9 files changed, 180 insertions, 110 deletions

diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2
index f041e278e..203a9772e 100644
--- a/data/templates/accel-ppp/l2tp.config.j2
+++ b/data/templates/accel-ppp/l2tp.config.j2
@@ -65,30 +65,8 @@ ipv6-pool-delegate={{ default_ipv6_pool }}
 {# Common chap-secrets and RADIUS server/option definitions #}
 {% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-[ppp]
-verbose=1
-check-ip=1
-single-session=replace
-lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
-lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
-lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
-{# MTU #}
-mtu={{ mtu }}
-ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }}
-ipv4={{ ppp_options.ipv4 }}
-mppe={{ ppp_options.mppe }}
-{% if ccp_disable is vyos_defined %}
-ccp=0
-{% endif %}
-unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
-
-{% if ppp_options.ipv6_intf_id is vyos_defined %}
-ipv6-intf-id={{ ppp_options.ipv6_intf_id }}
-{% endif %}
-{% if ppp_options.ipv6_peer_intf_id is vyos_defined %}
-ipv6-peer-intf-id={{ ppp_options.ipv6_peer_intf_id }}
-{% endif %}
-ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is vyos_defined else "0" }}
+{# Common ppp-options definitions #}
+{% include 'accel-ppp/ppp-options.j2' %}
 
 {# Common IPv6 pool definitions #}
 {% include 'accel-ppp/config_ipv6_pool.j2' %}
@@ -98,5 +76,4 @@ ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is vyos_
 
 [cli]
 tcp=127.0.0.1:2004
-sessions-columns=ifname,username,calling-sid,ip,{{ ip6_column | join(',') }}{{ ',' if ip6_column }}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime
 
diff --git a/data/templates/accel-ppp/ppp-options.j2 b/data/templates/accel-ppp/ppp-options.j2
new file mode 100644
index 000000000..f2d2519d9
--- /dev/null
+++ b/data/templates/accel-ppp/ppp-options.j2
@@ -0,0 +1,39 @@
+#ppp options
+[ppp]
+verbose=1
+check-ip=1
+ccp={{ "0" if ppp_options.disable_ccp is vyos_defined else "1" }}
+unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
+{% if ppp_options.min_mtu is vyos_defined %}
+min-mtu={{ ppp_options.min_mtu }}
+{% endif %}
+{% if ppp_options.mru is vyos_defined %}
+mru={{ ppp_options.mru }}
+{% endif %}
+mppe={{ ppp_options.mppe }}
+lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
+lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
+lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
+{% if ppp_options.ipv4 is vyos_defined %}
+ipv4={{ ppp_options.ipv4 }}
+{% endif %}
+{# IPv6 #}
+{% if ppp_options.ipv6 is vyos_defined %}
+ipv6={{ ppp_options.ipv6 }}
+{%     if ppp_options.ipv6_interface_id is vyos_defined %}
+ipv6-intf-id={{ ppp_options.ipv6_interface_id }}
+{%     endif %}
+{%     if ppp_options.ipv6_peer_interface_id is vyos_defined %}
+{%         if ppp_options.ipv6_peer_interface_id == 'ipv4-addr' %}
+ipv6-peer-intf-id=ipv4
+{%         else %}
+ipv6-peer-intf-id={{ ppp_options.ipv6_peer_interface_id }}
+{%         endif %}
+{%     endif %}
+ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_interface_id is vyos_defined else "0" }}
+{% endif %}
+{# MTU #}
+mtu={{ mtu }}
+{% if ppp_options.interface_cache is vyos_defined %}
+unit-cache={{ ppp_options.interface_cache }}
+{% endif %}
diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2
index fb8a11366..bf7b2eb72 100644
--- a/data/templates/accel-ppp/pppoe.config.j2
+++ b/data/templates/accel-ppp/pppoe.config.j2
@@ -70,40 +70,8 @@ single-session={{ session_control }}
 max-starting={{ max_concurrent_sessions }}
 {% endif %}
 
-[ppp]
-verbose=1
-check-ip=1
-ccp={{ "1" if ppp_options.ccp is vyos_defined else "0" }}
-unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
-{% if ppp_options.min_mtu is vyos_defined %}
-min-mtu={{ ppp_options.min_mtu }}
-{% endif %}
-{% if ppp_options.mru is vyos_defined %}
-mru={{ ppp_options.mru }}
-{% endif %}
-mppe={{ ppp_options.mppe }}
-lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
-lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
-lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
-{% if ppp_options.ipv4 is vyos_defined %}
-ipv4={{ ppp_options.ipv4 }}
-{% endif %}
-{# IPv6 #}
-{% if ppp_options.ipv6 is vyos_defined %}
-ipv6={{ ppp_options.ipv6 }}
-{%     if ppp_options.ipv6_intf_id is vyos_defined %}
-ipv6-intf-id={{ ppp_options.ipv6_intf_id }}
-{%     endif %}
-{%     if ppp_options.ipv6_peer_intf_id is vyos_defined %}
-ipv6-peer-intf-id={{ ppp_options.ipv6_peer_intf_id }}
-{%     endif %}
-ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is vyos_defined else "0" }}
-{% endif %}
-{# MTU #}
-mtu={{ mtu }}
-{% if ppp_options.interface_cache is vyos_defined %}
-unit-cache={{ ppp_options.interface_cache }}
-{% endif %}
+{# Common ppp-options definitions #}
+{% include 'accel-ppp/ppp-options.j2' %}
 
 [pppoe]
 verbose=1
diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2
index daafd6e92..7fe4b17bf 100644
--- a/data/templates/accel-ppp/pptp.config.j2
+++ b/data/templates/accel-ppp/pptp.config.j2
@@ -6,6 +6,8 @@ shaper
 {# Common authentication backend definitions #}
 {% include 'accel-ppp/config_modules_auth_mode.j2' %}
 ippool
+{# Common IPv6 definitions #}
+{% include 'accel-ppp/config_modules_ipv6.j2' %}
 {# Common authentication protocols (pap, chap ...) #}
 {% if authentication.require is vyos_defined %}
 {%     if authentication.require == 'chap' %}
@@ -40,7 +42,6 @@ wins{{ loop.index }}={{ server }}
 {%     endfor %}
 {% endif %}
 
-
 [pptp]
 ifname=pptp%d
 {% if outside_address is vyos_defined %}
@@ -54,6 +55,10 @@ echo-failure=3
 {% if default_pool is vyos_defined %}
 ip-pool={{ default_pool }}
 {% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
+{% endif %}
 
 [client-ip-range]
 0.0.0.0/0
@@ -61,10 +66,11 @@ ip-pool={{ default_pool }}
 {# Common IP pool definitions #}
 {% include 'accel-ppp/config_ip_pool.j2' %}
 
-[ppp]
-verbose=5
-check-ip=1
-single-session=replace
+{# Common IPv6 pool definitions #}
+{% include 'accel-ppp/config_ipv6_pool.j2' %}
+
+{# Common ppp-options definitions #}
+{% include 'accel-ppp/ppp-options.j2' %}
 
 {# Common chap-secrets and RADIUS server/option definitions #}
 {% include 'accel-ppp/config_chap_secrets_radius.j2' %}
diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2
index 51f7dfca8..c0bc62d9f 100644
--- a/data/templates/accel-ppp/sstp.config.j2
+++ b/data/templates/accel-ppp/sstp.config.j2
@@ -56,18 +56,8 @@ ipv6-pool-delegate={{ default_ipv6_pool }}
 {# Common chap-secrets and RADIUS server/option definitions #}
 {% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-[ppp]
-verbose=1
-check-ip=1
-{# MTU #}
-mtu={{ mtu }}
-unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
-ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }}
-ipv4={{ ppp_options.ipv4 }}
-mppe={{ ppp_options.mppe }}
-lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
-lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
-lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
+{# Common ppp-options definitions #}
+{% include 'accel-ppp/ppp-options.j2' %}
 
 {# Common RADIUS shaper configuration #}
 {% include 'accel-ppp/config_shaper_radius.j2' %}
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 6c0653a55..5538ea56c 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -7,7 +7,7 @@ use{{ ipv }}={{ address if address == 'web' else 'if' }}{{ ipv }}, \
 web{{ ipv }}={{ web_options.url }}, \
 {%         endif %}
 {%         if web_options.skip is vyos_defined %}
-web-skip{{ ipv }}='{{ web_options.skip }}', \
+web{{ ipv }}-skip='{{ web_options.skip }}', \
 {%         endif %}
 {%     else %}
 if{{ ipv }}={{ address }}, \
@@ -45,9 +45,12 @@ use=no
                                        else ['']) %}
 {%             set password = config.key if config.protocol == 'nsupdate'
                               else config.password %}
+{%             set address = 'web' if config.address.web is vyos_defined
+                              else config.address.interface %}
+{%             set web_options = config.address.web | default({}) %}
 
 # Web service dynamic DNS configuration for {{ service }}: [{{ config.protocol }}, {{ host }}]
-{{ render_config(host, config.address, config.web_options, ip_suffixes,
+{{ render_config(host, address, web_options, ip_suffixes,
                  protocol=config.protocol, server=config.server, zone=config.zone,
                  login=config.username, password=password, ttl=config.ttl,
                  min_interval=config.wait_time, max_interval=config.expiry_time) }}
diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index e4e8e7044..5ac872f19 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -57,3 +57,17 @@ serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
 auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
 
 forward-zones-file={{ config_dir }}/recursor.forward-zones.conf
+
+#ecs
+{% if options.ecs_add_for is vyos_defined %}
+ecs-add-for={{ options.ecs_add_for | join(',') }}
+{% endif %}
+
+{% if options.ecs_ipv4_bits is vyos_defined %}
+ecs-ipv4-bits={{ options.ecs_ipv4_bits }}
+{% endif %}
+
+{% if options.edns_subnet_allow_list is vyos_defined %}
+edns-subnet-allow-list={{ options.edns_subnet_allow_list | join(',') }}
+{% endif %}
+
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index a20c399ae..8a75ab2d6 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -98,5 +98,26 @@
     }
 {%         endfor %}
 {%     endif %}
+
+{%     if group.dynamic_group is vyos_defined %}
+{%         if group.dynamic_group.address_group is vyos_defined and not is_ipv6 and is_l3 %}
+{%             for group_name, group_conf in group.dynamic_group.address_group.items() %}
+    set DA_{{ group_name }} {
+        type {{ ip_type }}
+        flags dynamic, timeout
+    }
+{%             endfor %}
+{%         endif %}
+
+{%         if group.dynamic_group.ipv6_address_group is vyos_defined and is_ipv6 and is_l3 %}
+{%             for group_name, group_conf in group.dynamic_group.ipv6_address_group.items() %}
+    set DA6_{{ group_name }} {
+        type {{ ip_type }}
+        flags dynamic, timeout
+    }
+{%             endfor %}
+{%         endif %}
+{%     endif %}
+
 {% endif %}
 {% endmacro %}
diff --git a/data/templates/firewall/upnpd.conf.j2 b/data/templates/firewall/upnpd.conf.j2
index e964fc696..616e8869f 100644
--- a/data/templates/firewall/upnpd.conf.j2
+++ b/data/templates/firewall/upnpd.conf.j2
@@ -3,13 +3,42 @@
 # WAN network interface
 ext_ifname={{ wan_interface }}
 {% if wan_ip is vyos_defined %}
+
+# if the WAN network interface for IPv6 is different than for IPv4,
+# set ext_ifname6
+#ext_ifname6=eth2
+
 # If the WAN interface has several IP addresses, you
-# can specify the one to use below
+# can specify the one to use below.
+# Setting ext_ip is also useful in double NAT setup, you can declare here
+# the public IP address.
 {%     for addr in wan_ip %}
 ext_ip={{ addr }}
 {%     endfor  %}
 {% endif %}
 
+{% if stun is vyos_defined %}
+# WAN interface must have public IP address. Otherwise it is behind NAT
+# and port forwarding is impossible. In some cases WAN interface can be
+# behind unrestricted full-cone NAT 1:1 when all incoming traffic is NAT-ed and
+# routed to WAN interfaces without any filtering. In this cases miniupnpd
+# needs to know public IP address and it can be learnt by asking external
+# server via STUN protocol. Following option enable retrieving external
+# public IP address from STUN server and detection of NAT type. You need
+# to specify also external STUN server in stun_host option below.
+# This option is disabled by default.
+ext_perform_stun=yes
+# Specify STUN server, either hostname or IP address
+# Some public STUN servers:
+#  stun.stunprotocol.org
+#  stun.sipgate.net
+#  stun.xten.com
+#  stun.l.google.com (on non standard port 19302)
+ext_stun_host={{ stun.host }}
+# Specify STUN UDP port, by default it is standard port 3478.
+ext_stun_port={{ stun.port }}
+{% endif %}
+
 # LAN network interfaces IPs / networks
 {% if listen is vyos_defined %}
 # There can be multiple listening IPs for SSDP traffic, in that case
@@ -20,6 +49,9 @@ ext_ip={{ addr }}
 # When MULTIPLE_EXTERNAL_IP is enabled, the external IP
 # address associated with the subnet follows. For example:
 #  listening_ip=192.168.0.1/24 88.22.44.13
+# When MULTIPLE_EXTERNAL_IP is disabled, you can list associated network
+# interfaces (for bridges)
+#  listening_ip=bridge0 em0 wlan0
 {%     for addr in listen %}
 {%         if addr | is_ipv4  %}
 listening_ip={{ addr }}
@@ -65,6 +97,18 @@ min_lifetime={{ pcp_lifetime.min }}
 {%     endif %}
 {% endif %}
 
+# table names for netfilter nft. Default is "filter" for both
+#upnp_table_name=
+#upnp_nat_table_name=
+# chain names for netfilter and netfilter nft
+# netfilter : default are MINIUPNPD, MINIUPNPD, MINIUPNPD-POSTROUTING
+# netfilter nft : default are miniupnpd, prerouting_miniupnpd, postrouting_miniupnpd
+#upnp_forward_chain=forwardUPnP
+#upnp_nat_chain=UPnP
+#upnp_nat_postrouting_chain=UPnP-Postrouting
+
+# Lease file location
+lease_file=/config/upnp.leases
 
 # To enable the next few runtime options, see compile time
 # ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)
@@ -89,6 +133,11 @@ model_description=Vyos open source enterprise router/firewall operating system
 # Model URL, default is URL of OS vendor
 model_url=https://vyos.io/
 
+# Bitrates reported by daemon in bits per second
+# by default miniupnpd tries to get WAN interface speed
+#bitrate_up=1000000
+#bitrate_down=10000000
+
 {% if secure_mode is vyos_defined %}
 # Secure Mode, UPnP clients can only add mappings to their own IP
 secure_mode=yes
@@ -108,6 +157,10 @@ secure_mode=no
 # Report system uptime instead of daemon uptime
 system_uptime=yes
 
+# Notify interval in seconds. default is 30 seconds.
+#notify_interval=240
+notify_interval=60
+
 # Unused rules cleaning.
 # never remove any rule before this threshold for the number
 # of redirections is exceeded. default to 20
@@ -116,25 +169,46 @@ clean_ruleset_threshold=10
 # a 600 seconds (10 minutes) interval makes sense
 clean_ruleset_interval=600
 
+############################################################################
+## The next 5 config parameters (packet_log, anchor, queue, tag, quickrules)
+## are specific to BSD's pf(4) packet filter and hence cannot be enabled in
+## VyOS.
+# Log packets in pf (default is no)
+#packet_log=no
+
 # Anchor name in pf (default is miniupnpd)
-# Something wrong with this option "anchor", comment it out
-#   vyos@r14# miniupnpd -vv -f /run/upnp/miniupnp.conf
-#   invalid option in file /run/upnp/miniupnp.conf line 74 : anchor=VyOS
-#anchor=VyOS
+#anchor=miniupnpd
 
-uuid={{ uuid }}
+# ALTQ queue in pf
+# Filter rules must be used for this to be used.
+# compile with PF_ENABLE_FILTER_RULES (see config.h file)
+#queue=queue_name1
 
-# Lease file location
-lease_file=/config/upnp.leases
+# Tag name in pf
+#tag=tag_name1
+
+# Make filter rules in pf quick or not. default is yes
+# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
+#quickrules=no
+##
+## End of pf(4)-specific configuration not to be set in VyOS.
+############################################################################
+
+# UUID, generate your own UUID with "make genuuid"
+uuid={{ uuid }}
 
 # Daemon's serial and model number when reporting to clients
 # (in XML description)
 #serial=12345678
 #model_number=1
 
+# If compiled with IGD_V2 defined, force reporting IGDv1 in rootDesc (default
+# is no)
+#force_igd_desc_v1=no
+
 {% if rule is vyos_defined %}
-# UPnP permission rules
-# (allow|deny) (external port range) IP/mask (internal port range)
+# UPnP permission rules (also enforced for NAT-PMP and PCP)
+# (allow|deny) (external port range) IP/mask (internal port range) (optional regex filter)
 # A port range is <min port>-<max port> or <port> if there is only
 # one port in the range.
 # IP/mask format must be nnn.nnn.nnn.nnn/nn
@@ -151,25 +225,3 @@ lease_file=/config/upnp.leases
 {%         endif %}
 {%     endfor %}
 {% endif %}
-
-{% if stun is vyos_defined %}
-# WAN interface must have public IP address. Otherwise it is behind NAT
-# and port forwarding is impossible. In some cases WAN interface can be
-# behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and
-# routed to WAN interfaces without any filtering. In this cases miniupnpd
-# needs to know public IP address and it can be learnt by asking external
-# server via STUN protocol. Following option enable retrieving external
-# public IP address from STUN server and detection of NAT type. You need
-# to specify also external STUN server in stun_host option below.
-# This option is disabled by default.
-ext_perform_stun=yes
-# Specify STUN server, either hostname or IP address
-# Some public STUN servers:
-#  stun.stunprotocol.org
-#  stun.sipgate.net
-#  stun.xten.com
-#  stun.l.google.com (on non standard port 19302)
-ext_stun_host={{ stun.host }}
-# Specify STUN UDP port, by default it is standard port 3478.
-ext_stun_port={{ stun.port }}
-{% endif %}