diff options
Diffstat (limited to 'data')
207 files changed, 12490 insertions, 0 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json new file mode 100644 index 0000000..13de434 --- /dev/null +++ b/data/config-mode-dependencies/vyos-1x.json @@ -0,0 +1,61 @@ +{ + "system_conntrack": { + "conntrack_sync": ["service_conntrack-sync"], + "vrf": ["vrf"] + }, + "firewall": { + "conntrack": ["system_conntrack"], + "group_resync": ["system_conntrack", "nat", "policy_route"] + }, + "interfaces_bonding": { + "ethernet": ["interfaces_ethernet"] + }, + "interfaces_bridge": { + "vxlan": ["interfaces_vxlan"], + "wlan": ["interfaces_wireless"] + }, + "load_balancing_wan": { + "conntrack": ["system_conntrack"] + }, + "nat": { + "conntrack": ["system_conntrack"] + }, + "nat66": { + "conntrack": ["system_conntrack"] + }, + "pki": { + "ethernet": ["interfaces_ethernet"], + "openvpn": ["interfaces_openvpn"], + "https": ["service_https"], + "ipsec": ["vpn_ipsec"], + "openconnect": ["vpn_openconnect"], + "rpki": ["protocols_rpki"], + "sstp": ["vpn_sstp"] + }, + "vpn_ipsec": { + "nhrp": ["protocols_nhrp"] + }, + "vpn_l2tp": { + "ipsec": ["vpn_ipsec"] + }, + "qos": { + "bonding": ["interfaces_bonding"], + "bridge": ["interfaces_bridge"], + "dummy": ["interfaces_dummy"], + "ethernet": ["interfaces_ethernet"], + "geneve": ["interfaces_geneve"], + "input": ["interfaces_input"], + "l2tpv3": ["interfaces_l2tpv3"], + "loopback": ["interfaces_loopback"], + "macsec": ["interfaces_macsec"], + "openvpn": ["interfaces_openvpn"], + "pppoe": ["interfaces_pppoe"], + "pseudo-ethernet": ["interfaces_pseudo-ethernet"], + "tunnel": ["interfaces_tunnel"], + "vti": ["interfaces_vti"], + "vxlan": ["interfaces_vxlan"], + "wireguard": ["interfaces_wireguard"], + "wireless": ["interfaces_wireless"], + "wwan": ["interfaces_wwan"] + } +} diff --git a/data/configd-include.json b/data/configd-include.json new file mode 100644 index 0000000..dcee503 --- /dev/null +++ b/data/configd-include.json @@ -0,0 +1,111 @@ +[ +"container.py", +"firewall.py", +"high-availability.py", +"interfaces_bonding.py", +"interfaces_bridge.py", +"interfaces_dummy.py", +"interfaces_ethernet.py", +"interfaces_geneve.py", +"interfaces_input.py", +"interfaces_l2tpv3.py", +"interfaces_loopback.py", +"interfaces_macsec.py", +"interfaces_openvpn.py", +"interfaces_pppoe.py", +"interfaces_pseudo-ethernet.py", +"interfaces_sstpc.py", +"interfaces_tunnel.py", +"interfaces_virtual-ethernet.py", +"interfaces_vti.py", +"interfaces_vxlan.py", +"interfaces_wireguard.py", +"interfaces_wireless.py", +"interfaces_wwan.py", +"load-balancing_reverse-proxy.py", +"load-balancing_wan.py", +"nat.py", +"nat64.py", +"nat66.py", +"netns.py", +"pki.py", +"policy.py", +"policy_route.py", +"policy_local-route.py", +"protocols_babel.py", +"protocols_bfd.py", +"protocols_bgp.py", +"protocols_eigrp.py", +"protocols_failover.py", +"protocols_igmp-proxy.py", +"protocols_isis.py", +"protocols_mpls.py", +"protocols_nhrp.py", +"protocols_ospf.py", +"protocols_ospfv3.py", +"protocols_pim.py", +"protocols_pim6.py", +"protocols_rip.py", +"protocols_ripng.py", +"protocols_rpki.py", +"protocols_segment-routing.py", +"protocols_static.py", +"protocols_static_arp.py", +"protocols_static_multicast.py", +"protocols_static_neighbor-proxy.py", +"qos.py", +"service_aws_glb.py", +"service_broadcast-relay.py", +"service_config-sync.py", +"service_conntrack-sync.py", +"service_console-server.py", +"service_dhcp-relay.py", +"service_dhcp-server.py", +"service_dhcpv6-relay.py", +"service_dhcpv6-server.py", +"service_dns_dynamic.py", +"service_dns_forwarding.py", +"service_event-handler.py", +"service_https.py", +"service_ids_ddos-protection.py", +"service_ipoe-server.py", +"service_lldp.py", +"service_mdns_repeater.py", +"service_monitoring_telegraf.py", +"service_monitoring_zabbix-agent.py", +"service_ndp-proxy.py", +"service_ntp.py", +"service_pppoe-server.py", +"service_router-advert.py", +"service_salt-minion.py", +"service_sla.py", +"service_ssh.py", +"service_tftp-server.py", +"service_webproxy.py", +"system_acceleration.py", +"system_config-management.py", +"system_conntrack.py", +"system_console.py", +"system_flow-accounting.py", +"system_frr.py", +"system_host-name.py", +"system_ip.py", +"system_ipv6.py", +"system_lcd.py", +"system_login_banner.py", +"system_logs.py", +"system_option.py", +"system_proxy.py", +"system_sflow.py", +"system_sysctl.py", +"system_syslog.py", +"system_task-scheduler.py", +"system_timezone.py", +"system_update-check.py", +"vpn_ipsec.py", +"vpn_l2tp.py", +"vpn_openconnect.py", +"vpn_pptp.py", +"vpn_sstp.py", +"vrf.py" +] diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json new file mode 100644 index 0000000..c141331 --- /dev/null +++ b/data/op-mode-standardized.json @@ -0,0 +1,34 @@ +[ +"accelppp.py", +"bgp.py", +"bonding.py", +"bridge.py", +"cgnat.py", +"config_mgmt.py", +"conntrack.py", +"container.py", +"cpu.py", +"dhcp.py", +"dns.py", +"evpn.py", +"interfaces.py", +"ipsec.py", +"lldp.py", +"log.py", +"memory.py", +"multicast.py", +"nat.py", +"neighbor.py", +"nhrp.py", +"openconnect.py", +"openvpn.py", +"otp.py", +"reset_vpn.py", +"reverseproxy.py", +"route.py", +"storage.py", +"system.py", +"uptime.py", +"version.py", +"vrf.py" +] diff --git a/data/templates/accel-ppp/chap-secrets.config_dict.j2 b/data/templates/accel-ppp/chap-secrets.config_dict.j2 new file mode 100644 index 0000000..51e66d5 --- /dev/null +++ b/data/templates/accel-ppp/chap-secrets.config_dict.j2 @@ -0,0 +1,10 @@ +# username server password acceptable local IP addresses shaper +{% if authentication.local_users.username is vyos_defined %} +{% for user, user_config in authentication.local_users.username.items() if user_config.disabled is not vyos_defined %} +{% if user_config.rate_limit is vyos_defined %} +{{ "%-12s" | format(user) }} * {{ "%-16s" | format(user_config.password) }} {{ "%-16s" | format(user_config.static_ip) }} {{ user_config.rate_limit.download }}/{{ user_config.rate_limit.upload }} +{% else %} +{{ "%-12s" | format(user) }} * {{ "%-16s" | format(user_config.password) }} {{ "%-16s" | format(user_config.static_ip) }} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/accel-ppp/chap-secrets.ipoe.j2 b/data/templates/accel-ppp/chap-secrets.ipoe.j2 new file mode 100644 index 0000000..43083e2 --- /dev/null +++ b/data/templates/accel-ppp/chap-secrets.ipoe.j2 @@ -0,0 +1,13 @@ +# username server password acceptable local IP addresses shaper +{% if authentication.interface is vyos_defined %} +{% for iface, iface_config in authentication.interface.items() %} +{% if iface_config.mac is vyos_defined %} +{% for mac, mac_config in iface_config.mac.items() %} +{% if mac_config.vlan is vyos_defined %} +{% set iface = iface ~ '.' ~ mac_config.vlan %} +{% endif %} +{{ "%-11s" | format(iface) }} * {{ mac | lower }} * {{ mac_config.rate_limit.download ~ '/' ~ mac_config.rate_limit.upload if mac_config.rate_limit.download is vyos_defined and mac_config.rate_limit.upload is vyos_defined }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/accel-ppp/chap-secrets.j2 b/data/templates/accel-ppp/chap-secrets.j2 new file mode 100644 index 0000000..cc3ddc2 --- /dev/null +++ b/data/templates/accel-ppp/chap-secrets.j2 @@ -0,0 +1,10 @@ +# username server password acceptable local IP addresses shaper +{% for user in local_users %} +{% if user.state == 'enabled' %} +{% if user.upload and user.download %} +{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {{ user.download }}/{{ user.upload }} +{% else %} +{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} +{% endif %} +{% endif %} +{% endfor %} diff --git a/data/templates/accel-ppp/config_chap_secrets_radius.j2 b/data/templates/accel-ppp/config_chap_secrets_radius.j2 new file mode 100644 index 0000000..e343ce4 --- /dev/null +++ b/data/templates/accel-ppp/config_chap_secrets_radius.j2 @@ -0,0 +1,58 @@ +{% if authentication.mode is vyos_defined('local') %} +[chap-secrets] +chap-secrets={{ chap_secrets_file }} +{% elif authentication.mode is vyos_defined('radius') %} +[radius] +verbose=1 +{% for server, options in authentication.radius.server.items() if not options.disable is vyos_defined %} +{% set _server_cfg = "server=" %} +{% set _server_cfg = _server_cfg + server %} +{% set _server_cfg = _server_cfg + "," + options.key %} +{% set _server_cfg = _server_cfg + ",auth-port=" + options.port %} +{% set _server_cfg = _server_cfg + ",acct-port=" + options.acct_port %} +{% set _server_cfg = _server_cfg + ",req-limit=0" %} +{% set _server_cfg = _server_cfg + ",fail-time=" + options.fail_time %} +{% if options.priority is vyos_defined %} +{% set _server_cfg = _server_cfg + ",weight=" + options.priority %} +{% endif %} +{% if options.backup is vyos_defined %} +{% set _server_cfg = _server_cfg + ",backup" %} +{% endif %} +{{ _server_cfg }} +{% endfor %} +{% if authentication.radius.accounting_interim_interval is vyos_defined %} +acct-interim-interval={{ authentication.radius.accounting_interim_interval }} +{% endif %} +{% if authentication.radius.acct_interim_jitter is vyos_defined %} +acct-interim-jitter={{ authentication.radius.acct_interim_jitter }} +{% endif %} +acct-timeout={{ authentication.radius.acct_timeout }} +timeout={{ authentication.radius.timeout }} +max-try={{ authentication.radius.max_try }} +{% if authentication.radius.nas_identifier is vyos_defined %} +nas-identifier={{ authentication.radius.nas_identifier }} +{% endif %} +{% if authentication.radius.nas_ip_address is vyos_defined %} +nas-ip-address={{ authentication.radius.nas_ip_address }} +{% endif %} +{% if authentication.radius.source_address is vyos_defined %} +bind={{ authentication.radius.source_address }} +{% endif %} +{% if authentication.radius.dynamic_author.server is vyos_defined %} +dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.radius.dynamic_author.port }},{{ authentication.radius.dynamic_author.key }} +{% endif %} +{% endif %} +{# Both chap-secrets and radius block required the gw-ip-address #} +{% if authentication.mode is vyos_defined('local') or authentication.mode is vyos_defined('radius') %} +{% if gateway_address is vyos_defined %} +{% if server_type == 'ipoe' %} +{% for gw in gateway_address %} +{% set host_address, _ = gw.split('/') %} +gw-ip-address={{ host_address }} +{% endfor %} +{% else %} +gw-ip-address={{ gateway_address }} +{% endif %} +{% endif %} +{% endif %} + diff --git a/data/templates/accel-ppp/config_extended_scripts.j2 b/data/templates/accel-ppp/config_extended_scripts.j2 new file mode 100644 index 0000000..ded0a0a --- /dev/null +++ b/data/templates/accel-ppp/config_extended_scripts.j2 @@ -0,0 +1,9 @@ +{% if extended_scripts is vyos_defined %} +[pppd-compat] +verbose=1 +radattr-prefix=/run/accel-pppd/radattr +{% set script_name = {'on_up': 'ip-up', 'on_down': 'ip-down', 'on_change':'ip-change', 'on_pre_up':'ip-pre-up'} %} +{% for script in extended_scripts %} +{{ script_name[script] }}={{ extended_scripts[script] }} +{% endfor %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2 new file mode 100644 index 0000000..8e66486 --- /dev/null +++ b/data/templates/accel-ppp/config_ip_pool.j2 @@ -0,0 +1,32 @@ +{% if ordered_named_pools is vyos_defined %} +[ip-pool] +{% if gateway_address is vyos_defined %} +{% if server_type == 'ipoe' %} +{% for gw in gateway_address %} +{% set host_address, _ = gw.split('/') %} +gw-ip-address={{ host_address }} +{% endfor %} +{% else %} +gw-ip-address={{ gateway_address }} +{% endif %} +{% endif %} +{% for pool in ordered_named_pools %} +{% for pool_name, pool_config in pool.items() %} +{% if pool_config.range is vyos_defined %} +{% for range in pool_config.range %} +{% set iprange_str = range %} +{% set iprange_list = range.split('-') %} +{% if iprange_list | length == 2 %} +{% set last_ip_oct = iprange_list[1].split('.') %} +{% set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %} +{% endif %} +{% if loop.last and pool_config.next_pool is vyos_defined %} +{{ iprange_str }},name={{ pool_name }},next={{ pool_config.next_pool }} +{% else %} +{{ iprange_str }},name={{ pool_name }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endfor %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/config_ipv6_pool.j2 b/data/templates/accel-ppp/config_ipv6_pool.j2 new file mode 100644 index 0000000..86efdc1 --- /dev/null +++ b/data/templates/accel-ppp/config_ipv6_pool.j2 @@ -0,0 +1,21 @@ +{% if client_ipv6_pool is vyos_defined %} +[ipv6-nd] +AdvAutonomousFlag=1 +verbose=1 + +[ipv6-pool] +{% for pool_name, pool_config in