b/data/templates/dns-forwarding/recursor.zone.conf.j2
@@ -1,5 +1,5 @@
;
-; Autogenerated by dns_forwarding.py
+; Autogenerated by service_dns_forwarding.py
;
{% for r in records %}
{{ r.name }} {{ r.ttl }} {{ r.type }} {{ r.value }}
diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2
index cd35d6d1e..6da2fa5e0 100644
--- a/data/templates/ethernet/wpa_supplicant.conf.j2
+++ b/data/templates/ethernet/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-ethernet.py ###
+### Autogenerated by interfaces_ethernet.py ###
# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
@@ -74,4 +74,3 @@ network={
# does not work for VyOS' git builds of wpa_supplicant.
phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
}
-
diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2
new file mode 100644
index 000000000..1a4ad2ed9
--- /dev/null
+++ b/data/templates/firewall/nftables-bridge.j2
@@ -0,0 +1,35 @@
+{% macro bridge(bridge) %}
+{% set ns = namespace(sets=[]) %}
+{% if bridge.forward is vyos_defined %}
+{% for prior, conf in bridge.forward.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_FORWARD_{{ prior }} {
+ type filter hook forward priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
+ }
+{% endfor %}
+{% endif %}
+
+{% if bridge.name is vyos_defined %}
+{% for name_text, conf in bridge.name.items() %}
+ chain NAME_{{ name_text }} {
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'bri') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule(name_text) }}
+ }
+{% endfor %}
+{% endif %}
+{% endmacro %} \ No newline at end of file
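Review bot: `ns.sets` is created at L2679 and extended at L2689 and L2704 but is never read anywhere in the macro, so the `recent` bookkeeping has no effect on the rendered bridge table; either emit the corresponding sets from `ns.sets` as the L3 templates presumably do, or drop the namespace and both `{% set ns.sets = ... %}` lines so the dead code does not suggest rate limiting that is not configured. The macro `bridge` takes a parameter also named `bridge` (L2678), which shadows the macro name inside its body; `{% macro bridge(conf) %}` or similar reads more clearly. The file also lacks a trailing newline.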
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 0a7e79edd..a20c399ae 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -1,7 +1,7 @@
-{% macro groups(group, is_ipv6) %}
+{% macro groups(group, is_ipv6, is_l3) %}
{% if group is vyos_defined %}
{% set ip_type = 'ipv6_addr' if is_ipv6 else 'ipv4_addr' %}
-{% if group.address_group is vyos_defined and not is_ipv6 %}
+{% if group.address_group is vyos_defined and not is_ipv6 and is_l3 %}
{% for group_name, group_conf in group.address_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set A_{{ group_name }} {
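Review bot: The new `is_l3` parameter at L2719 has no default, so any existing caller of `groups(group, is_ipv6)` not updated in the same change passes an undefined value that evaluates false and silently suppresses every address, network, domain and port set (or raises at render time under StrictUndefined); any rule referencing `@A_…`, `@N_…` or `@P_…` would then fail at nft load. nftables-nat.j2 is updated in this commit (`groups(firewall_group, False, True)`), but a default keeps the old behaviour for any caller that was missed: `{% macro groups(group, is_ipv6, is_l3=True) %}`. The same gate is repeated in each later hunk of this file, so a one-line comment after the macro line, `{# is_l3: address/network/domain/port sets are only emitted for L3 (ip/ip6) tables #}`, would explain the intent once.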
@@ -14,7 +14,7 @@
}
{% endfor %}
{% endif %}
-{% if group.ipv6_address_group is vyos_defined and is_ipv6 %}
+{% if group.ipv6_address_group is vyos_defined and is_ipv6 and is_l3 %}
{% for group_name, group_conf in group.ipv6_address_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set A6_{{ group_name }} {
@@ -27,7 +27,7 @@
}
{% endfor %}
{% endif %}
-{% if group.domain_group is vyos_defined %}
+{% if group.domain_group is vyos_defined and is_l3 %}
{% for name, name_config in group.domain_group.items() %}
set D_{{ name }} {
type {{ ip_type }}
@@ -46,7 +46,7 @@
}
{% endfor %}
{% endif %}
-{% if group.network_group is vyos_defined and not is_ipv6 %}
+{% if group.network_group is vyos_defined and not is_ipv6 and is_l3 %}
{% for group_name, group_conf in group.network_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set N_{{ group_name }} {
@@ -59,7 +59,7 @@
}
{% endfor %}
{% endif %}
-{% if group.ipv6_network_group is vyos_defined and is_ipv6 %}
+{% if group.ipv6_network_group is vyos_defined and is_ipv6 and is_l3 %}
{% for group_name, group_conf in group.ipv6_network_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set N6_{{ group_name }} {
@@ -72,7 +72,7 @@
}
{% endfor %}
{% endif %}
-{% if group.port_group is vyos_defined %}
+{% if group.port_group is vyos_defined and is_l3 %}
{% for group_name, group_conf in group.port_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set P_{{ group_name }} {
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
index f0be3cf5d..dcf28da88 100644
--- a/data/templates/firewall/nftables-nat.j2
+++ b/data/templates/firewall/nftables-nat.j2
@@ -62,6 +62,6 @@ table ip vyos_nat {
return
}
-{{ group_tmpl.groups(firewall_group, False) }}
+{{ group_tmpl.groups(firewall_group, False, True) }}
}
{% endif %}
diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2
new file mode 100644
index 000000000..087fd141c
--- /dev/null
+++ b/data/templates/firewall/nftables-offload.j2
@@ -0,0 +1,9 @@
+{% macro flowtable(name, config) %}
+ flowtable VYOS_FLOWTABLE_{{ name }} {
+ hook ingress priority 0; devices = { {{ config.interface | join(', ') }} };
+{% if config.offload is vyos_defined('hardware') %}
+ flags offload;
+{% endif %}
+ counter
+ }
+{% endmacro %} \ No newline at end of file
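Review bot: The `flowtable` macro does not describe the `config` shape it expects; `config.interface` is joined unconditionally on the `devices =` line, so a flowtable configured without interfaces would render an empty device set unless the CLI rejects that earlier (not visible here). A short header would settle it: `{# flowtable(name, config): emits VYOS_FLOWTABLE_<name>; config.interface (list, required) becomes the device set, config.offload == 'hardware' adds 'flags offload' #}`. Since nft presumably refuses `flags offload` when a listed device's driver lacks hardware offload support, the comment could also say that a failed ruleset load is the symptom to check for when `offload hardware` is set on an unsupported NIC.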
diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index 699349e2b..9e28899b0 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -28,11 +28,14 @@ table ip vyos_mangle {
{{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }}
{% endfor %}
{% endif %}
+{% if conf.default_log is vyos_defined %}
+ counter log prefix "[ipv4-{{ (route_text)[:19] }}-default]"
+{% endif %}
}
{% endfor %}
{% endif %}
-{{ group_tmpl.groups(firewall_group, False) }}
+{{ group_tmpl.groups(firewall_group, False, True) }}
}
table ip6 vyos_mangle {
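Review bot: The new default-log rule truncates the route name to 19 characters in the log prefix (`(route_text)[:19]`), so two policies whose names share their first 19 characters produce identical `[ipv4-…-default]` prefixes and cannot be told apart when logs are triaged. Unless nft's prefix length limit forces it, the truncation deserves a comment next to the rule, e.g. `{# name cut to 19 chars to bound the log prefix; names sharing a prefix collide in the log #}`, or the limit should be raised. The same applies to the ipv6 hunk below at the `[ipv6-…-default]` line. The enclosing chain definition starts above this hunk.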
@@ -57,9 +60,12 @@ table ip6 vyos_mangle {
{{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }}
{% endfor %}
{% endif %}
+{% if conf.default_log is vyos_defined %}
+ counter log prefix "[ipv6-{{ (route_text)[:19] }}-default]"
+{% endif %}
}
{% endfor %}
{% endif %}
-{{ group_tmpl.groups(firewall_group, True) }}
+{{ group_tmpl.groups(firewall_group, True, True) }}
}
diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2
index eecf47b78..3bce7312d 100644
--- a/data/templates/firewall/nftables-vrf-zones.j2
+++ b/data/templates/firewall/nftables-vrf-zones.j2
@@ -7,11 +7,11 @@ table inet vrf_zones {
# Chain for inbound traffic
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
- counter ct zone set iifname map @ct_iface_map
+ counter ct original zone set iifname map @ct_iface_map
}
# Chain for locally-generated traffic
chain vrf_zones_ct_out {
type filter hook output priority raw; policy accept;
- counter ct zone set oifname map @ct_iface_map
+ counter ct original zone set oifname map @ct_iface_map
}
}
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
new file mode 100644
index 000000000..506ad815e
--- /dev/null
+++ b/data/templates/firewall/nftables-zone.j2
@@ -0,0 +1,77 @@
+{% macro zone_chains(zone, ipv6=False, state_policy=False) %}
+{% set fw_name = 'ipv6_name' if ipv6 else 'name' %}
+{% set suffix = '6' if ipv6 else '' %}
+ chain VYOS_ZONE_FORWARD {
+ type filter hook forward priority 1; policy accept;
+{% if state_policy %}
+ jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{% if 'local_zone' not in zone_conf %}
+ oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
+{% endif %}
+{% endfor %}
+ }
+ chain VYOS_ZONE_LOCAL {
+ type filter hook input priority 1; policy accept;
+{% if state_policy %}
+ jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{% if 'local_zone' in zone_conf %}
+ counter jump VZONE_{{ zone_name }}_IN
+{% endif %}
+{% endfor %}
+ }
+ chain VYOS_ZONE_OUTPUT {
+ type filter hook output priority 1; policy accept;
+{% if state_policy %}
+ jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{% if 'local_zone' in zone_conf %}
+ counter jump VZONE_{{ zone_name }}_OUT
+{% endif %}
+{% endfor %}
+ }
+{% for zone_name, zone_conf in zone.items() %}
+{% if zone_conf.local_zone is vyos_defined %}
+ chain VZONE_{{ zone_name }}_IN {
+ iifname lo counter return
+{% if zone_conf.from is vyos_defined %}
+{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+ iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+ iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{% endfor %}
+{% endif %}
+ {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+ }
+ chain VZONE_{{ zone_name }}_OUT {
+ oifname lo counter return
+{% if zone_conf.from_local is vyos_defined %}
+{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %}
+ oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+ oifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{% endfor %}
+{% endif %}
+ {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+ }
+{% else %}
+ chain VZONE_{{ zone_name }} {
+ iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6) }}
+{% if zone_conf.intra_zone_filtering is vyos_defined %}
+ iifname { {{ zone_conf.interface | join(",") }} } counter return
+{% endif %}
+{% if zone_conf.from is vyos_defined %}
+{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{% if zone[from_zone].local_zone is not defined %}
+ iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+ iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{% endif %}
+{% endfor %}
+{% endif %}
+ {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+ }
+{% endif %}
+{% endfor %}
+{% endmacro %} \ No newline at end of file
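Review bot: The `local_zone` check in the non-local branch uses Jinja's builtin `defined` (`{% if zone[from_zone].local_zone is not defined %}`), while the rest of the macro tests the same key with `vyos_defined` in the branch selector and with `'local_zone' in zone_conf` in the three base chains; three different tests for one flag may diverge if `local_zone` is ever carried with an empty value. Use one form throughout: `{% if zone[from_zone].local_zone is not vyos_defined %}` here and `zone_conf.local_zone is vyos_defined` in the base chains. A `from` entry naming a zone that is missing from `zone` would fail at `zone[from_zone]` during rendering rather than at verify time; if the verify step does not already reject that, it should.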
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index a82a5537b..4851e3a05 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -1,6 +1,9 @@
#!/usr/sbin/nft -f
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}
+{% import 'firewall/nftables-offload.j2' as offload_tmpl %}
+{% import 'firewall/nftables-zone.j2' as zone_tmpl %}
flush chain raw FW_CONNTRACK
flush chain ip6 raw FW_CONNTRACK
@@ -43,12 +46,20 @@ delete table ip vyos_filter
{% endif %}
table ip vyos_filter {
{% if ipv4 is vyos_defined %}
+{% if flowtable is vyos_defined %}
+{% for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{% endfor %}
+{% endif %}
+
{% set ns = namespace(sets=[]) %}
{% if ipv4.forward is vyos_defined %}
{% for prior, conf in ipv4.forward.items() %}
-{% set def_action = conf.default_action %}
chain VYOS_FORWARD_{{ prior }} {
- type filter hook forward priority {{ prior }}; policy {{ def_action }};
+ type filter hook forward priority {{ prior }}; policy accept;
+{% if global_options.state_policy is vyos_defined %}
+ jump VYOS_STATE_POLICY
+{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('FWD', prior, rule_id) }}
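Review bot: Every base chain now declares `policy accept` and relies on the `nft_default_rule` filter emitting the configured default action as the last rule (the `FWD-filter` line in the next hunk), so the chain fails open if that filter ever renders nothing, whereas the old `policy {{ def_action }}` form carried the default in the chain itself and would have failed to load rather than accept. A comment at the `type filter hook` line should record that dependency: `{# policy accept is deliberate: the configured default action is emitted as the final rule, after VYOS_STATE_POLICY and the user rules #}`. The same pattern is applied in the INPUT, OUTPUT and PREROUTING hunks of this file and again in the ip6 table below, so the comment belongs once above the ipv4 block and once above the ipv6 block. Whether `nft_default_rule` can render empty is not visible here; if it can, the verify step should reject a chain without a default action.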
@@ -57,15 +68,18 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
+ {{ conf | nft_default_rule('FWD-filter') }}
}
{% endfor %}
{% endif %}
{% if ipv4.input is vyos_defined %}
{% for prior, conf in ipv4.input.items() %}
-{% set def_action = conf.default_action %}
chain VYOS_INPUT_{{ prior }} {
- type filter hook input priority {{ prior }}; policy {{ def_action }};
+ type filter hook input priority {{ prior }}; policy accept;
+{% if global_options.state_policy is vyos_defined %}
+ jump VYOS_STATE_POLICY
+{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('INP',prior, rule_id) }}
@@ -74,15 +88,18 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
+ {{ conf | nft_default_rule('INP-filter') }}
}
{% endfor %}
{% endif %}
{% if ipv4.output is vyos_defined %}
{% for prior, conf in ipv4.output.items() %}
-{% set def_action = conf.default_action %}
chain VYOS_OUTPUT_{{ prior }} {
- type filter hook output priority {{ prior }}; policy {{ def_action }};
+ type filter hook output priority {{ prior }}; policy accept;
+{% if global_options.state_policy is vyos_defined %}
+ jump VYOS_STATE_POLICY
+{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('OUT', prior, rule_id) }}
@@ -91,6 +108,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
+ {{ conf | nft_default_rule('OUT-filter') }}
}
{% endfor %}
{% endif %}
@@ -100,9 +118,8 @@ table ip vyos_filter {
}
{% if ipv4.prerouting is vyos_defined %}
{% for prior, conf in ipv4.prerouting.items() %}
-{% set def_action = conf.default_action %}
chain VYOS_PREROUTING_{{ prior }} {
- type filter hook prerouting priority {{ prior }}; policy {{ def_action }};
+ type filter hook prerouting priority {{ prior }}; policy accept;
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('PRE', prior, rule_id) }}
@@ -111,7 +128,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule(prior) }}
+ {{ conf | nft_default_rule('PRE-filter') }}
}
{% endfor %}
{% endif %}
@@ -154,7 +171,25 @@ table ip vyos_filter {
{% endfor %}
{% endif %}
{% endif %}
-{{ group_tmpl.groups(group, False) }}
+{{ group_tmpl.groups(group, False, True) }}
+
+{% if zone is vyos_defined %}
+{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+ chain VYOS_STATE_POLICY {
+{% if global_options.state_policy.established is vyos_defined %}
+ {{ global_options.state_policy.established | nft_state_policy('established') }}
+{% endif %}
+{% if global_options.state_policy.invalid is vyos_defined %}
+ {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{% endif %}
+{% if global_options.state_policy.related is vyos_defined %}
+ {{ global_options.state_policy.related | nft_state_policy('related') }}
+{% endif %}
+ return
+ }
+{% endif %}
}
{% if first_install is not vyos_defined %}
@@ -162,12 +197,20 @@ delete table ip6 vyos_filter
{% endif %}
table ip6 vyos_filter {
{% if ipv6 is vyos_defined %}
+{% if flowtable is vyos_defined %}
+{% for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{% endfor %}
+{% endif %}
+
{% set ns = namespace(sets=[]) %}
{% if ipv6.forward is vyos_defined %}
{% for prior, conf in ipv6.forward.items() %}
-{% set def_action = conf.default_action %}
chain VYOS_IPV6_FORWARD_{{ prior }} {
- type filter hook forward priority {{ prior }}; policy {{ def_action }};
+ type filter hook forward priority {{ prior }}; policy accept;
+{% if global_options.state_policy is vyos_defined %}
+ jump VYOS_STATE_POLICY6
+{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
@@ -176,15 +219,18 @@ table ip6 vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
+ {{ conf | nft_default_rule('FWD-filter', ipv6=True) }}
}
{% endfor %}
{% endif %}
{% if ipv6.input is vyos_defined %}
{% for prior, conf in ipv6.input.items() %}
-{% set def_action = conf.default_action %}
chain VYOS_IPV6_INPUT_{{ prior }} {
- type filter hook input priority {{ prior }}; policy {{ def_action }};
+ type filter hook input priority {{ prior }}; policy accept;
+{% if global_options.state_policy is vyos_defined %}
+ jump VYOS_STATE_POLICY6
+{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
@@ -193,15 +239,18 @@ table ip6 vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
+ {{ conf | nft_default_rule('INP-filter', ipv6=True) }}
}
{% endfor %}
{% endif %}
{% if ipv6.output is vyos_defined %}
{% for prior, conf in ipv6.output.items() %}
-{% set def_action = conf.default_action %}
chain VYOS_IPV6_OUTPUT_{{ prior }} {
- type filter hook output priority {{ prior }}; policy {{ def_action }};
+ type filter hook output priority {{ prior }}; policy accept;
+{% if global_options.state_policy is vyos_defined %}
+ jump VYOS_STATE_POLICY6
+{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
@@ -210,6 +259,7 @@ table ip6 vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
+ {{ conf | nft_default_rule('OUT-filter', ipv6=True) }}
}
{% endfor %}
{% endif %}
@@ -257,5 +307,34 @@ table ip6 vyos_filter {
{% endfor %}
{% endif %}
{% endif %}
-{{ group_tmpl.groups(group, True) }}
+{{ group_tmpl.groups(group, True, True) }}
+
+{% if zone is vyos_defined %}
+{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+ chain VYOS_STATE_POLICY6 {
+{% if global_options.state_policy.established is vyos_defined %}
+ {{ global_options.state_policy.established | nft_state_policy('established') }}
+{% endif %}
+{% if global_options.state_policy.invalid is vyos_defined %}
+ {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{% endif %}
+{% if global_options.state_policy.related is vyos_defined %}
+ {{ global_options.state_policy.related | nft_state_policy('related') }}
+{% endif %}
+ return
+ }
+{% endif %}
+
+}
+
+## Bridge Firewall
+{% if first_install is not vyos_defined %}
+delete table bridge vyos_filter
+{% endif %}
+table bridge vyos_filter {
+{{ bridge_tmpl.bridge(bridge) }}
+{{ group_tmpl.groups(group, False, False) }}
+
} \ No newline at end of file
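Review bot: The VYOS_STATE_POLICY chain body is duplicated verbatim between the ip table (earlier hunk of this file) and the new VYOS_STATE_POLICY6 chain in this hunk, differing only in the chain-name suffix, so the three `established`/`invalid`/`related` conditions will drift the first time one copy is edited. Since zone handling was already factored into `zone_tmpl.zone_chains(zone, ipv6, state_policy)`, the state-policy chain can take the same route as a macro that receives the policy and the suffix explicitly, since an imported macro does not see template variables. The bridge table at the end calls `bridge_tmpl.bridge(bridge)` without the `{% if bridge is vyos_defined %}` guard the zone call has; the macro's own guard is outside this chunk, so that is only worth checking.
```jinja
{% macro state_policy_chain(policy, suffix) %}
    chain VYOS_STATE_POLICY{{ suffix }} {
{% if policy.established is vyos_defined %}
        {{ policy.established | nft_state_policy('established') }}
{% endif %}
{% if policy.invalid is vyos_defined %}
        {{ policy.invalid | nft_state_policy('invalid') }}
{% endif %}
{% if policy.related is vyos_defined %}
        {{ policy.related | nft_state_policy('related') }}
{% endif %}
        return
    }
{% endmacro %}
{# … unchanged: table ip6 vyos_filter rules and group sets … #}
{% if global_options.state_policy is vyos_defined %}
{{ state_policy_chain(global_options.state_policy, '6') }}
{% endif %}
```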
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index 7fa974254..679ba8b04 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -29,13 +29,14 @@
neighbor {{ neighbor }} bfd profile {{ config.bfd.profile }}
{% endif %}
{% endif %}
-{% if config.capability is vyos_defined %}
-{% if config.capability.dynamic is vyos_defined %}
+{% if config.capability.dynamic is vyos_defined %}
neighbor {{ neighbor }} capability dynamic
-{% endif %}
-{% if config.capability.extended_nexthop is vyos_defined %}
+{% endif %}
+{% if config.capability.extended_nexthop is vyos_defined %}
neighbor {{ neighbor }} capability extended-nexthop
-{% endif %}
+{% endif %}
+{% if config.capability.software_version is vyos_defined %}
+ neighbor {{ neighbor }} capability software-version
{% endif %}
{% if config.description is vyos_defined %}
neighbor {{ neighbor }} description {{ config.description }}
@@ -77,6 +78,9 @@
{% if config.path_attribute.discard is vyos_defined %}
neighbor {{ neighbor }} path-attribute discard {{ config.path_attribute.discard }}
{% endif %}
+{% if config.path_attribute.treat_as_withdraw is vyos_defined %}
+ neighbor {{ neighbor }} path-attribute treat-as-withdraw {{ config.path_attribute.treat_as_withdraw }}
+{% endif %}
{% if config.port is vyos_defined %}
neighbor {{ neighbor }} port {{ config.port }}
{% endif %}
@@ -170,7 +174,7 @@
{% endif %}
{% endif %}
{% if afi_config.remove_private_as is vyos_defined %}
- neighbor {{ neighbor }} remove-private-AS
+ neighbor {{ neighbor }} remove-private-AS {{ 'all' if afi_config.remove_private_as.all is vyos_defined }}
{% endif %}
{% if afi_config.route_reflector_client is vyos_defined %}
neighbor {{ neighbor }} route-reflector-client
@@ -369,6 +373,26 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
{% if afi_config.advertise_svi_ip is vyos_defined %}
advertise-svi-ip
{% endif %}
+{% if afi_config.default_originate.ipv4 is vyos_defined %}
+ default-originate ipv4
+{% endif %}
+{% if afi_config.default_originate.ipv6 is vyos_defined %}
+ default-originate ipv6
+{% endif %}
+{% if afi_config.disable_ead_evi_rx is vyos_defined %}
+ disable-ead-evi-rx
+{% endif %}
+{% if afi_config.disable_ead_evi_tx is vyos_defined %}
+ disable-ead-evi-tx
+{% endif %}
+{% if afi_config.ead_es_frag.evi_limit is vyos_defined %}
+ ead-es-frag evi-limit {{ afi_config.ead_es_frag.evi_limit }}
+{% endif %}
+{% if afi_config.ead_es_route_target.export is vyos_defined %}
+{% for route_target in afi_config.ead_es_route_target.export %}
+ ead-es-route-target export {{ route_target }}
+{% endfor %}
+{% endif %}
{% if afi_config.rt_auto_derive is vyos_defined %}
autort rfc8365-compatible
{% endif %}
@@ -446,6 +470,38 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
{% endfor %}
{% endif %}
!
+{% if bmp is vyos_defined %}
+{% if bmp.mirror_buffer_limit is vyos_defined %}
+ bmp mirror buffer-limit {{ bmp.mirror_buffer_limit }}
+ !
+{% endif %}
+{% if bmp.target is vyos_defined %}
+{% for bmp, bmp_config in bmp.target.items() %}
+ bmp targets {{ bmp }}
+{% if bmp_config.mirror is vyos_defined %}
+ bmp mirror
+{% endif %}
+{% if bmp_config.monitor is vyos_defined %}
+{% if bmp_config.monitor.ipv4_unicast.pre_policy is vyos_defined %}
+ bmp monitor ipv4 unicast pre-policy
+{% endif %}
+{% if bmp_config.monitor.ipv4_unicast.post_policy is vyos_defined %}
+ bmp monitor ipv4 unicast post-policy
+{% endif %}
+{% if bmp_config.monitor.ipv6_unicast.pre_policy is vyos_defined %}
+ bmp monitor ipv6 unicast pre-policy
+{% endif %}
+{% if bmp_config.monitor.ipv6_unicast.post_policy is vyos_defined %}
+ bmp monitor ipv6 unicast post-policy
+{% endif %}
+{% endif %}
+{% if bmp_config.address is vyos_defined %}
+ bmp connect {{ bmp_config.address }} port {{ bmp_config.port }} min-retry {{ bmp_config.min_retry }} max-retry {{ bmp_config.max_retry }}
+{% endif %}
+{% endfor %}
+ exit
+{% endif %}
+{% endif %}
{% if peer_group is vyos_defined %}
{% for peer, config in peer_group.items() %}
{{ bgp_neighbor(peer, config, true) }}
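Review bot: The loop at `{% for bmp, bmp_config in bmp.target.items() %}` rebinds `bmp` — the dict being iterated — to each target name, so inside the body `bmp` is a string and any later reference to the outer `bmp` options within the loop would silently read the wrong thing; renaming keeps the two apart: `{% for target, bmp_config in bmp.target.items() %}` and `bmp targets {{ target }}`. The `bmp connect` line interpolates `port`, `min_retry` and `max_retry` unconditionally, which is only safe if config defaults always fill them in (not visible here); otherwise `port` renders empty and FRR rejects the line. The enclosing `router bgp` block starts above this hunk.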
@@ -564,6 +620,14 @@ bgp route-reflector allow-outbound-policy
{% if parameters.tcp_keepalive.idle is vyos_defined and parameters.tcp_keepalive.interval is vyos_defined and parameters.tcp_keepalive.probes is vyos_defined %}
bgp tcp-keepalive {{ parameters.tcp_keepalive.idle }} {{ parameters.tcp_keepalive.interval }} {{ parameters.tcp_keepalive.probes }}
{% endif %}
+{% if srv6.locator is vyos_defined %}
+ segment-routing srv6
+ locator {{ srv6.locator }}
+ exit
+{% endif %}
+{% if sid.vpn.per_vrf.export is vyos_defined %}
+ sid vpn per-vrf export {{ sid.vpn.per_vrf.export }}
+{% endif %}
{% if timers.keepalive is vyos_defined and timers.holdtime is vyos_defined %}
timers bgp {{ timers.keepalive }} {{ timers.holdtime }}
{% endif %}
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index 3aad8e8dd..339b4e52f 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -1,4 +1,26 @@
-zebra=yes
+#
+# The watchfrr, zebra, mgmtd and staticd daemons are always started.
+#
+# Note: The following FRR-services must be kept disabled because they are replaced by other packages in VyOS:
+#
+# pimd Replaced by package igmpproxy.
+# nhrpd Replaced by package opennhrp.
+# pbrd Replaced by PBR in nftables.
+# vrrpd Replaced by package keepalived.
+#
+# And these must be disabled aswell since they are currently missing a VyOS CLI:
+#
+# eigrp
+# sharpd
+# fabricd
+# pathd
+#
+# The zebra, mgmtd and staticd daemons are always started and can not be disabled
+#
+#zebra=yes
+#mgmtd=yes
+#staticd=yes
+
bgpd=yes
ospfd=yes
ospf6d=yes
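Review bot: The new header comment has a typo at `# And these must be disabled aswell since they are currently missing a VyOS CLI:` — `as well`. It also states twice that zebra, mgmtd and staticd are always started (once together with watchfrr at the top, once on its own just before the commented `#zebra=yes` lines); one of the two lines can go.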
@@ -6,49 +28,86 @@ ripd=yes
ripngd=yes
isisd=yes
pimd=no
+pim6d=yes
ldpd=yes
nhrpd=no
-eigrpd=yes
+eigrpd=no
babeld=yes
sharpd=no
pbrd=no
bfdd=yes
-staticd=yes
+fabricd=no
+vrrpd=no
+pathd=no
-vtysh_enable=yes
-zebra_options=" -s 90000000 --daemon -A 127.0.0.1
-{%- if irdp is defined %} -M irdp{% endif -%}
-{%- if snmp is defined and snmp.zebra is defined %} -M snmp{% endif -%}
-"
-bgpd_options=" --daemon -A 127.0.0.1
-{%- if bmp is defined %} -M bmp{% endif -%}
-{%- if snmp is defined and snmp.bgpd is defined %} -M snmp{% endif -%}
-"
-ospfd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ospfd is defined %} -M snmp{% endif -%}
-"
-ospf6d_options=" --daemon -A ::1
-{%- if snmp is defined and snmp.ospf6d is defined %} -M snmp{% endif -%}
-"
-ripd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ripd is defined %} -M snmp{% endif -%}
-"
+#
+# Define defaults for all services even those who shall be kept disabled.
+#
+
+zebra_options=" --daemon -A 127.0.0.1 -s 90000000{{ ' -M snmp' if snmp.zebra is vyos_defined }}{{ ' -M irdp' if irdp is vyos_defined }}"
+mgmtd_options=" --daemon -A 127.0.0.1"
+staticd_options="--daemon -A 127.0.0.1"
+bgpd_options=" --daemon -A 127.0.0.1 -M rpki{{ ' -M snmp' if snmp.bgpd is vyos_defined }}{{ ' -M bmp' if bmp is vyos_defined }}"
+ospfd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ospfd is vyos_defined }}"
+ospf6d_options=" --daemon -A ::1{{ ' -M snmp' if snmp.ospf6d is vyos_defined }}"
+ripd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ripd is vyos_defined }}"
ripngd_options=" --daemon -A ::1"
-isisd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.isisd is defined %} -M snmp{% endif -%}
-"
-pimd_options=" --daemon -A 127.0.0.1"
-ldpd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%}
-"
-mgmtd_options=" --daemon -A 127.0.0.1"
+isisd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.isisd is vyos_defined }}"
+pimd_options=" --daemon -A 127.0.0.1"
+pim6d_options=" --daemon -A ::1"
+ldpd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ldpd is vyos_defined }}"
nhrpd_options=" --daemon -A 127.0.0.1"
-eigrpd_options=" --daemon -A 127.0.0.1"
-babeld_options=" --daemon -A 127.0.0.1"
-sharpd_options=" --daemon -A 127.0.0.1"
-pbrd_options=" --daemon -A 127.0.0.1"
-staticd_options=" --daemon -A 127.0.0.1"
-bfdd_options=" --daemon -A 127.0.0.1"
-
-watchfrr_enable=no
+eigrpd_options=" --daemon -A 127.0.0.1"
+babeld_options=" --daemon -A 127.0.0.1"
+sharpd_options=" --daemon -A 127.0.0.1"
+pbrd_options=" --daemon -A 127.0.0.1"
+bfdd_options=" --daemon -A 127.0.0.1"
+fabricd_options="--daemon -A 127.0.0.1"
+vrrpd_options=" --daemon -A 127.0.0.1"
+pathd_options=" --daemon -A 127.0.0.1"
+
+#frr_global_options=""
+
+#zebra_wrap=""
+#mgmtd_wrap=""
+#staticd_wrap=""
+#bgpd_wrap=""
+#ospfd_wrap=""
+#ospf6d_wrap=""
+#ripd_wrap=""
+#ripngd_wrap=""
+#isisd_wrap=""
+#pimd_wrap=""
+#pim6d_wrap=""
+#ldpd_wrap=""
+#nhrpd_wrap=""
+#eigrpd_wrap=""
+#babeld_wrap=""
+#sharpd_wrap=""
+#pbrd_wrap=""
+#bfdd_wrap=""
+#fabricd_wrap=""
+#vrrpd_wrap=""
+#pathd_wrap=""
+
+#all_wrap=""
+
+#
+# Other options.
+#
+# For more information see:
+# https://github.com/FRRouting/frr/blob/stable/9.0/tools/etc/frr/daemons
+# https://docs.frrouting.org/en/stable-9.0/setup.html
+#
+
+vtysh_enable=yes
+watchfrr_enable=yes
valgrind_enable=no
+
+#watchfrr_options=""
+
+frr_profile="traditional"
+
+MAX_FDS={{ descriptors }}
+
+#FRR_NO_ROOT="yes"
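Review bot: `staticd_options="--daemon -A 127.0.0.1"` and `fabricd_options="--daemon -A 127.0.0.1"` drop the leading space that every other `*_options` value in this block carries; harmless to the FRR init script as far as I can tell, but it reads as an accidental edit, so `staticd_options=" --daemon -A 127.0.0.1"` would match. `MAX_FDS={{ descriptors }}` is rendered unconditionally, so a render without `descriptors` yields `MAX_FDS=` unless the caller always sets it (not visible here); a `{{ descriptors if descriptors is vyos_defined }}` guard or a fixed fallback avoids the empty assignment. Keeping every daemon on `-A 127.0.0.1` / `-A ::1` is the right default for the VTY listener and should stay that way when new daemons are added.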
diff --git a/data/templates/frr/eigrpd.frr.j2 b/data/templates/frr/eigrpd.frr.j2
index 67f8a3ad1..3038a0b1d 100644
--- a/data/templates/frr/eigrpd.frr.j2
+++ b/data/templates/frr/eigrpd.frr.j2
@@ -1,21 +1,21 @@
-!
-router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
-{% if maximum_paths is vyos_defined %}
-maximum-paths {{ maximum_paths }}
-{% endif %}
-{% if metric.weights is vyos_defined %}
-metric weights {{ metric.weights }}
-{% endif %}
-{% if network is vyos_defined %}
-{% for net in network %}
-network {{ net }}
-{% endfor %}
-{% endif %}
-{% if redistribute is vyos_defined %}
-{% for protocol in redistribute %}
-redistribute {{ protocol }}
-{% endfor %}
-{% endif %}
-{% if variance is vyos_defined %}
-variance {{ variance }}
+!
+router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
+{% if maximum_paths is vyos_defined %}
+maximum-paths {{ maximum_paths }}
+{% endif %}
+{% if metric.weights is vyos_defined %}
+metric weights {{ metric.weights }}
+{% endif %}
+{% if network is vyos_defined %}
+{% for net in network %}
+network {{ net }}
+{% endfor %}
+{% endif %}
+{% if redistribute is vyos_defined %}
+{% for protocol in redistribute %}
+redistribute {{ protocol }}
+{% endfor %}
+{% endif %}
+{% if variance is vyos_defined %}
+variance {{ variance }}
{% endif %} \ No newline at end of file
diff --git a/data/templates/frr/evpn.mh.frr.j2 b/data/templates/frr/evpn.mh.frr.j2
new file mode 100644
index 000000000..03aaac44b
--- /dev/null
+++ b/data/templates/frr/evpn.mh.frr.j2
@@ -0,0 +1,16 @@
+!
+interface {{ ifname }}
+{% if evpn.es_df_pref is vyos_defined %}
+ evpn mh es-df-pref {{ evpn.es_df_pref }}
+{% endif %}
+{% if evpn.es_id is vyos_defined %}
+ evpn mh es-id {{ evpn.es_id }}
+{% endif %}
+{% if evpn.es_sys_mac is vyos_defined %}
+ evpn mh es-sys-mac {{ evpn.es_sys_mac }}
+{% endif %}
+{% if evpn.uplink is vyos_defined %}
+ evpn mh uplink
+{% endif %}
+exit
+!
diff --git a/data/templates/frr/igmp.frr.j2 b/data/templates/frr/igmp.frr.j2
deleted file mode 100644
index b75884484..000000000
--- a/data/templates/frr/igmp.frr.j2
+++ /dev/null
@@ -1,41 +0,0 @@
-!
-{% for iface in old_ifaces %}
-interface {{ iface }}
-{% for group in old_ifaces[iface].gr_join %}
-{% if old_ifaces[iface].gr_join[group] %}
-{% for source in old_ifaces[iface].gr_join[group] %}
- no ip igmp join {{ group }} {{ source }}
-{% endfor %}
-{% else %}
- no ip igmp join {{ group }}
-{% endif %}
-{% endfor %}
- no ip igmp
-!
-{% endfor %}
-{% for interface, interface_config in ifaces.items() %}
-interface {{ interface }}
-{% if interface_config.version %}
- ip igmp version {{ interface_config.version }}
-{% else %}
-{# IGMP default version 3 #}
- ip igmp
-{% endif %}
-{% if interface_config.query_interval %}
- ip igmp query-interval {{ interface_config.query_interval }}
-{% endif %}
-{% if interface_config.query_max_resp_time %}
- ip igmp query-max-response-time {{ interface_config.query_max_resp_time }}
-{% endif %}
-{% for group, sources in interface_config.gr_join.items() %}
-{% if sources is vyos_defined %}
-{% for source in sources %}
- ip igmp join {{ group }} {{ source }}
-{% endfor %}
-{% else %}
- ip igmp join {{ group }}
-{% endif %}
-{% endfor %}
-!
-{% endfor %}
-!
diff --git a/data/templates/frr/isisd.frr.j2 b/data/templates/frr/isisd.frr.j2
index 3c37e28b9..1e1cc3c27 100644
--- a/data/templates/frr/isisd.frr.j2
+++ b/data/templates/frr/isisd.frr.j2
@@ -58,6 +58,12 @@ exit
!
router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
net {{ net }}
+{% if advertise_high_metrics is vyos_defined %}
+advertise-high-metrics
+{% endif %}
+{% if advertise_passive_only is vyos_defined %}
+advertise-passive-only
+{% endif %}
{% if dynamic_hostname is vyos_defined %}
hostname dynamic
{% endif %}
@@ -159,6 +165,48 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
{% endfor %}
{% endfor %}
{% endif %}
+{% if fast_reroute.lfa is vyos_defined %}
+{% if fast_reroute.lfa.local is vyos_defined %}
+{% if fast_reroute.lfa.local.load_sharing.disable.level_1 is vyos_defined %}
+ fast-reroute load-sharing disable level-1
+{% elif fast_reroute.lfa.local.load_sharing.disable.level_2 is vyos_defined %}
+ fast-reroute load-sharing disable level-2
+{% elif fast_reroute.lfa.local.load_sharing.disable is vyos_defined %}
+ fast-reroute load-sharing disable
+{% endif %}
+{% if fast_reroute.lfa.local.priority_limit is vyos_defined %}
+{% for priority, priority_limit_options in fast_reroute.lfa.local.priority_limit.items() %}
+{% for level in priority_limit_options %}
+ fast-reroute priority-limit {{ priority }} {{ level | replace('_', '-') }}
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if fast_reroute.lfa.local.tiebreaker is vyos_defined %}
+{% for tiebreaker, tiebreaker_options in fast_reroute.lfa.local.tiebreaker.items() %}
+{% for index, index_options in tiebreaker_options.items() %}
+{% for index_value, index_value_options in index_options.items() %}
+{% for level in index_value_options %}
+ fast-reroute lfa tiebreaker {{ tiebreaker | replace('_', '-') }} index {{ index_value }} {{ level | replace('_', '-') }}
+{% endfor %}
+{% endfor %}
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if fast_reroute.lfa.remote.prefix_list is vyos_defined %}
+{% for prefix_list, prefix_list_options in fast_reroute.lfa.remote.prefix_list.items() %}
+{% if prefix_list_options.level_1 is vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }} level-1
+{% endif %}
+{% if prefix_list_options.level_2 is vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }} level-2
+{% endif %}
+{% if prefix_list is vyos_defined and prefix_list_options.level_1 is not vyos_defined and prefix_list_options.level_2 is not vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endif %}
{% if redistribute.ipv4 is vyos_defined %}
{% for protocol, protocol_options in redistribute.ipv4.items() %}
{% for level, level_config in protocol_options.items() %}
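Review bot: The `fast-reroute load-sharing disable` block is an `if`/`elif` chain, so when both `level_1` and `level_2` are configured only `level-1` is emitted; if the CLI allows both levels at once these should be two independent `if`s, with the plain `disable` case tested on its own rather than as the last `elif`. In the remote-LFA loop, `prefix_list is vyos_defined` in the last condition is always true because `prefix_list` is the loop key, so that line reduces to `{% if prefix_list_options.level_1 is not vyos_defined and prefix_list_options.level_2 is not vyos_defined %}`. The `fast-reroute remote-lfa` lines are emitted at column 0 while the local-LFA lines above them are indented one space; FRR ignores it, but the mix looks unintended. The enclosing `router isis` block starts above this hunk.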
@@ -191,4 +239,4 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
is-type {{ level }}
{% endif %}
exit
-! \ No newline at end of file
+!
diff --git a/data/templates/frr/ldpd.frr.j2 b/data/templates/frr/ldpd.frr.j2
index 11aff331a..9a893cc55 100644
--- a/data/templates/frr/ldpd.frr.j2
+++ b/data/templates/frr/ldpd.frr.j2
@@ -14,19 +14,19 @@ mpls ldp
ordered-control
{% endif %}
{% if ldp.neighbor is vyos_defined %}
-{% for neighbor, neighbor_config in ldp.neighbor %}
+{% for neighbor, neighbor_config in ldp.neighbor.items() %}
{% if neighbor_config.password is vyos_defined %}
- neighbor {{ neighbors }} password {{ neighbor_config.password }}
+ neighbor {{ neighbor }} password {{ neighbor_config.password }}
{% endif %}
{% if neighbor_config.ttl_security is vyos_defined %}
{% if neighbor_config.ttl_security.disable is vyos_defined %}
- neighbor {{ neighbors }} ttl-security disable
+ neighbor {{ neighbor }} ttl-security disable
{% else %}
- neighbor {{ neighbors }} ttl-security hops {{ neighbor_config.ttl_security }}
+ neighbor {{ neighbor }} ttl-security hops {{ neighbor_config.ttl_security }}
{% endif %}
{% endif %}
{% if neighbor_config.session_holdtime is vyos_defined %}
- neighbor {{ neighbors }} session holdtime {{ neighbor_config.session_holdtime }}
+ neighbor {{ neighbor }} session holdtime {{ neighbor_config.session_holdtime }}
{% endif %}
{% endfor %}
{% endif %}
diff --git a/data/templates/frr/pim6d.frr.j2 b/data/templates/frr/pim6d.frr.j2
new file mode 100644
index 000000000..bac716fcc
--- /dev/null
+++ b/data/templates/frr/pim6d.frr.j2
@@ -0,0 +1,81 @@
+!
+{% if interface is vyos_defined %}
+{% for iface, iface_config in interface.items() %}
+!
+interface {{ iface }}
+ ipv6 pim
+{% if iface_config.no_bsm is vyos_defined %}
+ no ipv6 pim bsm
+{% endif %}
+{% if iface_config.dr_priority is vyos_defined %}
+ ipv6 pim drpriority {{ iface_config.dr_priority }}
+{% endif %}
+{% if iface_config.hello is vyos_defined %}
+ ipv6 pim hello {{ iface_config.hello }}
+{% endif %}
+{% if iface_config.no_unicast_bsm is vyos_defined %}
+ no ipv6 pim unicast-bsm
+{% endif %}
+{% if iface_config.passive is vyos_defined %}
+ ipv6 pim passive
+{% endif %}
+{% if iface_config.mld is vyos_defined and iface_config.mld.disable is not vyos_defined %}
+ ipv6 mld
+{% if iface_config.mld.version is vyos_defined %}
+ ipv6 mld version {{ iface_config.mld.version }}
+{% endif %}
+{% if iface_config.mld.interval is vyos_defined %}
+ ipv6 mld query-interval {{ iface_config.mld.interval }}
+{% endif %}
+{% if iface_config.mld.max_response_time is vyos_defined %}
+ ipv6 mld query-max-response-time {{ iface_config.mld.max_response_time // 100 }}
+{% endif %}
+{% if iface_config.mld.last_member_query_count is vyos_defined %}
+ ipv6 mld last-member-query-count {{ iface_config.mld.last_member_query_count }}
+{% endif %}
+{% if iface_config.mld.last_member_query_interval is vyos_defined %}
+ ipv6 mld last-member-query-interval {{ iface_config.mld.last_member_query_interval // 100 }}
+{% endif %}
+{% if iface_config.mld.join is vyos_defined %}
+{% for group, group_config in iface_config.mld.join.items() %}
+{% if group_config.source is vyos_defined %}
+{% for source in group_config.source %}
+ ipv6 mld join {{ group }} {{ source }}
+{% endfor %}
+{% else %}
+ ipv6 mld join {{ group }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endif %}
+exit
+{% endfor %}
+{% endif %}
+!
+{% if join_prune_interval is vyos_defined %}
+ipv6 pim join-prune-interval {{ join_prune_interval }}
+{% endif %}
+{% if keep_alive_timer is vyos_defined %}
+ipv6 pim keep-alive-timer {{ keep_alive_timer }}
+{% endif %}
+{% if packets is vyos_defined %}
+ipv6 pim packets {{ packets }}
+{% endif %}
+{% if register_suppress_time is vyos_defined %}
+ipv6 pim register-suppress-time {{ register_suppress_time }}
+{% endif %}
+{% if rp.address is vyos_defined %}
+{% for address, address_config in rp.address.items() %}
+{% if address_config.group is vyos_defined %}
+{% for group in address_config.group %}
+ipv6 pim rp {{ address }} {{ group }}
+{% endfor %}
+{% endif %}
+{% if address_config.prefix_list6 is vyos_defined %}
+ipv6 pim rp {{ address }} prefix-list {{ address_config.prefix_list6 }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if rp.keep_alive_timer is vyos_defined %}
+ipv6 pim rp keep-alive-timer {{ rp.keep_alive_timer }}
+{% endif %}
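Review bot: The `// 100` on the `query-max-response-time` and `last-member-query-interval` lines is an undocumented unit conversion, and it raises a TypeError at render time if the config dict hands the value over as a string, since Jinja does not coerce `str // int`. Casting first, `{{ iface_config.mld.max_response_time | int // 100 }}` (filters bind tighter than `//`), makes the line robust, and a comment such as `{# CLI value is in milliseconds, FRR expects tenths of a second #}` would record the units — confirm those units against FRR's pim6d documentation before asserting them. The `rp.address` block correctly guards `address_config.group` with `is vyos_defined` before iterating it.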
diff --git a/data/templates/frr/pimd.frr.j2 b/data/templates/frr/pimd.frr.j2
index cb2f2aa98..68edf4a5c 100644
--- a/data/templates/frr/pimd.frr.j2
+++ b/data/templates/frr/pimd.frr.j2
@@ -1,34 +1,95 @@
+{% if interface is vyos_defined %}
+{% for iface, iface_config in interface.items() %}
!
-{% for rp_addr in old_pim.rp %}
-{% for group in old_pim.rp[rp_addr] %}
-no ip pim rp {{ rp_addr }} {{ group }}
+interface {{ iface }}
+ ip pim
+{% if iface_config.bfd is vyos_defined %}
+ ip pim bfd {{ 'profile ' ~ iface_config.bfd.profile if iface_config.bfd.profile is vyos_defined }}
+{% endif %}
+{% if iface_config.no_bsm is vyos_defined %}
+ no ip pim bsm
+{% endif %}
+{% if iface_config.dr_priority is vyos_defined %}
+ ip pim drpriority {{ iface_config.dr_priority }}
+{% endif %}
+{% if iface_config.hello is vyos_defined %}
+ ip pim hello {{ iface_config.hello }}
+{% endif %}
+{% if iface_config.no_unicast_bsm is vyos_defined %}
+ no ip pim unicast-bsm
+{% endif %}
+{% if iface_config.passive is vyos_defined %}
+ ip pim passive
+{% endif %}
+{% if iface_config.source_address is vyos_defined %}
+ ip pim use-source {{ iface_config.source_address }}
+{% endif %}
+{% if iface_config.igmp is vyos_defined and iface_config.igmp.disable is not vyos_defined %}
+ ip igmp
+{% if iface_config.igmp.query_interval %}
+ ip igmp query-interval {{ iface_config.igmp.query_interval }}
+{% endif %}
+{% if iface_config.igmp.query_max_response_time %}
+ ip igmp query-max-response-time {{ iface_config.igmp.query_max_response_time }}
+{% endif %}
+{% if iface_config.igmp.version is vyos_defined %}
+ ip igmp version {{ iface_config.igmp.version }}
+{% endif %}
+{% if iface_config.igmp.join is vyos_defined %}
+{% for join, join_config in iface_config.igmp.join.items() %}
+{% if join_config.source_address is vyos_defined %}
+{% for source_address in join_config.source_address %}
+ ip igmp join {{ join }} {{ source_address }}
+{% endfor %}
+{% else %}
+ ip igmp join {{ join }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endif %}
+exit
{% endfor %}
-{% endfor %}
-{% if old_pim.rp_keep_alive %}
-no ip pim rp keep-alive-timer {{ old_pim.rp_keep_alive }}
{% endif %}
-{% for iface in old_pim.ifaces %}
-interface {{ iface }}
-no ip pim
-!
-{% endfor %}
-{% for iface in pim.ifaces %}
-interface {{ iface }}
-ip pim
-{% if pim.ifaces[iface].dr_prio %}
-ip pim drpriority {{ pim.ifaces[iface].dr_prio }}
-{% endif %}
-{% if pim.ifaces[iface].hello %}
-ip pim hello {{ pim.ifaces[iface].hello }}
-{% endif %}
!
-{% endfor %}
-{% for rp_addr in pim.rp %}
-{% for group in pim.rp[rp_addr] %}
-ip pim rp {{ rp_addr }} {{ group }}
+{% if ecmp is vyos_defined %}
+ip pim ecmp {{ 'rebalance' if ecmp.rebalance is vyos_defined }}
+{% endif %}
+{% if join_prune_interval is vyos_defined %}
+ip pim join-prune-interval {{ join_prune_interval }}
+{% endif %}
+{% if keep_alive_timer is vyos_defined %}
+ip pim keep-alive-timer {{ keep_alive_timer }}
+{% endif %}
+{% if packets is vyos_defined %}
+ip pim packets {{ packets }}
+{% endif %}
+{% if register_accept_list.prefix_list is vyos_defined %}
+ip pim register-accept-list {{ register_accept_list.prefix_list }}
+{% endif %}
+{% if register_suppress_time is vyos_defined %}
+ip pim register-suppress-time {{ register_suppress_time }}
+{% endif %}
+{% if rp.address is vyos_defined %}
+{% for address, address_config in rp.address.items() %}
+{% for group in address_config.group %}
+ip pim rp {{ address }} {{ group }}
+{% endfor %}
{% endfor %}
-{% endfor %}
-{% if pim.rp_keep_alive %}
-ip pim rp keep-alive-timer {{ pim.rp_keep_alive }}
+{% endif %}
+{% if rp.keep_alive_timer is vyos_defined %}
+ip pim rp keep-alive-timer {{ rp.keep_alive_timer }}
+{% endif %}
+{% if no_v6_secondary is vyos_defined %}
+no ip pim send-v6-secondary
+{% endif %}
+{% if spt_switchover.infinity_and_beyond is vyos_defined %}
+ip pim spt-switchover infinity-and-beyond {{ 'prefix-list ' ~ spt_switchover.infinity_and_beyond.prefix_list if spt_switchover.infinity_and_beyond.prefix_list is defined }}
+{% endif %}
+{% if ssm.prefix_list is vyos_defined %}
+ip pim ssm prefix-list {{ ssm.prefix_list }}
+{% endif %}
+!
+{% if igmp.watermark_warning is vyos_defined %}
+ip igmp watermark-warn {{ igmp.watermark_warning }}
{% endif %}
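Review bot: The `ip igmp query-interval` and `ip igmp query-max-response-time` guards use bare truthiness (`{% if iface_config.igmp.query_interval %}`) and the `spt-switchover` line uses `is defined`, while every other condition in this file uses `is vyos_defined`; aligning them, e.g. `{% if iface_config.igmp.query_interval is vyos_defined %}`, keeps the template's undefined/None handling uniform. The `{% for group in address_config.group %}` loop under `rp.address` is not guarded the way the pim6d counterpart in this commit is (`{% if address_config.group is vyos_defined %}`), so an RP entry without a `group` — if the CLI permits that here — iterates an undefined value. A comment on the `ip pim ecmp {{ 'rebalance' if ecmp.rebalance is vyos_defined }}` line noting that the inline conditional deliberately renders as an empty string to produce the plain `ip pim ecmp` form would help readers.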
!
diff --git a/data/templates/frr/zebra.segment_routing.frr.j2 b/data/templates/frr/zebra.segment_routing.frr.j2
new file mode 100644
index 000000000..7b12fcdd0
--- /dev/null
+++ b/data/templates/frr/zebra.segment_routing.frr.j2
@@ -0,0 +1,23 @@
+!
+{% if srv6.locator is vyos_defined %}
+segment-routing
+ srv6
+ locators
+{% for locator, locator_config in srv6.locator.items() %}
+ locator {{ locator }}
+{% if locator_config.prefix is vyos_defined %}
+ prefix {{ locator_config.prefix }} block-len {{ locator_config.block_len }} node-len {{ locator_config.node_len }} func-bits {{ locator_config.func_bits }}
+{% endif %}
+{% if locator_config.behavior_usid is vyos_defined %}
+ behavior usid
+{% endif %}
+ exit
+ !
+{% endfor %}
+ exit
+ !
+exit
+!
+exit
+!
+{% endif %}
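Review bot: The `prefix` line renders `locator_config.block_len`, `locator_config.node_len` and `locator_config.func_bits` unguarded, so if any of them is absent the emitted FRR line is truncated (or rendering fails under a strict undefined) even though only `locator_config.prefix` was checked. If the conf-mode script always fills these from CLI defaults, a comment stating so (`{# block-len, node-len and func-bits are always present via defaults #}`) would document the contract; otherwise each keyword should be emitted only when its value `is vyos_defined`. A comment marking which `exit` closes `locators`, `srv6` and `segment-routing` would also make the nested block easier to maintain.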
diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2
new file mode 100644
index 000000000..278ffbf2c
--- /dev/null
+++ b/data/templates/grub/grub_common.j2
@@ -0,0 +1,23 @@
+# load EFI video modules
+if [ "${grub_platform}" == "efi" ]; then
+ insmod efi_gop
+ insmod efi_uga
+fi
+
+# create and activate serial console
+function setup_serial {
+ # initialize the first serial port by default
+ if [ "${console_type}" == "ttyS" ]; then
+ serial --unit=${console_num}
+ else
+ serial --unit=0
+ fi
+ terminal_output --append serial console
+ terminal_input --append serial console
+}
+
+setup_serial
+
+{% if search_root %}
+{{ search_root }}
+{% endif %}
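Review bot: In `setup_serial`, the `ttyS` branch passes `${console_num}` straight to `serial --unit=`; if `console_num` is empty or unset (it is only populated by `read console_num` in grub_options.j2 or by an exported variable), the command becomes `serial --unit=` and fails, losing the serial console instead of falling back to unit 0. Adding a `[ -n "${console_num}" ]` check to that branch keeps the fallback. `{{ search_root }}` is emitted verbatim as a grub command line rather than a path; a comment such as `{# search_root is a complete grub command line supplied by the caller, emitted as-is #}` would make that contract explicit — confirm against the generating code.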
diff --git a/data/templates/grub/grub_compat.j2 b/data/templates/grub/grub_compat.j2
new file mode 100644
index 000000000..887d5d0bd
--- /dev/null
+++ b/data/templates/grub/grub_compat.j2
@@ -0,0 +1,63 @@
+{# j2lint: disable=S6 #}
+### Generated by VyOS image-tools v.{{ tools_version }} ###
+{% macro menu_name(mode) -%}
+{% if mode == 'normal' -%}
+ VyOS
+{%- elif mode == 'pw_reset' -%}
+ Lost password change
+{%- else -%}
+ Unknown
+{%- endif %}
+{%- endmacro %}
+{% macro console_name(type) -%}
+{% if type == 'tty' -%}
+ KVM
+{%- elif type == 'ttyS' -%}
+ Serial
+{%- elif type == 'ttyUSB' -%}
+ USB
+{%- else -%}
+ Unknown
+{%- endif %}
+{%- endmacro %}
+{% macro console_opts(type) -%}
+{% if type == 'tty' -%}
+ console=ttyS0,115200 console=tty0
+{%- elif type == 'ttyS' -%}
+ console=tty0 console=ttyS0,115200
+{%- elif type == 'ttyUSB' -%}
+ console=tty0 console=ttyUSB0,115200
+{%- else -%}
+ console=tty0 console=ttyS0,115200
+{%- endif %}
+{%- endmacro %}
+{% macro passwd_opts(mode) -%}
+{% if mode == 'pw_reset' -%}
+ init=/opt/vyatta/sbin/standalone_root_pw_reset
+{%- endif %}
+{%- endmacro %}
+set default={{ default }}
+set timeout={{ timeout }}
+{% if console_type == 'ttyS' %}
+serial --unit={{ console_num }} --speed=115200
+{% else %}
+serial --unit=0 --speed=115200
+{% endif %}
+terminal_output --append serial
+terminal_input serial console
+{% for mod in modules %}
+insmod {{ mod }}
+{% endfor %}
+{% if root %}
+set root={{ root }}
+{% endif %}
+{% if search_root %}
+{{ search_root }}
+{% endif %}
+
+{% for v in versions %}
+menuentry "{{ menu_name(v.bootmode) }} {{ v.version }} ({{ console_name(v.console_type) }} console)" {
+ linux /boot/{{ v.version }}/vmlinuz {{ v.boot_opts }} {{ console_opts(v.console_type) }} {{ passwd_opts(v.bootmode) }}
+ initrd /boot/{{ v.version }}/initrd.img
+}
+{% endfor %}
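Review bot: `passwd_opts` hardcodes `init=/opt/vyatta/sbin/standalone_root_pw_reset`, while grub_vyos_version.j2 in this same commit uses `init=/usr/libexec/vyos/system/standalone_root_pw_reset`; if the difference is intentional because this compat menu targets older images that still ship the Vyatta path, a macro comment saying so (`{# legacy image layout; newer images use /usr/libexec/vyos/system #}`) would stop the next maintainer from unifying them. The `serial --unit={{ console_num }}` line has the same empty-`console_num` issue as grub_common.j2. The `menuentry` titles and the `linux` line interpolate `v.version`, `v.boot_opts` and the console options without escaping, so the generating tool must guarantee they contain no double quotes or newlines — worth stating in a comment above the `{% for v in versions %}` loop.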
diff --git a/data/templates/grub/grub_main.j2 b/data/templates/grub/grub_main.j2
new file mode 100644
index 000000000..0c7ea0202
--- /dev/null
+++ b/data/templates/grub/grub_main.j2
@@ -0,0 +1,7 @@
+load_env
+insmod regexp
+
+for cfgfile in ${prefix}/grub.cfg.d/*-autoload.cfg
+do
+ source ${cfgfile}
+done
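Review bot: `source ${cfgfile}` is unquoted here, while the equivalent loop in grub_menu.j2 in this commit writes `source "${cfgfile}"`; the two new templates should use the same form, and the quoted one is the safer choice for paths containing spaces. A short header comment would also help, e.g. `# Loads every *-autoload.cfg drop-in from ${prefix}/grub.cfg.d`.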
diff --git a/data/templates/grub/grub_menu.j2 b/data/templates/grub/grub_menu.j2
new file mode 100644
index 000000000..e73005f5d
--- /dev/null
+++ b/data/templates/grub/grub_menu.j2
@@ -0,0 +1,5 @@
+for cfgfile in ${config_directory}/vyos-versions/*.cfg
+do
+ source "${cfgfile}"
+done
+source ${config_directory}/50-vyos-options.cfg
diff --git a/data/templates/grub/grub_modules.j2 b/data/templates/grub/grub_modules.j2
new file mode 100644
index 000000000..24b540c9d
--- /dev/null
+++ b/data/templates/grub/grub_modules.j2
@@ -0,0 +1,3 @@
+{% for mod_name in mods_list %}
+insmod {{ mod_name | e }}
+{% endfor %}
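Review bot: `{{ mod_name | e }}` applies Jinja's HTML escaping, which is the wrong escaping for a grub script: it turns `&`, `<`, `>`, `"` and `'` into HTML entities, producing an invalid `insmod` argument rather than a safely quoted one, and it does nothing for whitespace or `;`. The same applies to `{{ var_name | e }}` and `{{ var_value | e }}` in grub_vars.j2 in this commit, where `"` inside the double-quoted `set` value is the only character the filter would neutralise, at the cost of corrupting any value containing `&`. Since there is no grub-specific escaping filter here, the robust fix is for the generating code to validate module names against a strict pattern (letters, digits, `_`, `-`) and to reject variable names and values containing `"`, `\`, whitespace or newlines, with a template comment stating that contract; `| e` can then be dropped or kept only as defence in depth.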
diff --git a/data/templates/grub/grub_options.j2 b/data/templates/grub/grub_options.j2
new file mode 100644
index 000000000..c8a1472e1
--- /dev/null
+++ b/data/templates/grub/grub_options.j2
@@ -0,0 +1,52 @@
+submenu "Boot options" {
+ submenu "Select boot mode" {
+ menuentry "Normal" {
+ set bootmode="normal"
+ export bootmode
+ configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+ }
+ menuentry "Password reset" {
+ set bootmode="pw_reset"
+ export bootmode
+ configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+ }
+ menuentry "System recovery" {
+ set bootmode="recovery"
+ export bootmode
+ configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+ }
+ menuentry "Load the whole root filesystem to RAM" {
+ set boot_toram="yes"
+ export boot_toram
+ configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+ }
+ }
+ submenu "Select console type" {
+ menuentry "tty (graphical)" {
+ set console_type="tty"
+ export console_type
+ configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+ }
+ menuentry "ttyS (serial)" {
+ set console_type="ttyS"
+ export console_type
+ setup_serial
+ configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+ }
+ menuentry "ttyUSB (USB serial)" {
+ set console_type="ttyUSB"
+ export console_type
+ setup_serial
+ configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+ }
+ }
+ menuentry "Enter console number" {
+ read console_num
+ export console_num
+ setup_serial
+ configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+ }
+ menuentry "Current: boot mode: ${bootmode}, console: ${console_type}${console_num}" {
+ echo
+ }
+}
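Review bot: `read console_num` stores whatever is typed and `setup_serial` then passes it unvalidated to `serial --unit=`; a non-numeric entry makes that `serial` call fail, so a comment after the `read` (`# a non-numeric value makes setup_serial's serial command fail`) would document the behaviour — confirm what grub leaves as the active terminal in that case. Style: `configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg` is repeated in every menuentry; defining `function reload_menu { configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg; }` once (grub_common.j2 already uses a function for `setup_serial`) and calling it would remove the duplication. The `Current: ...` entry interpolates `${bootmode}` and `${console_type}${console_num}` when the submenu is rendered, so it appears to show the state at that moment rather than live values — a comment saying so would avoid surprise.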
diff --git a/data/templates/grub/grub_vars.j2 b/data/templates/grub/grub_vars.j2
new file mode 100644
index 000000000..e0002e8d8
--- /dev/null
+++ b/data/templates/grub/grub_vars.j2
@@ -0,0 +1,4 @@
+{% for var_name, var_value in vars.items() %}
+set {{ var_name | e }}="{{ var_value | e }}"
+export {{ var_name | e }}
+{% endfor %}
diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2
new file mode 100644
index 000000000..97fbe8473
--- /dev/null
+++ b/data/templates/grub/grub_vyos_version.j2
@@ -0,0 +1,22 @@
+{% set boot_opts_default = "boot=live rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/" + version_name %}
+{% if boot_opts != '' %}
+{% set boot_opts_rendered = boot_opts %}
+{% else %}
+{% set boot_opts_rendered = boot_opts_default %}
+{% endif %}
+menuentry "{{ version_name }}" --id {{ version_uuid }} {
+ set boot_opts="{{ boot_opts_rendered }}"
+ # load rootfs to RAM
+ if [ "${boot_toram}" == "yes" ]; then
+ set boot_opts="${boot_opts} toram"
+ fi
+ if [ "${bootmode}" == "pw_reset" ]; then
+ set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
+ elif [ "${bootmode}" == "recovery" ]; then
+ set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/bin/busybox init"
+ else
+ set boot_opts="${boot_opts} console=${console_type}${console_num}"
+ fi
+ linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts}
+ initrd "/boot/{{ version_name }}/initrd.img"
+}
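Review bot: `{% if boot_opts != '' %}` only catches the empty string; if `boot_opts` is undefined or `None` when no custom options are configured, the comparison is true and `set boot_opts=""` or `set boot_opts="None"` is emitted instead of the default, whereas `{% if boot_opts %}` covers all three cases. Both `boot_opts_default` (which embeds `version_name`) and the caller's `boot_opts` are inserted into a double-quoted grub string without escaping, so a comment should state that these values must not contain `"` — confirm where they are validated. A brief comment on the `pw_reset` and `recovery` branches naming what each `init=` target is would help readers of this menu.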
diff --git a/data/templates/high-availability/10-override.conf.j2 b/data/templates/high-availability/10-override.conf.j2
new file mode 100644
index 000000000..c153f09b4
--- /dev/null
+++ b/data/templates/high-availability/10-override.conf.j2
@@ -0,0 +1,16 @@
+### Autogenerated by ${vyos_conf_scripts_dir}/high-availability.py ###
+{% set snmp = '--snmp' if vrrp.snmp is vyos_defined else '' %}
+[Unit]
+After=vyos-router.service
+# Only start if there is our configuration file - remove Debian default
+# config file from the condition list
+ConditionFileNotEmpty=
+ConditionFileNotEmpty=/run/keepalived/keepalived.conf
+
+[Service]
+KillMode=process
+Type=simple
+# Read configuration variable file if it is present
+ExecStart=
+ExecStart=/usr/sbin/keepalived --use-file /run/keepalived/keepalived.conf --pid /run/keepalived/keepalived.pid --dont-fork {{ snmp }}
+PIDFile=/run/keepalived/keepalived.pid
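Review bot: The header `### Autogenerated by ${vyos_conf_scripts_dir}/high-availability.py ###` contains a literal `${vyos_conf_scripts_dir}`, which is not a Jinja expression and is written out unexpanded; the other templates touched by this commit (haproxy.cfg.j2, wlb.conf.j2) switch to the plain form, so this one should read `### Autogenerated by high-availability.py ###`. A short comment next to the `{% set snmp = ... %}` line, e.g. `# --snmp is appended to ExecStart only when vrrp snmp is configured`, would explain the empty-string fallback used on the `ExecStart` line.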
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index b541ff309..5d17df001 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -1,64 +1,65 @@
-### Autogenerated by https.py ###
-# Default server configuration
+### Autogenerated by service_https.py ###
-{% for server in server_block_list %}
+{% if enable_http_redirect is vyos_defined %}
server {
- # SSL configuration
- #
-{% if server.address == '*' %}
- listen {{ server.port }} ssl;
- listen [::]:{{ server.port }} ssl;
-{% else %}
- listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
-{% endif %}
+ listen 80 default_server;
+ server_name {{ hostname }};
+ return 301 https://$host$request_uri;
+}
+{% endif %}
-{% for name in server.name %}
- server_name {{ name }};
+server {
+{% if listen_address is vyos_defined %}
+{% for address in listen_address %}
+ listen {{ address | bracketize_ipv6 }}:{{ port }} ssl;
{% endfor %}
+{% else %}
+ listen {{ port }} ssl;
+ listen [::]:{{ port }} ssl;
+{% endif %}
- root /srv/localui;
+ server_name {{ hostname }};
+ root /srv/localui;
-{% if server.certbot %}
- ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem;
- ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem;
- include {{ server.certbot_dir }}/options-ssl-nginx.conf;
- ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem;
-{% elif server.vyos_cert %}
- ssl_certificate {{ server.vyos_cert.crt }};
- ssl_certificate_key {{ server.vyos_cert.key }};
-{% else %}
- #
- # Self signed certs generated by the ssl-cert package
- # Don't use them in a production server!
- #
- include snippets/snakeoil.conf;
+ # SSL configuration
+{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
+ ssl_certificate {{ certificates.cert_path }};
+ ssl_certificate_key {{ certificates.key_path }};
+{% if certificates.dh_file is vyos_defined %}
+ ssl_dhparam {{ certificates.dh_file }};
{% endif %}
- ssl_protocols TLSv1.2 TLSv1.3;
+{% else %}
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ include snippets/snakeoil.conf;
+{% endif %}
- # proxy settings for HTTP API, if enabled; 503, if not
- location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reset|docs|openapi.json|redoc|graphql) {
-{% if server.api %}
-{% if server.api.socket %}
- proxy_pass http://unix:/run/api.sock;
-{% else %}
- proxy_pass http://localhost:{{ server.api.port }};
-{% endif %}
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 600;
- proxy_buffering off;
-{% else %}
- return 503;
-{% endif %}
-{% if server.allow_client %}
-{% for client in server.allow_client %}
- allow {{ client }};
-{% endfor %}
- deny all;
-{% endif %}
- }
+ # Improve HTTPS performance with session resumption
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};
- error_page 497 =301 https://$host:{{ server.port }}$request_uri;
-}
+ # From LetsEncrypt
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-{% endfor %}
+ # proxy settings for HTTP API, if enabled; 503, if not
+ location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+{% if api is vyos_defined %}
+ proxy_pass http://unix:/run/api.sock;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 600;
+ proxy_buffering off;
+{% else %}
+ return 503;
+{% endif %}
+{% if allow_client.address is vyos_defined %}
+{% for address in allow_client.address %}
+ allow {{ address }};
+{% endfor %}
+ deny all;
+{% endif %}
+ }
+ error_page 497 =301 https://$host:{{ port }}$request_uri;
+}
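Review bot: The new HTTP redirect server returns `301 https://$host$request_uri`, dropping the configured HTTPS port, while the `error_page 497` line at the end of the TLS server keeps it with `https://$host:{{ port }}$request_uri`; when `port` is not 443 the plain-HTTP redirect sends clients to a port nothing listens on, so it should use the same form, `return 301 https://$host:{{ port }}$request_uri;`. `ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }}` only works if `tls_version` is a list — if the caller can pass a single string, `join` splits it into characters — so a comment stating the list contract is warranted. The hard-coded `ssl_ciphers` list under `# From LetsEncrypt` still contains SHA-1 CBC suites and `DHE-DSS` entries that current Mozilla/Let's Encrypt guidance no longer recommends; since the protocol set is already driven by `tls_version`, consider trimming the list to the AEAD suites or exposing it as a template variable so operators can tighten it.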
diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2
index fb424e06c..aa4da7666 100644
--- a/data/templates/https/vyos-http-api.service.j2
+++ b/data/templates/https/vyos-http-api.service.j2
@@ -3,9 +3,11 @@
Description=VyOS HTTP API service
After=vyos-router.service
Requires=vyos-router.service
+ConditionPathExists={{ api_config_state }}
[Service]
ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server
+ExecReload=kill -HUP $MAINPID
Type=idle
SyslogIdentifier=vyos-http-api
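Review bot: `ExecReload=kill -HUP $MAINPID` relies on systemd resolving `kill` via `$PATH`, which only works on systemd v239 and later (PATH lookup for `Exec*=` was added there); the absolute form `ExecReload=/bin/kill -HUP $MAINPID` is safe on every version. The new `ConditionPathExists={{ api_config_state }}` line would benefit from a comment naming what that file represents (presumably a state file written by the conf-mode script when the API is enabled — confirm), since the unit silently stays inactive when the condition fails. The `[Service]` section continues outside the hunk.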
@@ -19,4 +21,3 @@ Group=vyattacfg
[Install]
WantedBy=vyos.target
-
diff --git a/data/templates/igmp-proxy/igmpproxy.conf.j2 b/data/templates/igmp-proxy/igmpproxy.conf.j2
index ab3c9fd31..85a04de7d 100644
--- a/data/templates/igmp-proxy/igmpproxy.conf.j2
+++ b/data/templates/igmp-proxy/igmpproxy.conf.j2
@@ -1,6 +1,6 @@
########################################################
#
-# autogenerated by igmp_proxy.py
+# autogenerated by protocols_igmp-proxy.py
#
# The configuration file must define one upstream interface, and one or more
# downstream interfaces.
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index 60d2d1807..01dc8a4a7 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -29,8 +29,10 @@
{% endif %}
}
remote {
+{% if rw_conf.authentication.client_mode == 'x509' %}
+ auth = pubkey
+{% elif rw_conf.authentication.client_mode.startswith("eap") %}
auth = {{ rw_conf.authentication.client_mode }}
-{% if rw_conf.authentication.client_mode.startswith("eap") %}
eap_id = %any
{% endif %}
}
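Review bot: After this change an `auth = ...` line is emitted only for `x509` and `eap*` client modes; any other value of `rw_conf.authentication.client_mode` leaves the `remote` section without `auth`, so strongSwan applies its own default rather than the configured mode, whereas the old template always emitted `auth = {{ rw_conf.authentication.client_mode }}`. If the CLI constrains `client-mode` to exactly those values, a comment stating so (`{# client-mode is x509 or eap-*: x509 maps to strongSwan pubkey, eap-* is passed through #}`) would document why no `else` branch is needed; otherwise an `{% else %}` restoring the pass-through preserves behaviour for other modes. The `remote` block opens inside the hunk, but the enclosing connection definition starts above it.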
diff --git a/data/templates/lldp/lldpd.j2 b/data/templates/lldp/lldpd.j2
index 3c499197d..2238fe1c4 100644
--- a/data/templates/lldp/lldpd.j2
+++ b/data/templates/lldp/lldpd.j2
@@ -1,2 +1,2 @@
-### Autogenerated by lldp.py ###
-DAEMON_ARGS="-M 4 {{ '-x' if snmp.enable is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}"
+### Autogenerated by service_lldp.py ###
+DAEMON_ARGS="-M 4 {{ '-x' if snmp is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}"
diff --git a/data/templates/lldp/vyos.conf.j2 b/data/templates/lldp/vyos.conf.j2
index dfa422ab8..4b4228cea 100644
--- a/data/templates/lldp/vyos.conf.j2
+++ b/data/templates/lldp/vyos.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by lldp.py ###
+### Autogenerated by service_lldp.py ###
configure system platform VyOS
configure system description "VyOS {{ version }}"
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 0a40e1ecf..849cef74d 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -1,4 +1,4 @@
-# Generated by ${vyos_conf_scripts_dir}/load-balancing-haproxy.py
+### Autogenerated by load-balancing_reverse-proxy.py ###
global
log /dev/log local0
@@ -50,13 +50,19 @@ defaults
{% if service is vyos_defined %}
{% for front, front_config in service.items() %}
frontend {{ front }}
-{% set ssl_front = 'ssl crt /run/haproxy/' ~ front_config.ssl.certificate ~ '.pem' if front_config.ssl.certificate is vyos_defined else '' %}
+{% set ssl_front = [] %}
+{% if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %}
+{% for cert in front_config.ssl.certificate %}
+{% set _ = ssl_front.append('crt /run/haproxy/' ~ cert ~ '.pem') %}
+{% endfor %}
+{% endif %}
+{% set ssl_directive = 'ssl' if ssl_front else '' %}
{% if front_config.listen_address is vyos_defined %}
{% for address in front_config.listen_address %}
- bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_front }}
+ bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }}
{% endfor %}
{% else %}
- bind :::{{ front_config.port }} v4v6 {{ ssl_front }}
+ bind :::{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }}
{% endif %}
{% if front_config.redirect_http_to_https is vyos_defined %}
http-request redirect scheme https unless { ssl_fc }
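Review bot: The guard `front_config.ssl.certificate is iterable` does not distinguish a list from a string — Jinja's `iterable` test is true for strings as well — so if the value ever arrives as a single certificate name, the `{% for cert in front_config.ssl.certificate %}` loop emits one `crt /run/haproxy/<char>.pem` per character. If the conf-mode script normalises the value to a list, a comment saying so next to `{% set ssl_front = [] %}` would document the contract; otherwise add `and front_config.ssl.certificate is not string` to the condition. The backend side (`ssl_back` in the later hunk) still uses the scalar `ca-file` form, which is consistent as long as only one CA certificate is allowed there.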
@@ -146,7 +152,7 @@ backend {{ back }}
{% if back_config.server is vyos_defined %}
{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
{% for server, server_config in back_config.server.items() %}
- server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
+ server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
{% endfor %}
{% endif %}
{% if back_config.timeout.check is vyos_defined %}
@@ -161,4 +167,3 @@ backend {{ back }}
{% endfor %}
{% endif %}
-
diff --git a/data/templates/load-balancing/wlb.conf.j2 b/data/templates/load-balancing/wlb.conf.j2
index d3326b6b8..6557b6f4c 100644
--- a/data/templates/load-balancing/wlb.conf.j2
+++ b/data/templates/load-balancing/wlb.conf.j2
@@ -1,4 +1,4 @@
-# Generated by /usr/libexec/vyos/conf_mode/load-balancing-wan.py
+### Autogenerated by load-balancing_wan.py ###
{% if disable_source_nat is vyos_defined %}
disable-source-nat
@@ -41,7 +41,7 @@ health {
test-script {{ test_config.test_script }}
{% endif %}
{% if test_config.target is vyos_defined %}
- target {{ test_config.target }}
+ target {{ test_config.target }}
{% endif %}
resp-time {{ test_config.resp_time | int * 1000 }}
}
diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2
index aabca47cf..695b66abe 100644
--- a/data/templates/login/authorized_keys.j2
+++ b/data/templates/login/authorized_keys.j2
@@ -1,4 +1,4 @@
-### Automatically generated by system-login.py ###
+### Automatically generated by system_login.py ###
{% if authentication.public_keys is vyos_defined %}
{% for key, key_options in authentication.public_keys.items() %}
@@ -6,4 +6,3 @@
{{ key_options.options ~ ' ' if key_options.options is vyos_defined }}{{ key_options.type }} {{ key_options.key }} {{ key }}
{% endfor %}
{% endif %}
-
diff --git a/data/templates/login/limits.j2 b/data/templates/login/limits.j2
index 5e2c11f35..31abc85dd 100644
--- a/data/templates/login/limits.j2
+++ b/data/templates/login/limits.j2
@@ -1,4 +1,4 @@
-# Generated by /usr/libexec/vyos/conf_mode/system-login.py
+# Generated by system_login.py
{% if max_login_session is vyos_defined %}
* - maxsyslogins {{ max_login_session }}
diff --git a/data/templates/login/nsswitch.conf.j2 b/data/templates/login/nsswitch.conf.j2
index 65dc88291..0adfb491c 100644
--- a/data/templates/login/nsswitch.conf.j2
+++ b/data/templates/login/nsswitch.conf.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+# automatically generated by system_login.py ###
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
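Review bot: The new header `# automatically generated by system_login.py ###` mixes two styles — lowercase, and a trailing `###` with no leading one — whereas the other headers rewritten in this commit use either `### Automatically generated by system_login.py ###` (pam_radius_auth.conf.j2) or the plain `# Automatically generated by system_login.py` (tacplus_servers.j2). Pick one of those two forms here so the generated-file markers stay consistent and greppable.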
@@ -18,4 +18,3 @@ ethers: db files
rpc: db files
netgroup: nis
-
diff --git a/data/templates/login/pam_radius_auth.conf.j2 b/data/templates/login/pam_radius_auth.conf.j2
index c61154753..75437ca71 100644
--- a/data/templates/login/pam_radius_auth.conf.j2
+++ b/data/templates/login/pam_radius_auth.conf.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+### Automatically generated by system_login.py ###
# RADIUS configuration file
{% if radius is vyos_defined %}
diff --git a/data/templates/login/tacplus_servers.j2 b/data/templates/login/tacplus_servers.j2
index 5a65d6e68..23e8e495e 100644
--- a/data/templates/login/tacplus_servers.j2
+++ b/data/templates/login/tacplus_servers.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+# Automatically generated by system_login.py
# TACACS+ configuration file
# This is a common file used by audisp-tacplus, libpam_tacplus, and
@@ -56,4 +56,3 @@ user_homedir=1
service=shell
protocol=ssh
-
diff --git a/data/templates/macsec/wpa_supplicant.conf.j2 b/data/templates/macsec/wpa_supplicant.conf.j2
index 1f7ba16f4..4bb762935 100644
--- a/data/templates/macsec/wpa_supplicant.conf.j2
+++ b/data/templates/macsec/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-macsec.py ###
+### Autogenerated by interfaces_macsec.py ###
# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
diff --git a/data/templates/mdns-repeater/avahi-daemon.j2 b/data/templates/mdns-repeater/avahi-daemon.conf.j2
index e0dfd897e..cc6495817 100644
--- a/data/templates/mdns-repeater/avahi-daemon.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.conf.j2
@@ -1,7 +1,7 @@
-### Autogenerated by service_mdns-repeater.py ###
+### Autogenerated by service_mdns_repeater.py ###
[server]
-use-ipv4=yes
-use-ipv6=yes
+use-ipv4={{ 'yes' if ip_version in ['ipv4', 'both'] else 'no' }}
+use-ipv6={{ 'yes' if ip_version in ['ipv6', 'both'] else 'no' }}
allow-interfaces={{ interface | join(', ') }}
{% if browse_domain is vyos_defined and browse_domain | length %}
browse-domains={{ browse_domain | join(', ') }}
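Review bot: `use-ipv4` and `use-ipv6` now derive from `ip_version in ['ipv4', 'both']` and `['ipv6', 'both']`, so if `ip_version` is undefined both resolve to `no` and the daemon listens on neither family, whereas the old template enabled both unconditionally. If the conf-mode script always supplies a default of `both`, a comment under `[server]` stating that dependency would document it; otherwise the expressions should fall back to `yes` when `ip_version` is not set. The `publish-aaaa-on-ipv4=no` / `publish-a-on-ipv6=no` lines in the second hunk would benefit from a one-line comment giving the reason cross-family address publication is disabled for this reflector setup — confirm the rationale.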
@@ -17,6 +17,8 @@ disable-user-service-publishing=yes
publish-addresses=no
publish-hinfo=no
publish-workstation=no
+publish-aaaa-on-ipv4=no
+publish-a-on-ipv6=no
[reflector]
enable-reflector=yes
diff --git a/data/templates/mdns-repeater/override.conf.j2 b/data/templates/mdns-repeater/override.conf.j2
new file mode 100644
index 000000000..8c8187489
--- /dev/null
+++ b/data/templates/mdns-repeater/override.conf.j2
@@ -0,0 +1,7 @@
+[Unit]
+After=vyos-router.service
+ConditionPathExists={{ config_file }}
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/avahi-daemon --syslog --file {{ config_file }}
diff --git a/data/templates/ndppd/ndppd.conf.j2 b/data/templates/ndppd/ndppd.conf.j2
index 120fa0a64..6369dbdeb 100644
--- a/data/templates/ndppd/ndppd.conf.j2
+++ b/data/templates/ndppd/ndppd.conf.j2
@@ -1,44 +1,35 @@
-########################################################
-#
-# autogenerated by nat66.py
-#
-# The configuration file must define one upstream
-# interface.
-#
-# For some services, such as nat66, because it runs
-# stateless, it needs to rely on NDP Proxy to respond
-# to NDP requests.
-#
-# When using nat66 source rules, NDP Proxy needs
-# to be enabled
-#
-########################################################
+# autogenerated by service_ndp-proxy.py
-{% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %}
-{% if source.rule is vyos_defined %}
-{% for rule, config in source.rule.items() if config.disable is not defined %}
-{% if config.outbound_interface is vyos_defined %}
-{% if config.outbound_interface not in global.ndppd_interfaces %}
-{% set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %}
-{% endif %}
-{% if config.translation.address is vyos_defined and config.translation.address | is_ip_network %}
-{% set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %}
-{% endif %}
-{% endif %}
-{% endfor %}
-{% endif %}
+# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
+route-ttl {{ route_refresh }}
+
+{% if interface is vyos_defined %}
+# This sets up a listener, that will listen for any Neighbor Solicitation
+# messages, and respond to them according to a set of rules
+{% for iface, iface_config in interface.items() if iface_config.disable is not vyos_defined %}
+proxy {{ iface }} {
+ # Turn on or off the router flag for Neighbor Advertisements
+ router {{ 'yes' if iface_config.enable_router_bit is vyos_defined else 'no' }}
+ # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
+ timeout {{ iface_config.timeout }}
+ # Control how long a valid or invalid entry remains in the cache (milliseconds)
+ ttl {{ iface_config.ttl }}
-{% for interface in global.ndppd_interfaces %}
-proxy {{ interface }} {
- router yes
- timeout 500
- ttl 30000
-{% for map in global.ndppd_prefixs %}
-{% if map.interface == interface %}
- rule {{ map.rule }} {
- static
+{% if iface_config.prefix is vyos_defined %}
+ # This is a rule that the target address is to match against. If no netmask
+ # is provided, /128 is assumed. You may have several rule sections, and the
+ # addresses may or may not overlap.
+{% for prefix, prefix_config in iface_config.prefix.items() if prefix_config.disable is not vyos_defined %}
+ rule {{ prefix }} {
+{% if prefix_config.mode is vyos_defined('interface') %}
+ iface {{ prefix_config.interface }}
+{% else %}
+ {{ prefix_config.mode }}
+{% endif %}
}
-{% endif %}
-{% endfor %}
+{% endfor %}
+{% endif %}
}
-{% endfor %}
+
+{% endfor %}
+{% endif %}
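Review bot: `timeout {{ iface_config.timeout }}`, `ttl {{ iface_config.ttl }}` and `route-ttl {{ route_refresh }}` are rendered unguarded while `prefix` and `disable` are checked with `is vyos_defined`; if these values are not guaranteed by CLI defaults, the generated file contains `timeout ` with no value and ndppd rejects it. If defaults are always present, a comment at the top such as `{# timeout, ttl and route_refresh are always set via CLI defaults #}` would record that assumption — confirm against the conf-mode script. The per-directive comments are a clear improvement over the old generated block; the `(milliseconds)` units stated for `timeout` and `ttl` should likewise be confirmed against the ndppd manual.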
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 1401b8b26..b5e890c32 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -119,4 +119,21 @@ split-dns = {{ tmp }}
{% for grp in authentication.group %}
select-group = {{ grp }}
{% endfor %}
-{% endif %} \ No newline at end of file
+{% endif %}
+
+{% if http_security_headers is vyos_defined %}
+# HTTP security headers
+included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
+included-http-headers = X-Frame-Options: deny
+included-http-headers = X-Content-Type-Options: nosniff
+included-http-headers = Content-Security-Policy: default-src "none"
+included-http-headers = X-Permitted-Cross-Domain-Policies: none
+included-http-headers = Referrer-Policy: no-referrer
+included-http-headers = Clear-Site-Data: "cache","cookies","storage"
+included-http-headers = Cross-Origin-Embedder-Policy: require-corp
+included-http-headers = Cross-Origin-Opener-Policy: same-origin
+included-http-headers = Cross-Origin-Resource-Policy: same-origin
+included-http-headers = X-XSS-Protection: 0
+included-http-headers = Pragma: no-cache
+included-http-headers = Cache-control: no-store, no-cache
+{% endif %}
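Review bot: The Content-Security-Policy value on the fourth header line writes the keyword as `"none"` with double quotes, while the CSP grammar only defines the single-quoted keyword `'none'`; a double-quoted token is an invalid source expression that browsers discard with a console warning. The line appears to mirror ocserv's upstream sample config, so unless ocserv's parser rewrites the quoting on the way out, `included-http-headers = Content-Security-Policy: default-src 'none'` is the form the specification expects, and rendering the header once and checking it in a browser devtools console would settle it. A Jinja comment stating that this block is all-or-nothing and is attached to every HTTP response ocserv emits would also help operators, since `Clear-Site-Data` on every response is appropriate for a VPN client endpoint but disruptive if the same listener ever fronts a browser-facing page.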
diff --git a/data/templates/openvpn/auth.pw.j2 b/data/templates/openvpn/auth.pw.j2
index 218121062..9f9b31e7a 100644
--- a/data/templates/openvpn/auth.pw.j2
+++ b/data/templates/openvpn/auth.pw.j2
@@ -1,4 +1,4 @@
-{# Autogenerated by interfaces-openvpn.py #}
+{# Autogenerated by interfaces_openvpn.py #}
{% if authentication is vyos_defined %}
{{ authentication.username }}
{{ authentication.password }}
diff --git a/data/templates/openvpn/client.conf.j2 b/data/templates/openvpn/client.conf.j2
index 2e327e4d3..9edcdc8ae 100644
--- a/data/templates/openvpn/client.conf.j2
+++ b/data/templates/openvpn/client.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-openvpn.py ###
+### Autogenerated by interfaces_openvpn.py ###
{% if ip is vyos_defined %}
ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index f76fbbe79..64c8e8086 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-openvpn.py ###
+### Autogenerated by interfaces_openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
@@ -74,26 +74,17 @@ topology {{ server.topology }}
{% endif %}
{% for subnet in server.subnet %}
{% if subnet | is_ipv4 %}
-server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
+server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nopool' if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined else '' }}
{# First ip address is used as gateway. It's allows to use metrics #}
{% if server.push_route is vyos_defined %}
{% for route, route_config in server.push_route.items() %}
{% if route | is_ipv4 %}
-push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ 'vpn_gateway' ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
{% elif route | is_ipv6 %}
push "route-ipv6 {{ route }}"
{% endif %}
{% endfor %}
{% endif %}
-{# OpenVPN assigns the first IP address to its local interface so the pool used #}
-{# in net30 topology - where each client receives a /30 must start from the second subnet #}
-{% if server.topology is vyos_defined('net30') %}
-ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
-{% else %}
-{# OpenVPN assigns the first IP address to its local interface so the pool must #}
-{# start from the second address and end on the last address #}
-ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
-{% endif %}
{% elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
{% endif %}
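Review bot: The `server` line now emits `nopool` only when `client_ip_pool` is defined and not disabled, and the `ifconfig-pool` directives that previously supplied the address pool are removed from this hunk; nothing visible here emits a replacement pool, so if it moved elsewhere in the template a Jinja comment next to the `server` line pointing to that location would keep a reader from taking this as a pool-less server by mistake. With the `else ''` branch the rendered line also ends in a trailing space; `{{ subnet | netmask_from_cidr }}{{ ' nopool' if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined }}` keeps the output clean and matches the guard style used elsewhere in the file. The `vpn_gateway` token in the `push "route …"` line is resolved by the client, so dropping the `first_host_address` filter there looks correct; the enclosing `for subnet` loop starts before this hunk.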
diff --git a/data/templates/pmacct/override.conf.j2 b/data/templates/pmacct/override.conf.j2
index 213569ddc..44a100bb6 100644
--- a/data/templates/pmacct/override.conf.j2
+++ b/data/templates/pmacct/override.conf.j2
@@ -9,9 +9,9 @@ ConditionPathExists=/run/pmacct/uacctd.conf
EnvironmentFile=
ExecStart=
ExecStart={{ vrf_command }}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf
+ExecStop=/usr/libexec/vyos/system/uacctd_stop.py $MAINPID 60
WorkingDirectory=
WorkingDirectory=/run/pmacct
-PIDFile=
-PIDFile=/run/pmacct/uacctd.pid
Restart=always
RestartSec=10
+KillMode=mixed
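Review bot: The new `ExecStop=` hands a 60 second grace period to the stop script, but the drop-in sets no `TimeoutStopSec=`, so the stop path silently depends on the unit's inherited stop timeout (systemd's default is 90 s) staying longer than the script's own wait plus whatever it does afterwards; if that timeout is lowered system-wide, systemd SIGKILLs the script and `KillMode=mixed` then SIGKILLs the daemon before it can flush. Setting it explicitly, e.g. `TimeoutStopSec=90`, keeps the two values visibly related. Removing `PIDFile=` is only safe if the unit is not `Type=forking`; the sibling hunk in uacctd.conf.j2 drops `pidfile` but keeps `daemonize: true`, so confirm that the PID `$MAINPID` expands to is the accounting process the stop script expects to signal.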
diff --git a/data/templates/pmacct/uacctd.conf.j2 b/data/templates/pmacct/uacctd.conf.j2
index 1370f8121..aae0a0619 100644
--- a/data/templates/pmacct/uacctd.conf.j2
+++ b/data/templates/pmacct/uacctd.conf.j2
@@ -1,7 +1,7 @@
# Genereated from VyOS configuration
daemonize: true
promisc: false
-pidfile: /run/pmacct/uacctd.pid
+syslog: daemon
uacctd_group: 2
uacctd_nl_size: 2097152
snaplen: {{ packet_length }}
diff --git a/data/templates/pppoe/peer.j2 b/data/templates/pppoe/peer.j2
index f30cefe63..efe47f369 100644
--- a/data/templates/pppoe/peer.j2
+++ b/data/templates/pppoe/peer.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-pppoe.py ###
+### Autogenerated by interfaces_pppoe.py ###
{{ '# ' ~ description if description is vyos_defined else '' }}
# Require peer to provide the local IP address if it is not
@@ -50,7 +50,7 @@ ifname {{ ifname }}
ipparam {{ ifname }}
debug
mtu {{ mtu }}
-mru {{ mtu }}
+mru {{ mru }}
{% if authentication is vyos_defined %}
{{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }}
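Review bot: `mru {{ mru }}` assumes `mru` is always present in the template context; unlike `authentication` two lines below it has no `is vyos_defined` guard, so a missing value renders an argument-less `mru` line that pppd does not accept. If the conf-mode script always merges a default this is fine and a short Jinja comment saying so would help; otherwise `{{ 'mru ' ~ mru if mru is vyos_defined }}` mirrors the pattern already used in this file.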
diff --git a/data/templates/rsyslog/logrotate.j2 b/data/templates/rsyslog/logrotate.j2
index cc535c48f..ea33fea4f 100644
--- a/data/templates/rsyslog/logrotate.j2
+++ b/data/templates/rsyslog/logrotate.j2
@@ -1,4 +1,4 @@
-### Autogenerated by system-syslog.py ###
+### Autogenerated by system_syslog.py ###
/var/log/messages {
missingok
notifempty
diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2
index dff904129..97e0ee0b7 100644
--- a/data/templates/rsyslog/rsyslog.conf.j2
+++ b/data/templates/rsyslog/rsyslog.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by system-syslog.py ###
+### Autogenerated by system_syslog.py ###
{% if global.marker is vyos_defined %}
$ModLoad immark
@@ -15,7 +15,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }}
{% if global.facility is vyos_defined %}
{% set tmp = [] %}
{% for facility, facility_options in global.facility.items() %}
-{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
{% endfor %}
{{ tmp | join(';') }} :omfile:$global
{% endif %}
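Review bot: The same `facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')` expression now appears five times — here and in the hunks at file lines 27, 38, 49 and 70 — so the next change to the selector syntax has to be repeated in five places. A macro defined once near the top of the template, e.g. `{% macro selector(facility, level) %}{{ facility.replace('all', '*') }}.{{ level.replace('all', '*') }}{% endmacro %}`, called as `tmp.append(selector(facility, facility_options.level))`, keeps the mapping in one place. `str.replace` substitutes any occurrence rather than matching the whole token; that is harmless for the facility and level names rsyslog defines, but a comment stating that `all` is mapped to `*` for both fields would make the intent explicit.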
@@ -27,7 +27,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }}
$outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archive.size }},/usr/sbin/logrotate {{ logrotate }}
{% if file_options.facility is vyos_defined %}
{% for facility, facility_options in file_options.facility.items() %}
-{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
{% endfor %}
{% endif %}
{{ tmp | join(';') }} :omfile:${{ file }}
@@ -38,7 +38,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
# Console logging
{% set tmp = [] %}
{% for facility, facility_options in console.facility.items() %}
-{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
{% endfor %}
{{ tmp | join(';') }} /dev/console
{% endif %}
@@ -49,7 +49,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
{% set tmp = [] %}
{% if host_options.facility is vyos_defined %}
{% for facility, facility_options in host_options.facility.items() %}
-{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
{% endfor %}
{% endif %}
{% if host_options.protocol is vyos_defined('tcp') %}
@@ -70,7 +70,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
{% set tmp = [] %}
{% if user_options.facility is vyos_defined %}
{% for facility, facility_options in user_options.facility.items() %}
-{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
{% endfor %}
{% endif %}
{{ tmp | join(';') }} :omusrmsg:{{ username }}
diff --git a/data/templates/salt-minion/minion.j2 b/data/templates/salt-minion/minion.j2
index f4001db64..a69438f0b 100644
--- a/data/templates/salt-minion/minion.j2
+++ b/data/templates/salt-minion/minion.j2
@@ -1,4 +1,4 @@
-### Autogenerated by salt-minion.py ###
+### Autogenerated by service_salt-minion.py ###
##### Primary configuration settings #####
##########################################
diff --git a/data/templates/snmp/etc.snmp.conf.j2 b/data/templates/snmp/etc.snmp.conf.j2
index 8012cf6bb..c214b2266 100644
--- a/data/templates/snmp/etc.snmp.conf.j2
+++ b/data/templates/snmp/etc.snmp.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
{% if trap_source is vyos_defined %}
clientaddr {{ trap_source }}
{% endif %}
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index 9d78d479a..b1ceb0451 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
# non configurable defaults
sysObjectID 1.3.6.1.4.1.44641
@@ -56,6 +56,16 @@ SysDescr {{ description }}
{% endif %}
agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vyos_defined }}
+{% if mib is vyos_defined %}
+# Interface MIB limits
+{% if mib.interface_max is vyos_defined %}
+ifmib_max_num_ifaces {{ mib.interface_max }}
+{% endif %}
+{% if mib.interface is vyos_defined %}
+include_ifmib_iface_prefix {{ mib.interface | join(' ') }}
+{% endif %}
+{% endif %}
+
# SNMP communities
{% if community is vyos_defined %}
{% for comm, comm_config in community.items() %}
diff --git a/data/templates/snmp/override.conf.j2 b/data/templates/snmp/override.conf.j2
index 443ee64db..42dc7a9d2 100644
--- a/data/templates/snmp/override.conf.j2
+++ b/data/templates/snmp/override.conf.j2
@@ -10,4 +10,3 @@ ExecStart=
ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -f -p /run/snmpd.pid
Restart=always
RestartSec=10
-
diff --git a/data/templates/snmp/usr.snmpd.conf.j2 b/data/templates/snmp/usr.snmpd.conf.j2
index a713c1cec..189032bb0 100644
--- a/data/templates/snmp/usr.snmpd.conf.j2
+++ b/data/templates/snmp/usr.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
{% if v3.user is vyos_defined %}
{% for user, user_config in v3.user.items() %}
{{ user_config.mode }}user {{ user }}
diff --git a/data/templates/snmp/var.snmpd.conf.j2 b/data/templates/snmp/var.snmpd.conf.j2
index 012f33aeb..afab88abc 100644
--- a/data/templates/snmp/var.snmpd.conf.j2
+++ b/data/templates/snmp/var.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
# user
{% if v3 is vyos_defined %}
{% if v3.user is vyos_defined %}
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 422969ed8..650fd25e6 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
# https://linux.die.net/man/5/sshd_config
diff --git a/data/templates/ssh/sshguard_config.j2 b/data/templates/ssh/sshguard_config.j2
index 58c6ad48d..2e7507416 100644
--- a/data/templates/ssh/sshguard_config.j2
+++ b/data/templates/ssh/sshguard_config.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
{% if dynamic_protection is vyos_defined %}
# Full path to backend executable (required, no default)
diff --git a/data/templates/ssh/sshguard_whitelist.j2 b/data/templates/ssh/sshguard_whitelist.j2
index 47a950a2b..194fa29df 100644
--- a/data/templates/ssh/sshguard_whitelist.j2
+++ b/data/templates/ssh/sshguard_whitelist.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
{% if dynamic_protection.allow_from is vyos_defined %}
{% for address in dynamic_protection.allow_from %}
diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2
index 745a09e14..d38e53f15 100644
--- a/data/templates/sstp-client/peer.j2
+++ b/data/templates/sstp-client/peer.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-sstpc.py ###
+### Autogenerated by interfaces_sstpc.py ###
{{ '# ' ~ description if description is vyos_defined else '' }}
# Require peer to provide the local IP address if it is not
diff --git a/data/templates/system/proxy.j2 b/data/templates/system/proxy.j2
index 215c4c5c2..0737cd3f8 100644
--- a/data/templates/system/proxy.j2
+++ b/data/templates/system/proxy.j2
@@ -1,4 +1,4 @@
-# generated by system-proxy.py
+### autogenerated by system_proxy.py ###
{% if url is vyos_defined and port is vyos_defined %}
{# remove http:// prefix so we can inject a username/password if present #}
export http_proxy=http://{{ username ~ ':' ~ password ~ '@' if username is vyos_defined and password is vyos_defined }}{{ url | replace('http://', '') }}:{{ port }}
diff --git a/data/templates/system/sysctl.conf.j2 b/data/templates/system/sysctl.conf.j2
index 59a19e157..db699c3d8 100644
--- a/data/templates/system/sysctl.conf.j2
+++ b/data/templates/system/sysctl.conf.j2
@@ -1,7 +1,7 @@
-# autogenerated by system_sysctl.py
-
-{% if parameter is vyos_defined %}
-{% for k, v in parameter.items() %}
-{{ k }} = {{ v.value }}
-{% endfor %}
-{% endif %}
+# autogenerated by system_sysctl.py
+
+{% if parameter is vyos_defined %}
+{% for k, v in parameter.items() %}
+{{ k }} = {{ v.value }}
+{% endfor %}
+{% endif %}
diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2
index 5852d6232..9623bdec6 100644
--- a/data/templates/telegraf/telegraf.j2
+++ b/data/templates/telegraf/telegraf.j2
@@ -90,6 +90,8 @@
[[inputs.diskio]]
[[inputs.mem]]
[[inputs.net]]
+ ignore_protocol_stats = true
+[[inputs.nstat]]
[[inputs.system]]
[[inputs.netstat]]
[[inputs.processes]]
diff --git a/data/templates/tftp-server/default.j2 b/data/templates/tftp-server/default.j2
index b2676e0aa..d9ce847de 100644
--- a/data/templates/tftp-server/default.j2
+++ b/data/templates/tftp-server/default.j2
@@ -1,5 +1,5 @@
{# j2lint: disable=jinja-variable-format #}
-### Autogenerated by tftp_server.py ###
+### Autogenerated by service_tftp-server.py ###
DAEMON_ARGS="--listen --user tftp --address {{ listen_address }} {{ "--create --umask 000" if allow_upload is vyos_defined }} --secure {{ directory }}"
{% if vrf is vyos_defined %}
VRF_ARGS="ip vrf exec {{ vrf }}"
diff --git a/data/templates/vpp/override.conf.j2 b/data/templates/vpp/override.conf.j2
deleted file mode 100644
index a2c2b04ed..000000000
--- a/data/templates/vpp/override.conf.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-ConditionPathExists=
-ConditionPathExists=/run/vpp/vpp.conf
-
-[Service]
-EnvironmentFile=
-ExecStart=
-ExecStart=/usr/bin/vpp -c /run/vpp/vpp.conf
-WorkingDirectory=
-WorkingDirectory=/run/vpp
-Restart=always
-RestartSec=10
diff --git a/data/templates/vpp/startup.conf.j2 b/data/templates/vpp/startup.conf.j2
deleted file mode 100644
index f33539fba..000000000
--- a/data/templates/vpp/startup.conf.j2
+++ /dev/null
@@ -1,116 +0,0 @@
-# Generated by /usr/libexec/vyos/conf_mode/vpp.py
-
-unix {
- nodaemon
- log /var/log/vpp.log
- full-coredump
- cli-listen /run/vpp/cli.sock
- gid vpp
- # exec /etc/vpp/bootstrap.vpp
-{% if unix is vyos_defined %}
-{% if unix.poll_sleep_usec is vyos_defined %}
- poll-sleep-usec {{ unix.poll_sleep_usec }}
-{% endif %}
-{% endif %}
-}
-
-{% if cpu is vyos_defined %}
-cpu {
-{% if cpu.main_core is vyos_defined %}
- main-core {{ cpu.main_core }}
-{% endif %}
-{% if cpu.corelist_workers is vyos_defined %}
- corelist-workers {{ cpu.corelist_workers | join(',') }}
-{% endif %}
-{% if cpu.skip_cores is vyos_defined %}
- skip-cores {{ cpu.skip_cores }}
-{% endif %}
-{% if cpu.workers is vyos_defined %}
- workers {{ cpu.workers }}
-{% endif %}
-}
-{% endif %}
-
-{# ip heap-size does not work now (23.06-rc2~1-g3a4e62ad4) #}
-{# vlib_call_all_config_functions: unknown input `ip heap-size 32M ' #}
-{% if ip is vyos_defined %}
-#ip {
-#{% if ip.heap_size is vyos_defined %}
-# heap-size {{ ip.heap_size }}M
-#{% endif %}
-#}
-{% endif %}
-
-{% if ip6 is vyos_defined %}
-ip6 {
-{% if ip6.hash_buckets is vyos_defined %}
- hash-buckets {{ ip6.hash_buckets }}
-{% endif %}
-{% if ip6.heap_size is vyos_defined %}
- heap-size {{ ip6.heap_size }}M
-{% endif %}
-}
-{% endif %}
-
-{% if l2learn is vyos_defined %}
-l2learn {
-{% if l2learn.limit is vyos_defined %}
- limit {{ l2learn.limit }}
-{% endif %}
-}
-{% endif %}
-
-{% if logging is vyos_defined %}
-logging {
-{% if logging.default_log_level is vyos_defined %}
- default-log-level {{ logging.default_log_level }}
-{% endif %}
-}
-{% endif %}
-
-{% if physmem is vyos_defined %}
-physmem {
-{% if physmem.max_size is vyos_defined %}
- max-size {{ physmem.max_size.upper() }}
-{% endif %}
-}
-{% endif %}
-
-plugins {
- path /usr/lib/x86_64-linux-gnu/vpp_plugins/
- plugin default { disable }
- plugin dpdk_plugin.so { enable }
- plugin linux_cp_plugin.so { enable }
- plugin linux_nl_plugin.so { enable }
-}
-
-linux-cp {
- lcp-sync
- lcp-auto-subint
-}
-
-dpdk {
- # Whitelist the fake PCI address 0000:00:00.0
- # This prevents all devices from being added to VPP-DPDK by default
- dev 0000:00:00.0
-{% for iface, iface_config in interface.items() %}
-{% if iface_config.pci is vyos_defined %}
- dev {{ iface_config.pci }} {
- name {{ iface }}
-{% if iface_config.num_rx_desc is vyos_defined %}
- num-rx-desc {{ iface_config.num_rx_desc }}
-{% endif %}
-{% if iface_config.num_tx_desc is vyos_defined %}
- num-tx-desc {{ iface_config.num_tx_desc }}
-{% endif %}
-{% if iface_config.num_rx_queues is vyos_defined %}
- num-rx-queues {{ iface_config.num_rx_queues }}
-{% endif %}
-{% if iface_config.num_tx_queues is vyos_defined %}
- num-tx-queues {{ iface_config.num_tx_queues }}
-{% endif %}
- }
-{% endif %}
-{% endfor %}
- uio-bind-force
-}
diff --git a/data/templates/wifi/hostapd.conf.j2 b/data/templates/wifi/hostapd.conf.j2
index c3f32da72..83009242b 100644
--- a/data/templates/wifi/hostapd.conf.j2
+++ b/data/templates/wifi/hostapd.conf.j2
@@ -1,5 +1,5 @@
{# j2lint: disable=operator-enclosed-by-spaces #}
-### Autogenerated by interfaces-wireless.py ###
+### Autogenerated by interfaces_wireless.py ###
{% if description is vyos_defined %}
# Description: {{ description }}
# User-friendly description of device; up to 32 octets encoded in UTF-8
diff --git a/data/templates/wifi/wpa_supplicant.conf.j2 b/data/templates/wifi/wpa_supplicant.conf.j2
index 01e0d632f..ac857a04a 100644
--- a/data/templates/wifi/wpa_supplicant.conf.j2
+++ b/data/templates/wifi/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-macsec.py ###
+### Autogenerated by interfaces_wireless.py ###
# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf