Diffstat (limited to 'data')
-rw-r--r-- | data/config-mode-dependencies/vyos-1x.json | 4 | ||||
-rw-r--r-- | data/templates/aws/override_aws_gwlbtun.conf.j2 | 4 | ||||
-rw-r--r-- | data/templates/conntrack/sysctl.conf.j2 | 3 | ||||
-rw-r--r-- | data/templates/conntrack/vyos_nf_conntrack.conf.j2 | 2 | ||||
-rwxr-xr-x | data/templates/firewall/nftables.j2 | 4 | ||||
-rw-r--r-- | data/templates/frr/ospfd.frr.j2 | 2 | ||||
-rw-r--r-- | data/templates/frr/zebra.route-map.frr.j2 | 6 | ||||
-rw-r--r-- | data/templates/https/nginx.default.j2 | 2 | ||||
-rw-r--r-- | data/templates/login/authorized_keys.j2 | 1 | ||||
-rw-r--r-- | data/templates/login/authorized_principals.j2 | 4 | ||||
-rw-r--r-- | data/templates/ssh/sshd_config.j2 | 16 |
11 files changed, 38 insertions, 10 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json index 7506a0908..ccfc022f4 100644 --- a/data/config-mode-dependencies/vyos-1x.json +++ b/data/config-mode-dependencies/vyos-1x.json @@ -34,6 +34,7 @@ "ipsec": ["vpn_ipsec"], "openconnect": ["vpn_openconnect"], "rpki": ["protocols_rpki"], + "ssh": ["service_ssh"], "sstp": ["vpn_sstp"], "sstpc": ["interfaces_sstpc"], "stunnel": ["service_stunnel"] @@ -73,6 +74,9 @@ "system_ipv6": { "sysctl": ["system_sysctl"] }, + "system_login": { + "ssh": ["service_ssh"] + }, "system_option": { "ip_ipv6": ["system_ip", "system_ipv6"], "sysctl": ["system_sysctl"] diff --git a/data/templates/aws/override_aws_gwlbtun.conf.j2 b/data/templates/aws/override_aws_gwlbtun.conf.j2 index 4c566d852..e7e60dc95 100644 --- a/data/templates/aws/override_aws_gwlbtun.conf.j2 +++ b/data/templates/aws/override_aws_gwlbtun.conf.j2 @@ -30,7 +30,7 @@ After=vyos-router.service [Service] EnvironmentFile= -ExecStart=/usr/bin/gwlbtun {{ args | join(' ') }} -CapabilityBoundingSet=CAP_NET_ADMIN +ExecStart=/usr/sbin/gwlbtun {{ args | join(' ') }} +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW Restart=always RestartSec=10 diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2 index cd6c34ede..8d934db9c 100644 --- a/data/templates/conntrack/sysctl.conf.j2 +++ b/data/templates/conntrack/sysctl.conf.j2 
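Review bot: The `CapabilityBoundingSet=` line in override_aws_gwlbtun.conf.j2 widens the bounding set from CAP_NET_ADMIN to CAP_NET_ADMIN CAP_NET_RAW, and nothing in the unit says why gwlbtun needs it. CAP_NET_RAW allows raw and packet sockets, so I would put a one-line justification above the directive, for example `# CAP_NET_RAW: <reason gwlbtun opens raw/packet sockets>`, so a later audit can tell a required capability from a leftover. No `User=` or `NoNewPrivileges=` is visible in this hunk and the [Service] section continues outside it, so whether the bounding set is the only restriction on the daemon cannot be judged from here.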
@@ -1,10 +1,11 @@ # Autogenerated by system_conntrack.py {# all values have defaults - thus no checking required #} +net.netfilter.nf_conntrack_buckets = {{ hash_size }} net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }} net.netfilter.nf_conntrack_max = {{ table_size }} net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }} net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose is vyos_defined('enable') else '0' }} net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }} net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }} -net.netfilter.nf_conntrack_timestamp = {{ '1' if log.timestamp is vyos_defined else '0' }}
\ No newline at end of file +net.netfilter.nf_conntrack_timestamp = {{ '1' if log.timestamp is vyos_defined else '0' }} diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 deleted file mode 100644 index 1b12fec5f..000000000 --- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 +++ /dev/null @@ -1,2 +0,0 @@ -# Autogenerated by system_conntrack.py -options nf_conntrack hashsize={{ hash_size }} diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index a78119a80..bf051bb57 100755 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -414,7 +414,11 @@ table bridge vyos_filter { {% if 'invalid_connections' in global_options.apply_to_bridged_traffic %} ct state invalid udp sport 67 udp dport 68 counter accept ct state invalid ether type arp counter accept + ct state invalid ether type 8021q counter accept + ct state invalid ether type 8021ad counter accept + ct state invalid ether type 0x8863 counter accept ct state invalid ether type 0x8864 counter accept + ct state invalid ether type 0x0842 counter accept {% endif %} {% endif %} {% if global_options.state_policy is vyos_defined %} diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index bc2c74b10..79824fb64 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 
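Review bot: The new `net.netfilter.nf_conntrack_buckets = {{ hash_size }}` line in sysctl.conf.j2 moves the hash size from a module-load option to a runtime sysctl without a comment recording the change in semantics. The kernel documents this sysctl as writable only in the initial network namespace, and it can only be applied once nf_conntrack is loaded, so the value now depends on when this file is applied relative to module load. A template comment such as `{# hash size is set at runtime via sysctl; requires nf_conntrack to be loaded #}` above the line would keep that visible. The existing "all values have defaults" remark now covers hash_size as well, which is presumably true but is not shown in this hunk.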
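Review bot: The added `ct state invalid ether type 8021q counter accept` and `ether type 8021ad` rules in nftables.j2 accept every VLAN-tagged frame that conntrack classifies as invalid, whatever protocol is encapsulated. That is much broader than the DHCP and ARP exceptions next to them. If the intent is only to keep tagged bridged traffic from hitting an invalid-state drop, the template should say so, and it is worth checking whether the match can be narrowed to the inner protocols that actually need it. The hex ether types are also unreadable without a lookup; a comment such as `{# 0x8863/0x8864: PPPoE discovery/session, 0x0842: Wake-on-LAN #}` would help. The enclosing `table bridge vyos_filter` block starts and ends outside this hunk, so the effective policy after these accepts is not visible here.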
@@ -82,7 +82,7 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% for area_id, area_config in area.items() %} {% if area_config.area_type is vyos_defined %} {% for type, type_config in area_config.area_type.items() if type != 'normal' %} - area {{ area_id }} {{ type }} {{ 'no-summary' if type_config.no_summary is vyos_defined }} + area {{ area_id }} {{ type }} {{ 'translate-' + type_config.translate if type_config.translate is vyos_defined }} {{ 'no-summary' if type_config.no_summary is vyos_defined }} {% if type_config.default_cost is vyos_defined %} area {{ area_id }} default-cost {{ type_config.default_cost }} {% endif %} diff --git a/data/templates/frr/zebra.route-map.frr.j2 b/data/templates/frr/zebra.route-map.frr.j2 index 70a810f43..0d6d01930 100644 --- a/data/templates/frr/zebra.route-map.frr.j2 +++ b/data/templates/frr/zebra.route-map.frr.j2 @@ -1,6 +1,12 @@ ! {{ 'no ' if disable_forwarding is vyos_defined }}{{ afi }} forwarding ! +{% if import_table is vyos_defined %} +{% for table_num, table_config in import_table.items() %} +ip import-table {{ table_num }} {{ 'distance ' ~ table_config.distance if table_config.distance is vyos_defined }} {{ 'route-map ' ~ table_config.route_map if table_config.route_map is vyos_defined }} +{% endfor %} +{% endif %} +! {% if nht.no_resolve_via_default is vyos_defined %} no {{ afi }} nht resolve-via-default {% endif %} diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 index 692ccbff7..47280c9f0 100644 --- a/data/templates/https/nginx.default.j2 +++ b/data/templates/https/nginx.default.j2 
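Review bot: The new expression `'translate-' + type_config.translate` in ospfd.frr.j2 concatenates with `+`, while the same template uses `~` (see `'vrf ' ~ vrf` on the `router ospf` line). `~` coerces both operands to strings and is the form used elsewhere in this diff, so I would write `{{ 'translate-' ~ type_config.translate if type_config.translate is vyos_defined }}`. The loop runs for every area type other than `normal`, so the template relies on the CLI layer to allow `translate` only where FRR accepts it; that validation is not visible in this hunk.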
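Review bot: The added `ip import-table {{ table_num }} …` line in zebra.route-map.frr.j2 hard-codes `ip`, while every other line in the hunk is parameterised with `{{ afi }}`. If the template is rendered once per address family, as the `{{ afi }} forwarding` line suggests, an `import_table` key present in the IPv6 render would emit an IPv4 command. Either guard the block with `{% if afi == 'ip' %}` or add a comment stating that `import_table` is only ever passed for IPv4. The line also leaves trailing spaces when `distance` or `route_map` is unset, which is harmless to FRR but shows up in config diffs.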
@@ -48,7 +48,7 @@ server { ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; # proxy settings for HTTP API, if enabled; 503, if not - location ~ ^/(retrieve|configure|config-file|image|import-pki|container-image|generate|show|reboot|reset|poweroff|traceroute|info|docs|openapi.json|redoc|graphql) { + location ~ ^/(retrieve|configure|config-file|image|import-pki|container-image|generate|show|reboot|reset|poweroff|traceroute|info|docs|openapi.json|redoc|graphql|renew) { {% if api is vyos_defined %} proxy_pass http://unix:/run/api.sock; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2 index 695b66abe..5b15f066a 100644 --- a/data/templates/login/authorized_keys.j2 +++ b/data/templates/login/authorized_keys.j2 @@ -1,5 +1,4 @@ ### Automatically generated by system_login.py ### - {% if authentication.public_keys is vyos_defined %} {% for key, key_options in authentication.public_keys.items() %} {# The whitespace after options is wisely chosen #} diff --git a/data/templates/login/authorized_principals.j2 b/data/templates/login/authorized_principals.j2 new file mode 100644 index 000000000..16525e808 --- /dev/null +++ b/data/templates/login/authorized_principals.j2 @@ -0,0 +1,4 @@ +### Automatically generated by system_login.py ### +{% if authentication.principal is vyos_defined %} +{{ '\n'.join(authentication.principal) }} +{% endif %} 
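Review bot: The `location ~ ^/(…|renew)` pattern in nginx.default.j2 is a prefix match with no terminator, so adding `renew` also forwards any path that merely starts with `/renew` to `/run/api.sock`. The same holds for the existing alternatives, but each new short word widens the set of paths handed to the API backend, which then becomes the only place such requests are rejected. Consider closing the group with `(/|$)`, i.e. `location ~ ^/(retrieve|…|graphql|renew)(/|$) {`, after checking that no existing endpoint depends on the looser match. The location block continues past the end of this hunk, so any further restrictions inside it are not visible here.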
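Review bot: The new authorized_principals.j2 writes each `authentication.principal` value verbatim on its own line via `'\n'.join(...)`, with no visible check on what a value may contain. sshd reads each line of this file as optional key options followed by a principal name, so a value containing whitespace, `#` or a newline would change how the line is parsed rather than being treated as a name. The constraint presumably lives in the CLI definition; a template comment such as `{# principal values are validated in <CLI definition>: no whitespace, '#' or newlines #}` would make that dependency explicit. `join` also assumes a list: if a single configured principal ever arrives as a plain string, it would be split into one character per line, so that is worth confirming against the caller.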
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 index 7e44efae8..1315bf2cb 100644 --- a/data/templates/ssh/sshd_config.j2 +++ b/data/templates/ssh/sshd_config.j2 @@ -111,6 +111,18 @@ ClientAliveInterval {{ client_keepalive_interval }} RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }} {% endif %} -{% if trusted_user_ca_key is vyos_defined %} -TrustedUserCAKeys /etc/ssh/trusted_user_ca_key +{% if trusted_user_ca is vyos_defined %} +# Specifies a file containing public keys of certificate authorities that are +# trusted to sign user certificates for authentication +TrustedUserCAKeys {{ get_default_config_file('sshd_user_ca') }} + +# The default is "none", i.e. not to use a principals file - in this case, the +# username of the user must appear in a certificate's principals list for it +# to be accepted. ".ssh/authorized_principals" means a per-user configuration, +# relative to $HOME. +{% set filename = 'none' %} +{% if has_principals is vyos_defined %} +{% set filename = '.ssh/authorized_principals' %} +{% endif %} +AuthorizedPrincipalsFile {{ filename }} {% endif %} |
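Review bot: In sshd_config.j2, `AuthorizedPrincipalsFile` is switched to `.ssh/authorized_principals` for the whole daemon as soon as `has_principals` is set. The added comment explains the `none` default but not what this does to users who have no principals configured. As I read sshd_config(5), once a principals file is configured, a certificate is accepted only if one of its principals is listed in that user's file, so the username-as-principal fallback disappears for every account, including those whose file is missing or holds only the generated header. That fails closed, but it can lock out certificate logins unexpectedly, so I would extend the comment with `# When enabled, users without principals in their file cannot authenticate with a certificate.` How `has_principals` is computed is outside this hunk, so this assumes it is a global flag rather than per-user.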