client_ipv6_pool.items() %} +{% if pool_config.prefix is vyos_defined %} +{% for prefix, options in pool_config.prefix.items() %} +{{ prefix }},{{ options.mask }},name={{ pool_name }} +{% endfor %} +{% endif %} +{% if pool_config.delegate is vyos_defined %} +{% for prefix, options in pool_config.delegate.items() %} +delegate={{ prefix }},{{ options.delegation_prefix }},name={{ pool_name }} +{% endfor %} +{% endif %} +{% endfor %} +[ipv6-dhcp] +verbose=1 +{% endif %} diff --git a/data/templates/accel-ppp/config_limits.j2 b/data/templates/accel-ppp/config_limits.j2 new file mode 100644 index 0000000..f10dfcc --- /dev/null +++ b/data/templates/accel-ppp/config_limits.j2 @@ -0,0 +1,12 @@ +{% if limits is vyos_defined %} +[connlimit] +{% if limits.connection_limit is vyos_defined %} +limit={{ limits.connection_limit }} +{% endif %} +{% if limits.burst is vyos_defined %} +burst={{ limits.burst }} +{% endif %} +{% if limits.timeout is vyos_defined %} +timeout={{ limits.timeout }} +{% endif %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/config_modules_auth_mode.j2 b/data/templates/accel-ppp/config_modules_auth_mode.j2 new file mode 100644 index 0000000..3fb8a01 --- /dev/null +++ b/data/templates/accel-ppp/config_modules_auth_mode.j2 @@ -0,0 +1,5 @@ +{% if authentication.mode is vyos_defined('local') %} +chap-secrets +{% elif authentication.mode is vyos_defined('radius') %} +radius +{% endif %} diff --git a/data/templates/accel-ppp/config_modules_auth_protocols.j2 b/data/templates/accel-ppp/config_modules_auth_protocols.j2 new file mode 100644 index 0000000..2854684 --- /dev/null +++ b/data/templates/accel-ppp/config_modules_auth_protocols.j2 @@ -0,0 +1,10 @@ +{% for protocol in authentication.protocols %} +{# this should be fixed in the CLI by a migrator #} +{% if protocol == 'chap' %} +auth_chap_md5 +{% elif protocol == 'mschap' %} +auth_mschap_v1 +{% else %} +auth_{{ protocol.replace('-', '_') }} +{% endif %} +{% endfor %} diff --git a/data/templates/accel-ppp/config_modules_ipv6.j2 b/data/templates/accel-ppp/config_modules_ipv6.j2 new file mode 100644 index 0000000..6174779 --- /dev/null +++ b/data/templates/accel-ppp/config_modules_ipv6.j2 @@ -0,0 +1,5 @@ +{% if ppp_options.ipv6 is vyos_defined and ppp_options.ipv6 is not vyos_defined('deny') %} +ipv6pool +ipv6_nd +ipv6_dhcp +{% endif %} diff --git a/data/templates/accel-ppp/config_name_server.j2 b/data/templates/accel-ppp/config_name_server.j2 new file mode 100644 index 0000000..9c745fe --- /dev/null +++ b/data/templates/accel-ppp/config_name_server.j2 @@ -0,0 +1,13 @@ +{% if name_server_ipv4 is vyos_defined %} +[dns] +{% for ns in name_server_ipv4 %} +dns{{ loop.index }}={{ ns }} +{% endfor %} +{% endif %} + +{% if name_server_ipv6 is vyos_defined %} +[ipv6-dns] +{% for ns in name_server_ipv6 %} +{{ ns }} +{% endfor %} +{% endif %} diff --git a/data/templates/accel-ppp/config_shaper_radius.j2 b/data/templates/accel-ppp/config_shaper_radius.j2 new file mode 100644 index 0000000..fcd68f6 --- /dev/null +++ b/data/templates/accel-ppp/config_shaper_radius.j2 @@ -0,0 +1,19 @@ +{% if authentication.mode is vyos_defined('radius') or shaper is vyos_defined %} +[shaper] +verbose=1 +down-limiter=tbf +{% if authentication.radius.rate_limit.enable is vyos_defined %} +attr={{ authentication.radius.rate_limit.attribute }} +{% if authentication.radius.rate_limit.vendor is vyos_defined %} +vendor={{ authentication.radius.rate_limit.vendor }} +{% endif %} +{% if authentication.radius.rate_limit.multiplier is vyos_defined %} +rate-multiplier={{ authentication.radius.rate_limit.multiplier }} +{% endif %} +{% endif %} +{% if shaper is vyos_defined %} +{% if shaper.fwmark is vyos_defined %} +fwmark={{ shaper.fwmark }} +{% endif %} +{% endif %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/config_snmp.j2 b/data/templates/accel-ppp/config_snmp.j2 new file mode 100644 index 0000000..11526dd --- /dev/null +++ b/data/templates/accel-ppp/config_snmp.j2 @@ -0,0 +1,4 @@ +{% if snmp.master_agent is vyos_defined %} +[snmp] +master=1 +{% endif %} diff --git a/data/templates/accel-ppp/config_wins_server.j2 b/data/templates/accel-ppp/config_wins_server.j2 new file mode 100644 index 0000000..23312f9 --- /dev/null +++ b/data/templates/accel-ppp/config_wins_server.j2 @@ -0,0 +1,6 @@ +{% if wins_server is vyos_defined %} +[wins] +{% for server in wins_server %} +wins{{ loop.index }}={{ server }} +{% endfor %} +{% endif %} diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 new file mode 100644 index 0000000..c898129 --- /dev/null +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -0,0 +1,104 @@ +{# j2lint: disable=operator-enclosed-by-spaces #} +### generated by ipoe.py ### +[modules] +log_syslog +ipoe +shaper +{# Common authentication backend definitions #} +{% include 'accel-ppp/config_modules_auth_mode.j2' %} +ippool +ipv6pool +ipv6_nd +ipv6_dhcp +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} + +[core] +thread-count={{ thread_count }} + +[common] +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} + + +[log] +syslog=accel-ipoe,daemon +copy=1 +level=5 + +[ipoe] +verbose=1 +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +{% set tmp = 'interface=' %} +{% if iface_config.vlan is vyos_defined %} +{% set tmp = tmp ~ 're:^' ~ iface ~ '\.' ~ iface_config.vlan | range_to_regex ~ '$' %} +{% else %} +{% set tmp = tmp ~ iface %} +{% endif %} +{% set shared = '' %} +{% if iface_config.network is vyos_defined('shared') %} +{% set shared = 'shared=1,' %} +{% elif iface_config.network is vyos_defined('vlan') %} +{% set shared = 'shared=0,' %} +{% endif %} +{% set range = 'range=' ~ iface_config.client_subnet ~ ',' if iface_config.client_subnet is vyos_defined else '' %} +{% set relay = ',' ~ 'relay=' ~ iface_config.external_dhcp.dhcp_relay if iface_config.external_dhcp.dhcp_relay is vyos_defined else '' %} +{% set giaddr = ',' ~ 'giaddr=' ~ iface_config.external_dhcp.giaddr if iface_config.external_dhcp.giaddr is vyos_defined else '' %} +{{ tmp }},{{ shared }}mode={{ iface_config.mode | upper }},ifcfg=1,{{ range }}start=dhcpv4,ipv6=1{{ relay }}{{ giaddr }} +{% if iface_config.vlan is vyos_defined %} +vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }} +{% endif %} +{% endfor %} +{% endif %} +{% if authentication.mode is vyos_defined('noauth') %} +noauth=1 +{% elif authentication.mode is vyos_defined('local') %} +username=ifname +password=csid +{% endif %} +{% if default_pool is vyos_defined %} +ip-pool={{ default_pool }} +{% endif %} +{% if default_ipv6_pool is vyos_defined %} +ipv6-pool={{ default_ipv6_pool }} +ipv6-pool-delegate={{ default_ipv6_pool }} +{% endif %} +{% if gateway_address is vyos_defined %} +{% for gw_addr in gateway_address %} +gw-ip-address={{ gw_addr }} +{% endfor %} +{% endif %} +proxy-arp=1 + +{# Common IP pool definitions #} +{% include 'accel-ppp/config_ip_pool.j2' %} + +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} + +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common chap-secrets and RADIUS server/option definitions #} +{% include 'accel-ppp/config_chap_secrets_radius.j2' %} + +{# Common RADIUS shaper configuration #} +{% include 'accel-ppp/config_shaper_radius.j2' %} + +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + +[cli] +tcp=127.0.0.1:2002 diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2 new file mode 100644 index 0000000..4ce9042 --- /dev/null +++ b/data/templates/accel-ppp/l2tp.config.j2 @@ -0,0 +1,90 @@ +### generated by accel_l2tp.py ### +[modules] +log_syslog +l2tp +shaper +{# Common authentication backend definitions #} +{% include 'accel-ppp/config_modules_auth_mode.j2' %} +ippool +{# Common IPv6 definitions #} +{% include 'accel-ppp/config_modules_ipv6.j2' %} +{# Common authentication protocols (pap, chap ...) #} +{% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} + +[core] +thread-count={{ thread_count }} + +[common] +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} + +[log] +syslog=accel-l2tp,daemon +copy=1 +level=5 + +[client-ip-range] +0.0.0.0/0 + +[l2tp] +verbose=1 +ifname=l2tp%d +ppp-max-mtu={{ mtu }} +mppe={{ ppp_options.mppe }} +{% if outside_address is vyos_defined %} +bind={{ outside_address }} +{% endif %} +{% if lns.shared_secret is vyos_defined %} +secret={{ lns.shared_secret }} +{% endif %} +{% if lns.host_name is vyos_defined %} +host-name={{ lns.host_name }} +{% endif %} +{% if default_pool is vyos_defined %} +ip-pool={{ default_pool }} +{% endif %} +{% if default_ipv6_pool is vyos_defined %} +ipv6-pool={{ default_ipv6_pool }} +ipv6-pool-delegate={{ default_ipv6_pool }} +{% endif %} + +{# Common IP pool definitions #} +{% include 'accel-ppp/config_ip_pool.j2' %} + +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} + +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + +{# Common chap-secrets and RADIUS server/option definitions #} +{% include 'accel-ppp/config_chap_secrets_radius.j2' %} + +{# Common ppp-options definitions #} +{% include 'accel-ppp/ppp-options.j2' %} + +{# Common RADIUS shaper configuration #} +{% include 'accel-ppp/config_shaper_radius.j2' %} + +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + +[cli] +tcp=127.0.0.1:2004 + diff --git a/data/templates/accel-ppp/ppp-options.j2 b/data/templates/accel-ppp/ppp-options.j2 new file mode 100644 index 0000000..f2d2519 --- /dev/null +++ b/data/templates/accel-ppp/ppp-options.j2 @@ -0,0 +1,39 @@ +#ppp options +[ppp] +verbose=1 +check-ip=1 +ccp={{ "0" if ppp_options.disable_ccp is vyos_defined else "1" }} +unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }} +{% if ppp_options.min_mtu is vyos_defined %} +min-mtu={{ ppp_options.min_mtu }} +{% endif %} +{% if ppp_options.mru is vyos_defined %} +mru={{ ppp_options.mru }} +{% endif %} +mppe={{ ppp_options.mppe }} +lcp-echo-interval={{ ppp_options.lcp_echo_interval }} +lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }} +lcp-echo-failure={{ ppp_options.lcp_echo_failure }} +{% if ppp_options.ipv4 is vyos_defined %} +ipv4={{ ppp_options.ipv4 }} +{% endif %} +{# IPv6 #} +{% if ppp_options.ipv6 is vyos_defined %} +ipv6={{ ppp_options.ipv6 }} +{% if ppp_options.ipv6_interface_id is vyos_defined %} +ipv6-intf-id={{ ppp_options.ipv6_interface_id }} +{% endif %} +{% if ppp_options.ipv6_peer_interface_id is vyos_defined %} +{% if ppp_options.ipv6_peer_interface_id == 'ipv4-addr' %} +ipv6-peer-intf-id=ipv4 +{% else %} +ipv6-peer-intf-id={{ ppp_options.ipv6_peer_interface_id }} +{% endif %} +{% endif %} +ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_interface_id is vyos_defined else "0" }} +{% endif %} +{# MTU #} +mtu={{ mtu }} +{% if ppp_options.interface_cache is vyos_defined %} +unit-cache={{ ppp_options.interface_cache }} +{% endif %} diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2 new file mode 100644 index 0000000..42bc844 --- /dev/null +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -0,0 +1,123 @@ +### generated by accel_pppoe.py ### +[modules] +log_syslog +pppoe +shaper +{# Common authentication backend definitions #} +{% include 'accel-ppp/config_modules_auth_mode.j2' %} +ippool +{# Common IPv6 definitions #} +{% include 'accel-ppp/config_modules_ipv6.j2' %} +{# Common authentication protocols (pap, chap ...) #} +{% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} +{% if extended_scripts is vyos_defined %} +sigchld +pppd_compat +{% endif %} + +[core] +thread-count={{ thread_count }} + +[log] +syslog=accel-pppoe,daemon +copy=1 +level=5 + +{% if authentication.mode is vyos_defined("noauth") %} +[auth] +noauth=1 +{% endif %} + +[client-ip-range] +0.0.0.0/0 + +[common] +{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %} +single-session={{ session_control }} +{% endif %} +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} + +[pppoe] +verbose=1 +ac-name={{ access_concentrator }} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +{% if iface_config.vlan is not vyos_defined %} +interface={{ iface }} +{% else %} +{% for vlan in iface_config.vlan %} +interface=re:^{{ iface }}\.{{ vlan | range_to_regex }}$ +{% endfor %} +vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }} +{% endif %} +{% endfor %} +{% endif %} +{% if service_name %} +service-name={{ service_name | join(',') }} +{% endif %} +{% if pado_delay %} +{% set delay_without_sessions = pado_delay.delays_without_sessions[0] | default('0') %} +{% set pado_delay_param = namespace(value=delay_without_sessions) %} +{% for delay, sessions in pado_delay.delays_with_sessions | sort(attribute='1') %} +{% if not delay == 'disable' %} +{% set pado_delay_param.value = pado_delay_param.value + ',' + delay + ':' + sessions | string %} +{% else %} +{% set pado_delay_param.value = pado_delay_param.value + ',-1:' + sessions | string %} +{% endif %} +{% endfor %} +pado-delay={{ pado_delay_param.value }} +{% endif %} +{% if authentication.radius.called_sid_format is vyos_defined %} +called-sid={{ authentication.radius.called_sid_format }} +{% endif %} +{% if authentication.mode is vyos_defined("noauth") %} +noauth=1 +{% endif %} +{% if default_pool is vyos_defined %} +ip-pool={{ default_pool }} +{% endif %} +{% if default_ipv6_pool is vyos_defined %} +ipv6-pool={{ default_ipv6_pool }} +ipv6-pool-delegate={{ default_ipv6_pool }} +{% endif %} + +{# Common IP pool definitions #} +{% include 'accel-ppp/config_ip_pool.j2' %} + +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} + +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + +{# Common chap-secrets and RADIUS server/option definitions #} +{% include 'accel-ppp/config_chap_secrets_radius.j2' %} + +{# Common ppp-options definitions #} +{% include 'accel-ppp/ppp-options.j2' %} + +{# Common RADIUS shaper configuration #} +{% include 'accel-ppp/config_shaper_radius.j2' %} + +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + +[cli] +tcp=127.0.0.1:2001 diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2 new file mode 100644 index 0000000..a04bd40 --- /dev/null +++ b/data/templates/accel-ppp/pptp.config.j2 @@ -0,0 +1,86 @@ +### generated by accel_pptp.py ### +[modules] +log_syslog +pptp +shaper +{# Common authentication backend definitions #} +{% include 'accel-ppp/config_modules_auth_mode.j2' %} +ippool +{# Common IPv6 definitions #} +{% include 'accel-ppp/config_modules_ipv6.j2' %} +{# Common authentication protocols (pap, chap ...) #} +{% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} + +[core] +thread-count={{ thread_count }} + +[common] +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} + +[log] +syslog=accel-pptp,daemon +copy=1 +level=5 + +[client-ip-range] +0.0.0.0/0 + +[pptp] +ifname=pptp%d +{% if outside_address is vyos_defined %} +bind={{ outside_address }} +{% endif %} +verbose=1 +ppp-max-mtu={{ mtu }} +mppe={{ authentication.mppe }} +echo-interval=10 +echo-failure=3 +{% if default_pool is vyos_defined %} +ip-pool={{ default_pool }} +{% endif %} +{% if default_ipv6_pool is vyos_defined %} +ipv6-pool={{ default_ipv6_pool }} +ipv6-pool-delegate={{ default_ipv6_pool }} +{% endif %} + +{# Common IP pool definitions #} +{% include 'accel-ppp/config_ip_pool.j2' %} + +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} + +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + +{# Common chap-secrets and RADIUS server/option definitions #} +{% include 'accel-ppp/config_chap_secrets_radius.j2' %} + +{# Common ppp-options definitions #} +{% include 'accel-ppp/ppp-options.j2' %} + +{# Common RADIUS shaper configuration #} +{% include 'accel-ppp/config_shaper_radius.j2' %} + +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + +[cli] +tcp=127.0.0.1:2003 + diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2 new file mode 100644 index 0000000..22fb555 --- /dev/null +++ b/data/templates/accel-ppp/sstp.config.j2 @@ -0,0 +1,87 @@ +### generated by vpn_sstp.py ### +[modules] +log_syslog +sstp +shaper +{# Common authentication backend definitions #} +{% include 'accel-ppp/config_modules_auth_mode.j2' %} +ippool +{# Common IPv6 definitions #} +{% include 'accel-ppp/config_modules_ipv6.j2' %} +{# Common authentication protocols (pap, chap ...) #} +{% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} + +[core] +thread-count={{ thread_count }} + +[common] +single-session=replace +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} + +[log] +syslog=accel-sstp,daemon +copy=1 +level=5 + +[client-ip-range] +0.0.0.0/0 + +[sstp] +verbose=1 +ifname=sstp%d +port={{ port }} +accept=ssl +ssl-ca-file=/run/accel-pppd/sstp-ca.pem +ssl-pemfile=/run/accel-pppd/sstp-cert.pem +ssl-keyfile=/run/accel-pppd/sstp-cert.key +{% if host_name is vyos_defined %} +host-name={{ host_name }} +{% endif %} +{% if default_pool is vyos_defined %} +ip-pool={{ default_pool }} +{% endif %} +{% if default_ipv6_pool is vyos_defined %} +ipv6-pool={{ default_ipv6_pool }} +ipv6-pool-delegate={{ default_ipv6_pool }} +{% endif %} + +{# Common IP pool definitions #} +{% include 'accel-ppp/config_ip_pool.j2' %} + +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} + +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + +{# Common chap-secrets and RADIUS server/option definitions #} +{% include 'accel-ppp/config_chap_secrets_radius.j2' %} + +{# Common ppp-options definitions #} +{% include 'accel-ppp/ppp-options.j2' %} + +{# Common RADIUS shaper configuration #} +{% include 'accel-ppp/config_shaper_radius.j2' %} + +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + +[cli] +tcp=127.0.0.1:2005 diff --git a/data/templates/aws/override_aws_gwlbtun.conf.j2 b/data/templates/aws/override_aws_gwlbtun.conf.j2 new file mode 100644 index 0000000..4c566d8 --- /dev/null +++ b/data/templates/aws/override_aws_gwlbtun.conf.j2 @@ -0,0 +1,36 @@ +{% set args = [] %} +{% if script.on_create is vyos_defined %} +{% set _ = args.append("-c " + script.on_create) %} +{% endif %} +{% if script.on_destroy is vyos_defined %} +{% set _ = args.append("-r " + script.on_destroy) %} +{% endif %} + +{% if status.port is vyos_defined %} +{% set _ = args.append("-p " + status.port) %} +{% endif %} + +{% if threads.tunnel is vyos_defined %} +{% set _ = args.append("--tunthreads " + threads.tunnel) %} +{% endif %} +{% if threads.tunnel_affinity is vyos_defined %} +{% set _ = args.append("--tunaffinity " + threads.tunnel_affinity) %} +{% endif %} + +{% if threads.udp is vyos_defined %} +{% set _ = args.append("--udpthreads " + threads.udp) %} +{% endif %} +{% if threads.udp_affinity is vyos_defined %} +{% set _ = args.append("--udpaffinity " + threads.udp_affinity) %} +{% endif %} + +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + +[Service] +EnvironmentFile= +ExecStart=/usr/bin/gwlbtun {{ args | join(' ') }} +CapabilityBoundingSet=CAP_NET_ADMIN +Restart=always +RestartSec=10 diff --git a/data/templates/bcast-relay/udp-broadcast-relay.j2 b/data/templates/bcast-relay/udp-broadcast-relay.j2 new file mode 100644 index 0000000..3f5b5bb --- /dev/null +++ b/data/templates/bcast-relay/udp-broadcast-relay.j2 @@ -0,0 +1,5 @@ +### Autogenerated by service_broadcast-relay.py ### + +# UDP broadcast relay configuration for instance {{ id }} +{{ '# ' ~ description if description is vyos_defined }} +DAEMON_ARGS="{{ '-s ' ~ address if address is vyos_defined }} {{ instance }} {{ port }} {{ interface | join(' ') }}" diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2 new file mode 100644 index 0000000..e3f078f --- /dev/null +++ b/data/templates/chrony/chrony.conf.j2 @@ -0,0 +1,68 @@ +### Autogenerated by service_ntp.py ### + +# This would step the system clock if the adjustment is larger than 0.1 seconds, +# but only in the first three clock updates. +makestep 1.0 3 + +# The rtcsync directive enables a mode where the system time is periodically +# copied to the RTC and chronyd does not try to track its drift. This directive +# cannot be used with the rtcfile directive. On Linux, the RTC copy is performed +# by the kernel every 11 minutes. +rtcsync + +# This directive specifies the maximum amount of memory that chronyd is allowed +# to allocate for logging of client accesses and the state that chronyd as an +# NTP server needs to support the interleaved mode for its clients. +clientloglimit 1048576 + +driftfile /run/chrony/drift +dumpdir /run/chrony +ntsdumpdir /run/chrony +pidfile {{ config_file | replace('.conf', '.pid') }} + +# Determine when will the next leap second occur and what is the current offset +{% if leap_second is vyos_defined('timezone') %} +leapsectz right/UTC +{% elif leap_second is vyos_defined('ignore') %} +leapsecmode ignore +{% elif leap_second is vyos_defined('smear') %} +leapsecmode slew +maxslewrate 1000 +smoothtime 400 0.001024 leaponly +{% elif leap_second is vyos_defined('system') %} +leapsecmode system +{% endif %} + +user {{ user }} + +# NTP servers to reach out to +{% if server is vyos_defined %} +{% for server, config in server.items() %} +{% set association = 'server' %} +{% if config.pool is vyos_defined %} +{% set association = 'pool' %} +{% endif %} +{{ association }} {{ server | replace('_', '-') }} iburst {{ 'nts' if config.nts is vyos_defined }} {{ 'noselect' if config.noselect is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }} +{% endfor %} +{% endif %} + +# Allowed clients configuration +{% if allow_client.address is vyos_defined %} +{% for address in allow_client.address %} +allow {{ address }} +{% endfor %} +{% else %} +deny all +{% endif %} + +{% if listen_address is vyos_defined or interface is vyos_defined %} +# NTP should listen on configured addresses only +{% if listen_address is vyos_defined %} +{% for address in listen_address %} +bindaddress {{ address }} +{% endfor %} +{% endif %} +{% if interface is vyos_defined %} +binddevice {{ interface }} +{% endif %} +{% endif %} diff --git a/data/templates/chrony/override.conf.j2 b/data/templates/chrony/override.conf.j2 new file mode 100644 index 0000000..b8935ae --- /dev/null +++ b/data/templates/chrony/override.conf.j2 @@ -0,0 +1,17 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 +ConditionPathExists={{ config_file }} +After=vyos-router.service + +[Service] +EnvironmentFile= +ExecStart= +ExecStart=!{{ vrf_command }}/usr/sbin/chronyd -F 1 -f {{ config_file }} +PIDFile= +PIDFile={{ config_file | replace('.conf', '.pid') }} +Restart=always +RestartSec=10 +# Required for VRF support +ProcSubset=all +ProtectControlGroups=no diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2 new file mode 100644 index 0000000..c753e6b --- /dev/null +++ b/data/templates/conntrack/nftables-ct.j2 @@ -0,0 +1,176 @@ +#!/usr/sbin/nft -f + +{% import 'conntrack/nftables-helpers.j2' as helper_tmpl %} +{% import 'firewall/nftables-defines.j2' as group_tmpl %} + +{% if first_install is not vyos_defined %} +delete table ip vyos_conntrack +{% endif %} +table ip vyos_conntrack { + chain VYOS_CT_IGNORE { +{% if ignore.ipv4.rule is vyos_defined %} +{% for rule, rule_config in ignore.ipv4.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=False) }} +{% endfor %} +{% endif %} + return + } + chain VYOS_CT_TIMEOUT { +{% if timeout.custom.ipv4.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv4.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=False) }} +{% endfor %} +{% endif %} + return + } + +{% if timeout.custom.ipv4.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv4.rule.items() %} + ct timeout ct-timeout-{{ rule }} { + l3proto ip; +{% for protocol, protocol_config in rule_config.protocol.items() %} + protocol {{ protocol }}; + policy = { {{ protocol_config | conntrack_ct_policy() }} } +{% endfor %} + } +{% endfor %} +{% endif %} + + chain PREROUTING { + type filter hook prerouting priority -300; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK + counter jump WLB_CONNTRACK + notrack + } + +{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK +{% if wlb_local_action %} + counter jump WLB_CONNTRACK +{% endif %} + notrack + } + +{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + +{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }} + + chain FW_CONNTRACK { + {{ ipv4_firewall_action }} + } + + chain NAT_CONNTRACK { + {{ ipv4_nat_action }} + } + + chain WLB_CONNTRACK { + {{ wlb_action }} + } + +{% if firewall.group is vyos_defined %} +{{ group_tmpl.groups(firewall.group, False, True) }} +{% endif %} +} + +{% if first_install is not vyos_defined %} +delete table ip6 vyos_conntrack +{% endif %} +table ip6 vyos_conntrack { + chain VYOS_CT_IGNORE { +{% if ignore.ipv6.rule is vyos_defined %} +{% for rule, rule_config in ignore.ipv6.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=True) }} +{% endfor %} +{% endif %} + return + } + chain VYOS_CT_TIMEOUT { +{% if timeout.custom.ipv6.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv6.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=True) }} +{% endfor %} +{% endif %} + return + } + +{% if timeout.custom.ipv6.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv6.rule.items() %} + ct timeout ct-timeout-{{ rule }} { + l3proto ip; +{% for protocol, protocol_config in rule_config.protocol.items() %} + protocol {{ protocol }}; + policy = { {{ protocol_config | conntrack_ct_policy() }} } +{% endfor %} + } +{% endfor %} +{% endif %} + + chain PREROUTING { + type filter hook prerouting priority -300; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK + notrack + } + +{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK + notrack + } + +{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + +{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }} + + chain FW_CONNTRACK { + {{ ipv6_firewall_action }} + } + + chain NAT_CONNTRACK { + {{ ipv6_nat_action }} + } + +{% if firewall.group is vyos_defined %} +{{ group_tmpl.groups(firewall.group, True, True) }} +{% endif %} +} diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2 new file mode 100644 index 0000000..63a0cc8 --- /dev/null +++ b/data/templates/conntrack/nftables-helpers.j2 @@ -0,0 +1,76 @@ +{% macro conntrack_helpers(module_map, modules, ipv4=True) %} +{% if modules.ftp is vyos_defined %} + ct helper ftp_tcp { + type "ftp" protocol tcp; + } +{% endif %} + +{% if modules.h323 is vyos_defined %} + ct helper ras_udp { + type "RAS" protocol udp; + } + + ct helper q931_tcp { + type "Q.931" protocol tcp; + } +{% endif %} + +{% if modules.pptp is vyos_defined and ipv4 %} + ct helper pptp_tcp { + type "pptp" protocol tcp; + } +{% endif %} + +{% if modules.nfs is vyos_defined %} + ct helper rpc_tcp { + type "rpc" protocol tcp; + } + + ct helper rpc_udp { + type "rpc" protocol udp; + } +{% endif %} + +{% if modules.rtsp is vyos_defined and ipv4 %} + ct helper rtsp_tcp { + type "rtsp" protocol tcp; + } +{% endif %} + +{% if modules.sip is vyos_defined %} + ct helper sip_tcp { + type "sip" protocol tcp; + } + + ct helper sip_udp { + type "sip" protocol udp; + } +{% endif %} + +{% if modules.tftp is vyos_defined %} + ct helper tftp_udp { + type "tftp" protocol udp; + } +{% endif %} + +{% if modules.sqlnet is vyos_defined %} + ct helper tns_tcp { + type "tns" protocol tcp; + } +{% endif %} + + chain VYOS_CT_HELPER { +{% for module, module_conf in module_map.items() %} +{% if modules[module] is vyos_defined %} +{% if 'nftables' in module_conf %} +{% if module_conf.ipv4 is not vyos_defined or module_conf.ipv4 == ipv4 %} +{% for rule in module_conf.nftables %} + {{ rule }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} +{% endfor %} + return + } +{% endmacro %} diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2 new file mode 100644 index 0000000..986f75c --- /dev/null +++ b/data/templates/conntrack/sysctl.conf.j2 @@ -0,0 +1,27 @@ +# Autogenerated by system_conntrack.py +{# all values have defaults - thus no checking required #} + +net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }} +net.netfilter.nf_conntrack_max = {{ table_size }} + +net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }} + +net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose is vyos_defined('enable') else '0' }} +net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }} + +net.netfilter.nf_conntrack_icmp_timeout = {{ timeout.icmp }} +net.netfilter.nf_conntrack_generic_timeout = {{ timeout.other }} + +net.netfilter.nf_conntrack_tcp_timeout_close_wait = {{ timeout.tcp.close_wait }} +net.netfilter.nf_conntrack_tcp_timeout_close = {{ timeout.tcp.close }} +net.netfilter.nf_conntrack_tcp_timeout_established = {{ timeout.tcp.established }} +net.netfilter.nf_conntrack_tcp_timeout_fin_wait = {{ timeout.tcp.fin_wait }} +net.netfilter.nf_conntrack_tcp_timeout_last_ack = {{ timeout.tcp.last_ack }} +net.netfilter.nf_conntrack_tcp_timeout_syn_recv = {{ timeout.tcp.syn_recv }} +net.netfilter.nf_conntrack_tcp_timeout_syn_sent = {{ timeout.tcp.syn_sent }} +net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }} + +net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }} +net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }} + +net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }} diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 new file mode 100644 index 0000000..1b12fec --- /dev/null +++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 @@ -0,0 +1,2 @@ +# Autogenerated by system_conntrack.py +options nf_conntrack hashsize={{ hash_size }} diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2 new file mode 100644 index 0000000..30e619d --- /dev/null +++ b/data/templates/conntrackd/conntrackd.conf.j2 @@ -0,0 +1,114 @@ +### autogenerated by service_conntrack-sync.py ### + +# Synchronizer settings +Sync { + Mode FTFW { + DisableExternalCache {{ 'on' if disable_external_cache is vyos_defined else 'off' }} + StartupResync {{ 'on' if startup_resync is vyos_defined else 'off' }} + } +{% for iface, iface_config in interface.items() %} +{% if iface_config.peer is vyos_defined %} + UDP { +{% if listen_address is vyos_defined %} +{% for address in listen_address %} + IPv4_address {{ address }} +{% endfor %} +{% endif %} + IPv4_Destination_Address {{ iface_config.peer }} + Port {{ iface_config.port if iface_config.port is vyos_defined else '3780' }} + Interface {{ iface }} + SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} + RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} + Checksum on + } +{% else %} + Multicast { +{% set ip_address = iface | get_ipv4 %} + IPv4_address {{ mcast_group }} + Group {{ iface_config.port if iface_config.port is vyos_defined else '3780' }} + IPv4_interface {{ ip_address[0] | ip_from_cidr }} + Interface {{ iface }} + SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} + RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} + Checksum on + } +{% endif %} +{% endfor %} +{% if expect_sync is vyos_defined %} + Options { +{% if 'all' in expect_sync %} + ExpectationSync on +{% else %} + ExpectationSync { +{% for protocol in expect_sync %} + {{ protocol }} +{% endfor %} + } +{% endif %} + } +{% endif %} +} +Helper { + Type rpc inet tcp { + QueueNum 3 + Policy rpc { + ExpectMax 1 + ExpectTimeout 300 + } + } + Type rpc inet udp { + QueueNum 4 + Policy rpc { + ExpectMax 1 + ExpectTimeout 300 + } + } + Type tns inet tcp { + QueueNum 5 + Policy tns { + ExpectMax 1 + ExpectTimeout 300 + } + } +} + +# General settings +General { + HashSize {{ hash_size }} + HashLimit {{ table_size | int *2 }} + LogFile off + Syslog {{ 'off' if disable_syslog is vyos_defined else 'on' }} + LockFile /var/lock/conntrack.lock + UNIX { + Path /var/run/conntrackd.ctl + } + NetlinkBufferSize {{ 2 *1024 *1024 }} + NetlinkBufferSizeMaxGrowth {{ event_listen_queue_size | int *1024 *1024 }} + NetlinkOverrunResync off + NetlinkEventsReliable on +{% if ignore_address is vyos_defined or accept_protocol is vyos_defined %} + Filter From Userspace { +{% if ignore_address is vyos_defined %} + Address Ignore { +{% for address in ignore_address if address | is_ipv4 %} + IPv4_address {{ address }} +{% endfor %} +{% for address in ignore_address if address | is_ipv6 %} + IPv6_address {{ address }} +{% endfor %} + } +{% endif %} +{% if accept_protocol is vyos_defined %} + Protocol Accept { +{% for protocol in accept_protocol %} +{% if protocol == 'icmp6' %} + IPv6-ICMP +{% else %} + {{ protocol | upper }} +{% endif %} +{% endfor %} + } +{% endif %} + } +{% endif %} +} diff --git a/data/templates/conntrackd/conntrackd.op-mode.j2 b/data/templates/conntrackd/conntrackd.op-mode.j2 new file mode 100644 index 0000000..82f7e28 --- /dev/null +++ b/data/templates/conntrackd/conntrackd.op-mode.j2 @@ -0,0 +1,13 @@ +Source Destination Protocol +{% for parsed in data if parsed.flow.meta is vyos_defined %} +{% for key in parsed.flow.meta %} +{% if key['@direction'] == 'original' %} +{% set saddr = key.layer3.src | bracketize_ipv6 %} +{% set sport = key.layer4.sport %} +{% set daddr = key.layer3.dst | bracketize_ipv6 %} +{% set dport = key.layer4.dport %} +{% set protocol = key.layer4['@protoname'] %} +{{ "%-48s" | format(saddr ~ ':' ~ sport) }} {{ "%-48s" | format(daddr ~ ':' ~ dport) }} {{ protocol }} +{% endif %} +{% endfor %} +{% endfor %} diff --git a/data/templates/conserver/conserver.conf.j2 b/data/templates/conserver/conserver.conf.j2 new file mode 100644 index 0000000..ffd2938 --- /dev/null +++ b/data/templates/conserver/conserver.conf.j2 @@ -0,0 +1,40 @@ +### Autogenerated by service_console-server.py ### + +# See https://www.conserver.com/docs/conserver.cf.man.html for additional options + +config * { + primaryport 3109; + daemonmode false; +} + +default * { + motd "VyOS Console Server"; + rw *; +} + +## +## list of consoles we serve +## +{% for key, value in device.items() %} +{# Depending on our USB serial console we could require a path adjustment #} +{% set path = '/dev' if key.startswith('ttyS') else '/dev/serial/by-bus' %} +console {{ key }} { + master localhost; + type device; + device {{ path }}/{{ key }}; + baud {{ value.speed }}; + parity {{ value.parity }}; + options {{ "!" if value.stop_bits == "1" }}cstopb; +{% if value.alias is vyos_defined %} + aliases "{{ value.alias }}"; +{% endif %} +} +{% endfor %} + +## +## list of clients we allow +## +access * { + trusted localhost; + allowed localhost; +} diff --git a/data/templates/conserver/dropbear@.service.j2 b/data/templates/conserver/dropbear@.service.j2 new file mode 100644 index 0000000..e355dab --- /dev/null +++ b/data/templates/conserver/dropbear@.service.j2 @@ -0,0 +1,4 @@ +[Service] +ExecStart= +ExecStart=/usr/sbin/dropbear -w -j -k -r /etc/dropbear/dropbear_rsa_host_key -b /etc/issue.net -c "/usr/bin/console {{ device }}" -P /run/conserver/dropbear.%I.pid -p %I +PIDFile=/run/conserver/dropbear.%I.pid diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2 new file mode 100644 index 0000000..c8b54df --- /dev/null +++ b/data/templates/container/containers.conf.j2 @@ -0,0 +1,709 @@ +### Autogenerated by container.py ### + +# The containers configuration file specifies all of the available configuration +# command-line options/flags for container engine tools like Podman & Buildah, +# but in a TOML format that can be easily modified and versioned. + +# Please refer to containers.conf(5) for details of all configuration options. +# Not all container engines implement all of the options. +# All of the options have hard coded defaults and these options will override +# the built in defaults. Users can then override these options via the command +# line. Container engines will read containers.conf files in up to three +# locations in the following order: +# 1. /usr/share/containers/containers.conf +# 2. /etc/containers/containers.conf +# 3. $HOME/.config/containers/containers.conf (Rootless containers ONLY) +# Items specified in the latter containers.conf, if they exist, override the +# previous containers.conf settings, or the default settings. + +[containers] + +# List of annotation. Specified as +# "key = value" +# If it is empty or commented out, no annotations will be added +# +#annotations = [] + +# Used to change the name of the default AppArmor profile of container engine. +# +#apparmor_profile = "container-default" + +# The hosts entries from the base hosts file are added to the containers hosts +# file. This must be either an absolute path or as special values "image" which +# uses the hosts file from the container image or "none" which means +# no base hosts file is used. The default is "" which will use /etc/hosts. +# +#base_hosts_file = "" + +# Default way to to create a cgroup namespace for the container +# Options are: +# `private` Create private Cgroup Namespace for the container. +# `host` Share host Cgroup Namespace with the container. +# +#cgroupns = "private" + +# Control container cgroup configuration +# Determines whether the container will create CGroups. +# Options are: +# `enabled` Enable cgroup support within container +# `disabled` Disable cgroup support, will inherit cgroups from parent +# `no-conmon` Do not create a cgroup dedicated to conmon. +# +#cgroups = "enabled" + +# List of default capabilities for containers. If it is empty or commented out, +# the default capabilities defined in the container engine will be added. +# +default_capabilities = [ + "CHOWN", + "DAC_OVERRIDE", + "FOWNER", + "FSETID", + "KILL", + "NET_BIND_SERVICE", + "SETFCAP", + "SETGID", + "SETPCAP", + "SETUID", + "SYS_CHROOT" +] + +# A list of sysctls to be set in containers by default, +# specified as "name=value", +# for example:"net.ipv4.ping_group_range=0 0". +# +default_sysctls = [ + "net.ipv4.ping_group_range=0 0", +] + +# A list of ulimits to be set in containers by default, specified as +# "<ulimit name>=<soft limit>:<hard limit>", for example: +# "nofile=1024:2048" +# See setrlimit(2) for a list of resource names. +# Any limit not specified here will be inherited from the process launching the +# container engine. +# Ulimits has limits for non privileged container engines. +# +#default_ulimits = [ +# "nofile=1280:2560", +#] + +# List of devices. Specified as +# "<device-on-host>:<device-on-container>:<permissions>", for example: +# "/dev/sdc:/dev/xvdc:rwm". +# If it is empty or commented out, only the default devices will be used +# +#devices = [] + +# List of default DNS options to be added to /etc/resolv.conf inside of the container. +# +#dns_options = [] + +# List of default DNS search domains to be added to /etc/resolv.conf inside of the container. +# +#dns_searches = [] + +# Set default DNS servers. +# This option can be used to override the DNS configuration passed to the +# container. The special value "none" can be specified to disable creation of +# /etc/resolv.conf in the container. +# The /etc/resolv.conf file in the image will be used without changes. +# +#dns_servers = [] + +# Environment variable list for the conmon process; used for passing necessary +# environment variables to conmon or the runtime. +# +#env = [ +# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", +# "TERM=xterm", +#] + +# Pass all host environment variables into the container. +# +#env_host = false + +# Set the ip for the host.containers.internal entry in the containers /etc/hosts +# file. This can be set to "none" to disable adding this entry. By default it +# will automatically choose the host ip. +# +# NOTE: When using podman machine this entry will never be added to the containers +# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore +# it is not possible to disable the entry in this case. +# +#host_containers_internal_ip = "" + +# Default proxy environment variables passed into the container. +# The environment variables passed in include: +# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of +# these. This option is needed when host system uses a proxy but container +# should not use proxy. Proxy environment variables specified for the container +# in any other way will override the values passed from the host. +# +#http_proxy = true + +# Run an init inside the container that forwards signals and reaps processes. +# +#init = false + +# Container init binary, if init=true, this is the init binary to be used for containers. +# +#init_path = "/usr/libexec/podman/catatonit" + +# Default way to to create an IPC namespace (POSIX SysV IPC) for the container +# Options are: +# "host" Share host IPC Namespace with the container. +# "none" Create shareable IPC Namespace for the container without a private /dev/shm. +# "private" Create private IPC Namespace for the container, other containers are not allowed to share it. +# "shareable" Create shareable IPC Namespace for the container. +# +#ipcns = "shareable" + +# keyring tells the container engine whether to create +# a kernel keyring for use within the container. +# +#keyring = true + +# label tells the container engine whether to use container separation using +# MAC(SELinux) labeling or not. +# The label flag is ignored on label disabled systems. +# +#label = true + +# Logging driver for the container. Available options: k8s-file and journald. +# +#log_driver = "k8s-file" + +# Maximum size allowed for the container log file. Negative numbers indicate +# that no size limit is imposed. If positive, it must be >= 8192 to match or +# exceed conmon's read buffer. The file is truncated and re-opened so the +# limit is never exceeded. +# +#log_size_max = -1 + +# Specifies default format tag for container log messages. +# This is useful for creating a specific tag for container log messages. +# Containers logs default to truncated container ID as a tag. +# +#log_tag = "" + +# Default way to to create a Network namespace for the container +# Options are: +# `private` Create private Network Namespace for the container. +# `host` Share host Network Namespace with the container. +# `none` Containers do not use the network +# +#netns = "private" + +# Create /etc/hosts for the container. By default, container engine manage +# /etc/hosts, automatically adding the container's own IP address. +# +#no_hosts = false + +# Default way to to create a PID namespace for the container +# Options are: +# `private` Create private PID Namespace for the container. +# `host` Share host PID Namespace with the container. +# +#pidns = "private" + +# Maximum number of processes allowed in a container. +# +#pids_limit = 2048 + +# Copy the content from the underlying image into the newly created volume +# when the container is created instead of when it is started. If false, +# the container engine will not copy the content until the container is started. +# Setting it to true may have negative performance implications. +# +#prepare_volume_on_create = false + +# Path to the seccomp.json profile which is used as the default seccomp profile +# for the runtime. +# +#seccomp_profile = "/usr/share/containers/seccomp.json" + +# Size of /dev/shm. Specified as <number><unit>. +# Unit is optional, values: +# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). +# If the unit is omitted, the system uses bytes. +# +#shm_size = "65536k" + +# Set timezone in container. Takes IANA timezones as well as "local", +# which sets the timezone in the container to match the host machine. +# +#tz = "" + +# Set umask inside the container +# +#umask = "0022" + +# Default way to to create a User namespace for the container +# Options are: +# `auto` Create unique User Namespace for the container. +# `host` Share host User Namespace with the container. +# +#userns = "host" + +# Number of UIDs to allocate for the automatic container creation. +# UIDs are allocated from the "container" UIDs listed in +# /etc/subuid & /etc/subgid +# +#userns_size = 65536 + +# Default way to to create a UTS namespace for the container +# Options are: +# `private` Create private UTS Namespace for the container. +# `host` Share host UTS Namespace with the container. +# +#utsns = "private" + +# List of volumes. Specified as +# "<directory-on-host>:<directory-in-container>:<options>", for example: +# "/db:/var/lib/db:ro". +# If it is empty or commented out, no volumes will be added +# +#volumes = [] + +[secrets] +#driver = "file" + +[secrets.opts] +#root = "/example/directory" + +[network] + +# Network backend determines what network driver will be used to set up and tear down container networks. +# Valid values are "cni" and "netavark". +# The default value is empty which means that it will automatically choose CNI or netavark. If there are +# already containers/images or CNI networks preset it will choose CNI. +# +# Before changing this value all containers must be stopped otherwise it is likely that +# iptables rules and network interfaces might leak on the host. A reboot will fix this. +# +network_backend = "netavark" + +# Path to directory where CNI plugin binaries are located. +# +#cni_plugin_dirs = [ +# "/usr/local/libexec/cni", +# "/usr/libexec/cni", +# "/usr/local/lib/cni", +# "/usr/lib/cni", +# "/opt/cni/bin", +#] + +# The network name of the default network to attach pods to. +# +#default_network = "podman" + +# The default subnet for the default network given in default_network. +# If a network with that name does not exist, a new network using that name and +# this subnet will be created. +# Must be a valid IPv4 CIDR prefix. +# +#default_subnet = "10.88.0.0/16" + +# DefaultSubnetPools is a list of subnets and size which are used to +# allocate subnets automatically for podman network create. +# It will iterate through the list and will pick the first free subnet +# with the given size. This is only used for ipv4 subnets, ipv6 subnets +# are always assigned randomly. +# +#default_subnet_pools = [ +# {"base" = "10.89.0.0/16", "size" = 24}, +# {"base" = "10.90.0.0/15", "size" = 24}, +# {"base" = "10.92.0.0/14", "size" = 24}, +# {"base" = "10.96.0.0/11", "size" = 24}, +# {"base" = "10.128.0.0/9", "size" = 24}, +#] + +# Path to the directory where network configuration files are located. +# For the CNI backend the default is "/etc/cni/net.d" as root +# and "$HOME/.config/cni/net.d" as rootless. +# For the netavark backend "/etc/containers/networks" is used as root +# and "$graphroot/networks" as rootless. +# +#network_config_dir = "/etc/cni/net.d/" + +# Port to use for dns forwarding daemon with netavark in rootful bridge +# mode and dns enabled. +# Using an alternate port might be useful if other dns services should +# run on the machine. +# +#dns_bind_port = 53 + +[engine] +# Index to the active service +# +#active_service = production + +# The compression format to use when pushing an image. +# Valid options are: `gzip`, `zstd` and `zstd:chunked`. +# +#compression_format = "gzip" + + +# Cgroup management implementation used for the runtime. +# Valid options "systemd" or "cgroupfs" +# +#cgroup_manager = "systemd" + +# Environment variables to pass into conmon +# +#conmon_env_vars = [ +# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +#] + +# Paths to look for the conmon container manager binary +# +#conmon_path = [ +# "/usr/libexec/podman/conmon", +# "/usr/local/libexec/podman/conmon", +# "/usr/local/lib/podman/conmon", +# "/usr/bin/conmon", +# "/usr/sbin/conmon", +# "/usr/local/bin/conmon", +# "/usr/local/sbin/conmon" +#] + +# Enforces using docker.io for completing short names in Podman's compatibility +# REST API. Note that this will ignore unqualified-search-registries and +# short-name aliases defined in containers-registries.conf(5). +#compat_api_enforce_docker_hub = true + +# Specify the keys sequence used to detach a container. +# Format is a single character [a-Z] or a comma separated sequence of +# `ctrl-<value>`, where `<value>` is one of: +# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_` +# +#detach_keys = "ctrl-p,ctrl-q" + +# Determines whether engine will reserve ports on the host when they are +# forwarded to containers. When enabled, when ports are forwarded to containers, +# ports are held open by as long as the container is running, ensuring that +# they cannot be reused by other programs on the host. However, this can cause +# significant memory usage if a container has many ports forwarded to it. +# Disabling this can save memory. +# +#enable_port_reservation = true + +# Environment variables to be used when running the container engine (e.g., Podman, Buildah). +# For example "http_proxy=internal.proxy.company.com". +# Note these environment variables will not be used within the container. +# Set the env section under [containers] table, if you want to set environment variables for the container. +# +#env = [] + +# Define where event logs will be stored, when events_logger is "file". +#events_logfile_path="" + +# Sets the maximum size for events_logfile_path. +# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). +# The format for the size is `<number><unit>`, e.g., `1b` or `3g`. +# If no unit is included then the size will be read in bytes. +# When the limit is exceeded, the logfile will be rotated and the old one will be deleted. +# If the maximum size is set to 0, then no limit will be applied, +# and the logfile will not be rotated. +#events_logfile_max_size = "1m" + +# Selects which logging mechanism to use for container engine events. +# Valid values are `journald`, `file` and `none`. +# +#events_logger = "journald" + +# A is a list of directories which are used to search for helper binaries. +# +#helper_binaries_dir = [ +# "/usr/local/libexec/podman", +# "/usr/local/lib/podman", +# "/usr/libexec/podman", +# "/usr/lib/podman", +#] + +# Path to OCI hooks directories for automatically executed hooks. +# +#hooks_dir = [ +# "/usr/share/containers/oci/hooks.d", +#] + +# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building +# container images. By default image pulled and pushed match the format of the +# source image. Building/committing defaults to OCI. +# +#image_default_format = "" + +# Default transport method for pulling and pushing for images +# +#image_default_transport = "docker://" + +# Maximum number of image layers to be copied (pulled/pushed) simultaneously. +# Not setting this field, or setting it to zero, will fall back to containers/image defaults. +# +#image_parallel_copies = 0 + +# Tells container engines how to handle the builtin image volumes. +# * bind: An anonymous named volume will be created and mounted +# into the container. +# * tmpfs: The volume is mounted onto the container as a tmpfs, +# which allows users to create content that disappears when +# the container is stopped. +# * ignore: All volumes are just ignored and no action is taken. +# +#image_volume_mode = "" + +# Default command to run the infra container +# +#infra_command = "/pause" + +# Infra (pause) container image name for pod infra containers. When running a +# pod, we start a `pause` process in a container to hold open the namespaces +# associated with the pod. This container does nothing other then sleep, +# reserving the pods resources for the lifetime of the pod. By default container +# engines run a builtin container using the pause executable. If you want override +# specify an image to pull. +# +#infra_image = "" + +# Specify the locking mechanism to use; valid values are "shm" and "file". +# Change the default only if you are sure of what you are doing, in general +# "file" is useful only on platforms where cgo is not available for using the +# faster "shm" lock type. You may need to run "podman system renumber" after +# you change the lock type. +# +#lock_type** = "shm" + +# MultiImageArchive - if true, the container engine allows for storing archives +# (e.g., of the docker-archive transport) with multiple images. By default, +# Podman creates single-image archives. +# +#multi_image_archive = "false" + +# Default engine namespace +# If engine is joined to a namespace, it will see only containers and pods +# that were created in the same namespace, and will create new containers and +# pods in that namespace. +# The default namespace is "", which corresponds to no namespace. When no +# namespace is set, all containers and pods are visible. +# +#namespace = "" + +# Path to the slirp4netns binary +# +#network_cmd_path = "" + +# Default options to pass to the slirp4netns binary. +# Valid options values are: +# +# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). +# Default is false. +# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`). +# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`). +# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`). +# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only). +# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to. +# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only). +# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to. +# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default. +# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container +# network namespace, usually `10.0.2.100`. If your application requires the real source IP address, +# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for +# rootless containers when connected to user-defined networks. +# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but +# preserves the correct source IP address. This port handler cannot be used for user-defined networks. +# +#network_cmd_options = [] + +# Whether to use chroot instead of pivot_root in the runtime +# +#no_pivot_root = false + +# Number of locks available for containers and pods. +# If this is changed, a lock renumber must be performed (e.g. with the +# 'podman system renumber' command). +# +#num_locks = 2048 + +# Set the exit policy of the pod when the last container exits. +#pod_exit_policy = "continue" + +# Whether to pull new image before running a container +# +#pull_policy = "missing" + +# Indicates whether the application should be running in remote mode. This flag modifies the +# --remote option on container engines. Setting the flag to true will default +# `podman --remote=true` for access to the remote Podman service. +# +#remote = false + +# Default OCI runtime +# +#runtime = "crun" + +# List of the OCI runtimes that support --format=json. When json is supported +# engine will use it for reporting nicer errors. +# +#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"] + +# List of the OCI runtimes that supports running containers with KVM Separation. +# +#runtime_supports_kvm = ["kata", "krun"] + +# List of the OCI runtimes that supports running containers without cgroups. +# +#runtime_supports_nocgroups = ["crun", "krun"] + +# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment +# variable. If you specify "storage", then the location of the +# container/storage tmp directory will be used. +# image_copy_tmp_dir="/var/tmp" + +# Number of seconds to wait without a connection +# before the `podman system service` times out and exits +# +#service_timeout = 5 + +# Directory for persistent engine files (database, etc) +# By default, this will be configured relative to where the containers/storage +# stores containers +# Uncomment to change location from this default +# +#static_dir = "/var/lib/containers/storage/libpod" + +# Number of seconds to wait for container to exit before sending kill signal. +# +#stop_timeout = 10 + +# Number of seconds to wait before exit command in API process is given to. +# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds). +# +#exit_command_delay = 300 + +# map of service destinations +# +#[service_destinations] +# [service_destinations.production] +# URI to access the Podman service +# Examples: +# rootless "unix://run/user/$UID/podman/podman.sock" (Default) +# rootful "unix://run/podman/podman.sock (Default) +# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock +# remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock +# +# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock" +# Path to file containing ssh identity key +# identity = "~/.ssh/id_rsa" + +# Directory for temporary files. Must be tmpfs (wiped after reboot) +# +#tmp_dir = "/run/libpod" + +# Directory for libpod named volumes. +# By default, this will be configured relative to where containers/storage +# stores containers. +# Uncomment to change location from this default. +# +#volume_path = "/var/lib/containers/storage/volumes" + +# Default timeout (in seconds) for volume plugin operations. +# Plugins are external programs accessed via a REST API; this sets a timeout +# for requests to that API. +# A value of 0 is treated as no timeout. +#volume_plugin_timeout = 5 + +# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) +[engine.runtimes] +#crun = [ +# "/usr/bin/crun", +# "/usr/sbin/crun", +# "/usr/local/bin/crun", +# "/usr/local/sbin/crun", +# "/sbin/crun", +# "/bin/crun", +# "/run/current-system/sw/bin/crun", +#] + +#kata = [ +# "/usr/bin/kata-runtime", +# "/usr/sbin/kata-runtime", +# "/usr/local/bin/kata-runtime", +# "/usr/local/sbin/kata-runtime", +# "/sbin/kata-runtime", +# "/bin/kata-runtime", +# "/usr/bin/kata-qemu", +# "/usr/bin/kata-fc", +#] + +#runc = [ +# "/usr/bin/runc", +# "/usr/sbin/runc", +# "/usr/local/bin/runc", +# "/usr/local/sbin/runc", +# "/sbin/runc", +# "/bin/runc", +# "/usr/lib/cri-o-runc/sbin/runc", +#] + +#runsc = [ +# "/usr/bin/runsc", +# "/usr/sbin/runsc", +# "/usr/local/bin/runsc", +# "/usr/local/sbin/runsc", +# "/bin/runsc", +# "/sbin/runsc", +# "/run/current-system/sw/bin/runsc", +#] + +#krun = [ +# "/usr/bin/krun", +# "/usr/local/bin/krun", +#] + +[engine.volume_plugins] +#testplugin = "/run/podman/plugins/test.sock" + +[machine] +# Number of CPU's a machine is created with. +# +#cpus=1 + +# The size of the disk in GB created when init-ing a podman-machine VM. +# +#disk_size=10 + +# Default image URI when creating a new VM using `podman machine init`. +# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major +# version of the OS (e.g `36`) for Fedora 36. For all platforms you can +# alternatively specify a custom download URL to an image. Container engines +# translate URIs $OS and $ARCH to the native OS and ARCH. URI +# "https://example.com/$OS/$ARCH/foobar.ami" becomes +# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. +# The default value is `testing`. +# +# image = "testing" + +# Memory in MB a machine is created with. +# +#memory=2048 + +# The username to use and create on the podman machine OS for rootless +# container access. +# +#user = "core" + +# Host directories to be mounted as volumes into the VM by default. +# Environment variables like $HOME as well as complete paths are supported for +# the source and destination. An optional third field `:ro` can be used to +# tell the container engines to mount the volume readonly. +# +# volumes = [ +# "$HOME:$HOME", +#] + +# The [machine] table MUST be the last entry in this file. +# (Unless another table is added) +# TOML does not provide a way to end a table other than a further table being +# defined, so every key hereafter will be part of [machine] and not the +# main config. diff --git a/data/templates/container/registries.conf.j2 b/data/templates/container/registries.conf.j2 new file mode 100644 index 0000000..eb7ff87 --- /dev/null +++ b/data/templates/container/registries.conf.j2 @@ -0,0 +1,31 @@ +### Autogenerated by container.py ### + +# For more information on this configuration file, see containers-registries.conf(5). +# +# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES +# We recommend always using fully qualified image names including the registry +# server (full dns name), namespace, image name, and tag +# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., +# quay.io/repository/name@digest) further eliminates the ambiguity of tags. +# When using short names, there is always an inherent risk that the image being +# pulled could be spoofed. For example, a user wants to pull an image named +# `foobar` from a registry and expects it to come from myregistry.com. If +# myregistry.com is not first in the search list, an attacker could place a +# different `foobar` image at a registry earlier in the search list. The user +# would accidentally pull and run the attacker's image and code rather than the +# intended content. We recommend only adding registries which are completely +# trusted (i.e., registries which don't allow unknown or anonymous users to +# create accounts with arbitrary names). This will prevent an image from being +# spoofed, squatted or otherwise made insecure. If it is necessary to use one +# of these registries, it should be added at the end of the list. +# +# An array of host[:port] registries to try when pulling an unqualified image, in order. +# unqualified-search-registries = ["example.com"] + +{% if registry is vyos_defined %} +{% set registry_list = [] %} +{% for r, r_options in registry.items() if r_options.disable is not vyos_defined %} +{% set _ = registry_list.append(r) %} +{% endfor %} +unqualified-search-registries = {{ registry_list }} +{% endif %} diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2 new file mode 100644 index 0000000..1a4e601 --- /dev/null +++ b/data/templates/container/storage.conf.j2 @@ -0,0 +1,7 @@ +### Autogenerated by container.py ### +[storage] + driver = "overlay" + graphroot = "/usr/lib/live/mount/persistence/container/storage" + runroot = "/var/run/containers/storage" + [storage.options] + mount_program = "/usr/bin/fuse-overlayfs" diff --git a/data/templates/container/systemd-unit.j2 b/data/templates/container/systemd-unit.j2 new file mode 100644 index 0000000..d379f0a --- /dev/null +++ b/data/templates/container/systemd-unit.j2 @@ -0,0 +1,17 @@ +### Autogenerated by container.py ### +[Unit] +Description=VyOS Container {{ name }} + +[Service] +Environment=PODMAN_SYSTEMD_UNIT=%n +Restart=on-failure +ExecStartPre=/bin/rm -f %t/%n.pid %t/%n.cid +ExecStart=/usr/bin/podman run \ + --conmon-pidfile %t/%n.pid --cidfile %t/%n.cid --cgroups=no-conmon \ + {{ run_args }} +ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n.cid -t 5 +ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n.cid +ExecStopPost=/bin/rm -f %t/%n.cid +PIDFile=%t/%n.pid +KillMode=control-group +Type=forking diff --git a/data/templates/dhcp-client/dhcp6c-script.j2 b/data/templates/dhcp-client/dhcp6c-script.j2 new file mode 100644 index 0000000..14fb25c --- /dev/null +++ b/data/templates/dhcp-client/dhcp6c-script.j2 @@ -0,0 +1,31 @@ +#!/bin/sh +# Update DNS information for DHCPv6 clients +# should be used only if vyos-hostsd is running + +if /usr/bin/systemctl -q is-active vyos-hostsd; then + hostsd_client="/usr/bin/vyos-hostsd-client" + hostsd_changes= + + if [ -n "$new_domain_name" ]; then + logmsg info "Deleting search domains with tag \"dhcpv6-{{ ifname }}\" via vyos-hostsd-client" + $hostsd_client --delete-search-domains --tag "dhcpv6-{{ ifname }}" + logmsg info "Adding domain name \"$new_domain_name\" as search domain with tag \"dhcpv6-{{ ifname }}\" via vyos-hostsd-client" + $hostsd_client --add-search-domains "$new_domain_name" --tag "dhcpv6-{{ ifname }}" + hostsd_changes=y + fi + + if [ -n "$new_domain_name_servers" ]; then + logmsg info "Deleting nameservers with tag \"dhcpv6-{{ ifname }}\" via vyos-hostsd-client" + $hostsd_client --delete-name-servers --tag "dhcpv6-{{ ifname }}" + logmsg info "Adding nameservers \"$new_domain_name_servers\" with tag \"dhcpv6-{{ ifname }}\" via vyos-hostsd-client" + $hostsd_client --add-name-servers $new_domain_name_servers --tag "dhcpv6-{{ ifname }}" + hostsd_changes=y + fi + + if [ $hostsd_changes ]; then + logmsg info "Applying changes via vyos-hostsd-client" + $hostsd_client --apply + else + logmsg info "No changes to apply via vyos-hostsd-client" + fi +fi diff --git a/data/templates/dhcp-client/ipv4.j2 b/data/templates/dhcp-client/ipv4.j2 new file mode 100644 index 0000000..77905e0 --- /dev/null +++ b/data/templates/dhcp-client/ipv4.j2 @@ -0,0 +1,50 @@ +### Autogenerated by interface.py ### + +option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; +timeout 60; +retry 60; +initial-interval 2; + +interface "{{ ifname }}" { + send host-name "{{ dhcp_options.host_name }}"; +{% if dhcp_options.client_id is vyos_defined %} +{% set client_id = dhcp_options.client_id %} +{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. #} +{# If not HEX, use double quotes ASCII format #} +{% if not client_id.split(':') | length >= 3 %} +{% set client_id = '"' ~ dhcp_options.client_id ~ '"' %} +{% endif %} + send dhcp-client-identifier {{ client_id }}; +{% endif %} +{% if dhcp_options.vendor_class_id is vyos_defined %} +{% set vendor_class_id = dhcp_options.vendor_class_id %} +{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. #} +{# If not HEX, use double quotes ASCII format #} +{% if not vendor_class_id.split(':') | length >= 3 %} +{% set vendor_class_id = '"' ~ dhcp_options.vendor_class_id ~ '"' %} +{% endif %} + send vendor-class-identifier {{ vendor_class_id }}; +{% endif %} +{% if dhcp_options.user_class is vyos_defined %} +{% set user_class = dhcp_options.user_class %} +{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. #} +{# If not HEX, use double quotes ASCII format #} +{% if not user_class.split(':') | length >= 3 %} +{% set user_class = '"' ~ dhcp_options.user_class ~ '"' %} +{% endif %} + send user-class {{ user_class }}; +{% endif %} + # The request statement causes the client to request that any server responding to the + # client send the client its values for the specified options. + request subnet-mask, broadcast-address,{{ " routers," if dhcp_options.no_default_route is not vyos_defined }} domain-name-servers, + rfc3442-classless-static-routes, domain-name, interface-mtu; + + # The require statement lists options that must be sent in order for an offer to be + # accepted. Offers that do not contain all the listed options will be ignored! + require subnet-mask; +{% if dhcp_options.reject is vyos_defined %} + # Block addresses coming from theses dhcp servers if configured. + reject {{ dhcp_options.reject | join(', ') }}; +{% endif %} +} + diff --git a/data/templates/dhcp-client/ipv6.j2 b/data/templates/dhcp-client/ipv6.j2 new file mode 100644 index 0000000..311c856 --- /dev/null +++ b/data/templates/dhcp-client/ipv6.j2 @@ -0,0 +1,62 @@ +### Autogenerated by interface.py ### + +# man https://www.unix.com/man-page/debian/5/dhcp6c.conf/ +interface {{ ifname }} { +{% if dhcpv6_options.duid is vyos_defined %} + send client-id {{ dhcpv6_options.duid }}; +{% endif %} +{% if address is vyos_defined and 'dhcpv6' in address %} + request domain-name-servers; + request domain-name; +{% if dhcpv6_options.parameters_only is vyos_defined %} + information-only; +{% endif %} +{% if dhcpv6_options.temporary is not vyos_defined %} + send ia-na 0; # non-temporary address +{% endif %} +{% if dhcpv6_options.rapid_commit is vyos_defined %} + send rapid-commit; # wait for immediate reply instead of advertisements +{% endif %} +{% endif %} +{% if dhcpv6_options.pd is vyos_defined %} +{% for pd in dhcpv6_options.pd %} + send ia-pd {{ pd }}; # prefix delegation #{{ pd }} +{% endfor %} +{% endif %} + script "{{ dhcp6_script_file }}"; +}; + +{% if address is vyos_defined and 'dhcpv6' in address %} +{% if dhcpv6_options.temporary is not vyos_defined %} +id-assoc na 0 { + # Identity association for non temporary address +}; +{% endif %} +{% endif %} + +{% if dhcpv6_options.pd is vyos_defined %} +{% for pd, pd_config in dhcpv6_options.pd.items() %} +id-assoc pd {{ pd }} { +{# length got a default value #} + prefix ::/{{ pd_config.length }} infinity; +{% set sla_len = 64 - pd_config.length | int %} +{% set count = namespace(value=0) %} +{% if pd_config.interface is vyos_defined %} +{% for interface, interface_config in pd_config.interface.items() if pd_config.interface is vyos_defined %} + prefix-interface {{ interface }} { + sla-len {{ sla_len }}; +{% if interface_config.sla_id is vyos_defined %} + sla-id {{ interface_config.sla_id }}; +{% else %} + sla-id {{ count.value }}; +{% endif %} +{% if interface_config.address is vyos_defined %} + ifid {{ interface_config.address }}; +{% endif %} + }; +{% set count.value = count.value + 1 %} +{% endfor %} +{% endif %} +}; +{% endfor %} +{% endif %} diff --git a/data/templates/dhcp-client/ipv6.override.conf.j2 b/data/templates/dhcp-client/ipv6.override.conf.j2 new file mode 100644 index 0000000..b0c0e05 --- /dev/null +++ b/data/templates/dhcp-client/ipv6.override.conf.j2 @@ -0,0 +1,12 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +{% set no_release = '-n' if dhcpv6_options.no_release is vyos_defined else '' %} +{% set dhcp6c_options = '-D -k ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.sock -c ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.conf -p ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.pid ' ~ no_release %} + +[Unit] +ConditionPathExists={{ dhcp6_client_dir }}/dhcp6c.%i.conf + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/dhcp6c {{ dhcp6c_options }} {{ ifname }} +WorkingDirectory={{ dhcp6_client_dir }} +PIDFile={{ dhcp6_client_dir }}/dhcp6c.%i.pid diff --git a/data/templates/dhcp-client/override.conf.j2 b/data/templates/dhcp-client/override.conf.j2 new file mode 100644 index 0000000..c2e059c --- /dev/null +++ b/data/templates/dhcp-client/override.conf.j2 @@ -0,0 +1,12 @@ +### Autogenerated by interface.py ### +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +{% set if_metric = '-e IF_METRIC=' ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined else '' %} +{% set dhclient_options = '-d -nw -cf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.conf -pf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.pid -lf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.leases ' ~ if_metric %} + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/sbin/dhclient -4 {{ dhclient_options }} {{ ifname }} +ExecStop= +ExecStop={{ vrf_command }}/sbin/dhclient -4 -r {{ dhclient_options }} {{ ifname }} +WorkingDirectory={{ isc_dhclient_dir }} +PIDFile={{ isc_dhclient_dir }}/dhclient_%i.pid diff --git a/data/templates/dhcp-relay/dhcrelay.conf.j2 b/data/templates/dhcp-relay/dhcrelay.conf.j2 new file mode 100644 index 0000000..71a3954 --- /dev/null +++ b/data/templates/dhcp-relay/dhcrelay.conf.j2 @@ -0,0 +1,9 @@ +### Autogenerated by service_dhcp-relay.py ### + +{% set max_size = '-A ' ~ relay_options.max_size if relay_options.max_size is vyos_defined %} +{# hop_count and relay_agents_packets is a default option, thus it is always present #} +{% if interface is vyos_defined %} +OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -i {{ interface | join(' -i ') }} {{ server | join(' ') }}" +{% else %} +OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -id {{ listen_interface | join(' -id ') }} -iu {{ upstream_interface | join(' -iu ') }} {{ server | join(' ') }}" +{% endif %} diff --git a/data/templates/dhcp-relay/dhcrelay6.conf.j2 b/data/templates/dhcp-relay/dhcrelay6.conf.j2 new file mode 100644 index 0000000..25f7671 --- /dev/null +++ b/data/templates/dhcp-relay/dhcrelay6.conf.j2 @@ -0,0 +1,20 @@ +### Autogenerated by service_dhcpv6-relay.py ### + +{# upstream_interface is mandatory so it's always present #} +{% set upstream = namespace(value='') %} +{% for interface, config in upstream_interface.items() %} +{% for address in config.address %} +{% set upstream.value = upstream.value ~ '-u ' ~ address ~ '%' ~ interface ~ ' ' %} +{% endfor %} +{% endfor %} +{# listen_interface is mandatory so it's always present #} +{% set listen = namespace(value='') %} +{% for interface, config in listen_interface.items() %} +{% if config.address is vyos_defined %} +{% set listen.value = listen.value ~ '-l ' ~ config.address ~ '%' ~ interface ~ ' ' %} +{% else %} +{% set listen.value = listen.value ~ '-l ' ~ interface ~ ' ' %} +{% endif %} +{% endfor %} + +OPTIONS="{{ listen.value }} {{ upstream.value }} -c {{ max_hop_count }} {{ '-I' if use_interface_id_option is vyos_defined }}" diff --git a/data/templates/dhcp-server/10-override.conf.j2 b/data/templates/dhcp-server/10-override.conf.j2 new file mode 100644 index 0000000..6cf9e0a --- /dev/null +++ b/data/templates/dhcp-server/10-override.conf.j2 @@ -0,0 +1,2 @@ +[Unit] +ConditionFileNotEmpty= diff --git a/data/templates/dhcp-server/kea-ctrl-agent.conf.j2 b/data/templates/dhcp-server/kea-ctrl-agent.conf.j2 new file mode 100644 index 0000000..b37cf47 --- /dev/null +++ b/data/templates/dhcp-server/kea-ctrl-agent.conf.j2 @@ -0,0 +1,14 @@ +{ + "Control-agent": { +{% if high_availability is vyos_defined %} + "http-host": "{{ high_availability.source_address }}", + "http-port": 647, + "control-sockets": { + "dhcp4": { + "socket-type": "unix", + "socket-name": "/run/kea/dhcp4-ctrl-socket" + } + } +{% endif %} + } +} diff --git a/data/templates/dhcp-server/kea-dhcp4.conf.j2 b/data/templates/dhcp-server/kea-dhcp4.conf.j2 new file mode 100644 index 0000000..bf37b94 --- /dev/null +++ b/data/templates/dhcp-server/kea-dhcp4.conf.j2 @@ -0,0 +1,80 @@ +{ + "Dhcp4": { + "interfaces-config": { +{% if listen_address is vyos_defined %} + "interfaces": {{ listen_address | kea_address_json }}, + "dhcp-socket-type": "udp", +{% elif listen_interface is vyos_defined %} + "interfaces": {{ listen_interface | tojson }}, + "dhcp-socket-type": "raw", +{% else %} + "interfaces": [ "*" ], + "dhcp-socket-type": "raw", +{% endif %} + "service-sockets-max-retries": 5, + "service-sockets-retry-wait-time": 5000 + }, + "control-socket": { + "socket-type": "unix", + "socket-name": "/run/kea/dhcp4-ctrl-socket" + }, + "lease-database": { + "type": "memfile", + "persist": true, + "name": "{{ lease_file }}" + }, + "option-def": [ + { + "name": "rfc3442-static-route", + "code": 121, + "type": "record", + "array": true, + "record-types": "uint8,uint8,uint8,uint8,uint8,uint8,uint8,uint8" + }, + { + "name": "windows-static-route", + "code": 249, + "type": "record", + "array": true, + "record-types": "uint8,uint8,uint8,uint8,uint8,uint8,uint8,uint8" + }, + { + "name": "wpad-url", + "code": 252, + "type": "string" + }, + { + "name": "unifi-controller", + "code": 1, + "type": "ipv4-address", + "space": "ubnt" + } + ], + "hooks-libraries": [ +{% if high_availability is vyos_defined %} + { + "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_ha.so", + "parameters": { + "high-availability": [{{ high_availability | kea_high_availability_json }}] + } + }, +{% endif %} +{% if hostfile_update is vyos_defined %} + { + "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_run_script.so", + "parameters": { + "name": "/usr/libexec/vyos/system/on-dhcp-event.sh", + "sync": false + } + }, +{% endif %} + { + "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_lease_cmds.so", + "parameters": {} + } + ], +{% if shared_network_name is vyos_defined %} + "shared-networks": {{ shared_network_name | kea_shared_network_json }} +{% endif %} + } +} diff --git a/data/templates/dhcp-server/kea-dhcp6.conf.j2 b/data/templates/dhcp-server/kea-dhcp6.conf.j2 new file mode 100644 index 0000000..2f0de6b --- /dev/null +++ b/data/templates/dhcp-server/kea-dhcp6.conf.j2 @@ -0,0 +1,61 @@ +{ + "Dhcp6": { + "interfaces-config": { +{% if listen_interface is vyos_defined %} + "interfaces": {{ listen_interface | tojson }}, +{% else %} + "interfaces": [ "*" ], +{% endif %} + "service-sockets-max-retries": 5, + "service-sockets-retry-wait-time": 5000 + }, + "control-socket": { + "socket-type": "unix", + "socket-name": "/run/kea/dhcp6-ctrl-socket" + }, + "lease-database": { + "type": "memfile", + "persist": true, + "name": "{{ lease_file }}" + }, + "hooks-libraries": [ +{% if disable_route_autoinstall is not vyos_defined %} + { + "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_run_script.so", + "parameters": { + "name": "/usr/libexec/vyos/system/on-dhcpv6-event.sh", + "sync": false + } + }, +{% endif %} + { + "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_lease_cmds.so", + "parameters": {} + } + ], + "option-data": [ +{% if global_parameters.name_server is vyos_defined %} + { + "name": "dns-servers", + "code": 23, + "space": "dhcp6", + "csv-format": true, + "data": "{{ global_parameters.name_server | join(", ") }}" + }{{ ',' if preference is vyos_defined else '' }} +{% endif %} +{% if preference is vyos_defined %} + { + "name": "preference", + "code": 7, + "space": "dhcp6", + "csv-format": true, + "data": "{{ preference }}" + } +{% endif %} + ], +{% if shared_network_name is vyos_defined %} + "shared-networks": {{ shared_network_name | kea6_shared_network_json }} +{% endif %} + + } +} diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2 new file mode 100644 index 0000000..5538ea5 --- /dev/null +++ b/data/templates/dns-dynamic/ddclient.conf.j2 @@ -0,0 +1,59 @@ +{% macro render_config(host, address, web_options, ip_suffixes=['']) %} +{# Address: use=if, if=ethX, usev6=ifv6, ifv6=ethX, usev6=webv6, webv6=https://v6.example.com #} +{% for ipv in ip_suffixes %} +use{{ ipv }}={{ address if address == 'web' else 'if' }}{{ ipv }}, \ +{% if address == 'web' %} +{% if web_options.url is vyos_defined %} +web{{ ipv }}={{ web_options.url }}, \ +{% endif %} +{% if web_options.skip is vyos_defined %} +web{{ ipv }}-skip='{{ web_options.skip }}', \ +{% endif %} +{% else %} +if{{ ipv }}={{ address }}, \ +{% endif %} +{% endfor %} +{# Other service options with special treatment for password #} +{% for k,v in kwargs.items() if v is vyos_defined %} +{{ k | replace('_', '-') }}={{ "'%s'" % (v) if k == 'password' else v }}{{ ',' if not loop.last }} \ +{% endfor %} +{# Actual hostname for the service #} +{{ host }} +{% endmacro %} +### Autogenerated by service_dns_dynamic.py ### +daemon={{ interval }} +syslog=yes +ssl=yes +pid={{ config_file | replace('.conf', '.pid') }} +cache={{ config_file | replace('.conf', '.cache') }} +{# ddclient default (web=dyndns) doesn't support ssl and results in process lockup #} +web=googledomains +{# ddclient default (use=ip) results in confusing warning message in log #} +use=no + +{% if name is vyos_defined %} +{% for service, config in name.items() %} +{% if config.description is vyos_defined %} + +# {{ config.description }} +{% endif %} +{% for host in config.host_name if config.host_name is vyos_defined %} +{# ip_suffixes can be either of ['v4'], ['v6'], ['v4', 'v6'] for all protocols except 'nsupdate' + ip_suffixes must be [''] for nsupdate since it doesn't support usevX/wantipvX yet #} +{% set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both' + else ([config.ip_version[2:]] if config.protocol != 'nsupdate' + else ['']) %} +{% set password = config.key if config.protocol == 'nsupdate' + else config.password %} +{% set address = 'web' if config.address.web is vyos_defined + else config.address.interface %} +{% set web_options = config.address.web | default({}) %} + +# Web service dynamic DNS configuration for {{ service }}: [{{ config.protocol }}, {{ host }}] +{{ render_config(host, address, web_options, ip_suffixes, + protocol=config.protocol, server=config.server, zone=config.zone, + login=config.username, password=password, ttl=config.ttl, + min_interval=config.wait_time, max_interval=config.expiry_time) }} +{% endfor %} +{% endfor %} +{% endif %} diff --git a/data/templates/dns-dynamic/override.conf.j2 b/data/templates/dns-dynamic/override.conf.j2 new file mode 100644 index 0000000..4a6851c --- /dev/null +++ b/data/templates/dns-dynamic/override.conf.j2 @@ -0,0 +1,10 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +ConditionPathExists={{ config_file }} +After=vyos-router.service + +[Service] +PIDFile={{ config_file | replace('.conf', '.pid') }} +EnvironmentFile= +ExecStart= +ExecStart={{ vrf_command }}/usr/bin/ddclient -file {{ config_file }} diff --git a/data/templates/dns-forwarding/override.conf.j2 b/data/templates/dns-forwarding/override.conf.j2 new file mode 100644 index 0000000..9d81a29 --- /dev/null +++ b/data/templates/dns-forwarding/override.conf.j2 @@ -0,0 +1,8 @@ +[Unit] +ConditionPathExists={{ config_file }} +After=vyos-router.service + +[Service] +RuntimeDirectoryPreserve=yes +ExecStart= +ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir={{ config_dir }} diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2 new file mode 100644 index 0000000..5ac872f --- /dev/null +++ b/data/templates/dns-forwarding/recursor.conf.j2 @@ -0,0 +1,73 @@ +{# j2lint: disable=single-statement-per-line #} +### Autogenerated by service_dns_forwarding.py ### + +# XXX: pdns recursor doesn't like whitespace near entry separators, +# especially in the semicolon-separated lists of name servers. +# Please be careful if you edit the template. + +# Non-configurable defaults +daemon=yes +threads=1 +allow-from={{ allow_from | join(',') }} +log-common-errors=yes +non-local-bind=yes +query-local-address={{ source_address | join(',') }} +lua-config-file={{ config_dir }}/recursor.conf.lua + +# cache-size +max-cache-entries={{ cache_size }} + +# negative TTL for NXDOMAIN +max-negative-ttl={{ negative_ttl }} + +# timeout +network-timeout={{ timeout }} + +# ignore-hosts-file +export-etc-hosts={{ 'no' if ignore_hosts_file is vyos_defined else 'yes' }} + +# listen-address +local-address={{ listen_address | join(',') }} + +# listen-port +local-port={{ port }} + +# dnssec +dnssec={{ dnssec }} + +{% if dns64_prefix is vyos_defined %} +# dns64-prefix +dns64-prefix={{ dns64_prefix }} +{% endif %} + +{% if exclude_throttle_address is vyos_defined %} +# dont-throttle-netmasks +dont-throttle-netmasks={{ exclude_throttle_address | join(',') }} +{% endif %} + +{% if serve_stale_extension is vyos_defined %} +# serve-stale-extensions +serve-stale-extensions={{ serve_stale_extension }} +{% endif %} + +# serve rfc1918 records +serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }} + +# zones +auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %} + +forward-zones-file={{ config_dir }}/recursor.forward-zones.conf + +#ecs +{% if options.ecs_add_for is vyos_defined %} +ecs-add-for={{ options.ecs_add_for | join(',') }} +{% endif %} + +{% if options.ecs_ipv4_bits is vyos_defined %} +ecs-ipv4-bits={{ options.ecs_ipv4_bits }} +{% endif %} + +{% if options.edns_subnet_allow_list is vyos_defined %} +edns-subnet-allow-list={{ options.edns_subnet_allow_list | join(',') }} +{% endif %} + diff --git a/data/templates/dns-forwarding/recursor.conf.lua.j2 b/data/templates/dns-forwarding/recursor.conf.lua.j2 new file mode 100644 index 0000000..8026442 --- /dev/null +++ b/data/templates/dns-forwarding/recursor.conf.lua.j2 @@ -0,0 +1,8 @@ +-- Autogenerated by VyOS (service_dns_forwarding.py) -- +-- Do not edit, your changes will get overwritten -- + +-- Load DNSSEC root keys from dns-root-data package. +dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua") + +-- Load lua from vyos-hostsd -- +dofile("{{ config_dir }}/recursor.vyos-hostsd.conf.lua") diff --git a/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 new file mode 100644 index 0000000..593a98c --- /dev/null +++ b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 @@ -0,0 +1,28 @@ +{# j2lint: disable=operator-enclosed-by-spaces #} +# Autogenerated by VyOS (vyos-hostsd) +# Do not edit, your changes will get overwritten + +# dot zone (catch-all): '+' indicates recursion is desired +# (same as forward-zones-recurse) +{# the code below ensures the order of nameservers is determined first by #} +{# the order of tags, then by the order of nameservers within that tag #} +{% set n = namespace(dot_zone_ns='') %} +{% for tag in name_server_tags_recursor %} +{% set ns = '' %} +{% if tag in name_servers %} +{% set ns = ns + name_servers[tag] | join(', ') %} +{% set n.dot_zone_ns = (n.dot_zone_ns, ns) | join(', ') if n.dot_zone_ns != '' else ns %} +{% endif %} +# {{ tag }}: {{ ns }} +{% endfor %} + +{% if n.dot_zone_ns %} ++.={{ n.dot_zone_ns }} +{% endif %} + +{% if forward_zones is vyos_defined %} +# zones added via 'service dns forwarding domain' +{% for zone, zonedata in forward_zones.items() %} +{{ "+" if zonedata.recursion_desired is vyos_defined }}{{ zone | replace('_', '-') }}={{ zonedata.name_server | join(', ') }} +{% endfor %} +{% endif %} diff --git a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.j2 b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.j2 new file mode 100644 index 0000000..987c7de --- /dev/null +++ b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.j2 @@ -0,0 +1,30 @@ +-- Autogenerated by VyOS (vyos-hostsd) -- +-- Do not edit, your changes will get overwritten -- + +{% if hosts %} +-- from 'system static-host-mapping' and DHCP server +{% for tag, taghosts in hosts.items() %} +{% for host, hostprops in taghosts.items() %} +addNTA("{{ host }}.", "{{ tag }}") +{% for a in hostprops['aliases'] %} +addNTA("{{ a }}.", "{{ tag }} alias") +{% endfor %} +{% endfor %} +{% endfor %} +{% endif %} + +{% if forward_zones is vyos_defined %} +-- from 'service dns forwarding domain' +{% for zone, zonedata in forward_zones.items() %} +{% if zonedata.addnta is vyos_defined %} +addNTA("{{ zone }}", "static") +{% endif %} +{% endfor %} +{% endif %} + +{% if authoritative_zones is vyos_defined %} +-- from 'service dns forwarding authoritative-domain' +{% for zone in authoritative_zones %} +addNTA("{{ zone }}", "static") +{% endfor %} +{% endif %} diff --git a/data/templates/dns-forwarding/recursor.zone.conf.j2 b/data/templates/dns-forwarding/recursor.zone.conf.j2 new file mode 100644 index 0000000..797068c --- /dev/null +++ b/data/templates/dns-forwarding/recursor.zone.conf.j2 @@ -0,0 +1,6 @@ +; +; Autogenerated by service_dns_forwarding.py +; +{% for r in records %} +{{ r.name }} {{ r.ttl }} {{ r.type }} {{ r.value }} +{% endfor %} diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2 new file mode 100644 index 0000000..6da2fa5 --- /dev/null +++ b/data/templates/ethernet/wpa_supplicant.conf.j2 @@ -0,0 +1,76 @@ +### Autogenerated by interfaces_ethernet.py ### + +# see full documentation: +# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf + +# For UNIX domain sockets (default on Linux and BSD): This is a directory that +# will be created for UNIX domain sockets for listening to requests from +# external programs (CLI/GUI, etc.) for status information and configuration. +# The socket file will be named based on the interface name, so multiple +# wpa_supplicant processes can be run at the same time if more than one +# interface is used. +# /var/run/wpa_supplicant is the recommended directory for sockets and by +# default, wpa_cli will use it when trying to connect with wpa_supplicant. +ctrl_interface=/run/wpa_supplicant + +# IEEE 802.1X/EAPOL version +# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines +# EAPOL version 2. However, there are many APs that do not handle the new +# version number correctly (they seem to drop the frames completely). In order +# to make wpa_supplicant interoperate with these APs, the version number is set +# to 1 by default. This configuration value can be used to set it to the new +# version (2). +# Note: When using MACsec, eapol_version shall be set to 3, which is +# defined in IEEE Std 802.1X-2010. +eapol_version=2 + +# No need to scan for access points in EAPoL mode +ap_scan=0 + +# EAP fast re-authentication +fast_reauth=1 + +network={ +{% if eapol is vyos_defined %} +{% if eapol.ca_certificate is vyos_defined %} + ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem" +{% endif %} + client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem" + private_key="/run/wpa_supplicant/{{ ifname }}_cert.key" +{% endif %} + + # list of accepted authenticated key management protocols + key_mgmt=IEEE8021X + eap=TLS + +{% if mac is vyos_defined %} + identity="{{ mac }}" +{% else %} + identity="{{ hw_id }}" +{% endif %} + + # eapol_flags: IEEE 802.1X/EAPOL options (bit field) + # Dynamic WEP key required for non-WPA mode + # bit0 (1): require dynamically generated unicast WEP key + # bit1 (2): require dynamically generated broadcast WEP key + # (3) = require both keys; default) + # Note: When using wired authentication (including MACsec drivers), + # eapol_flags must be set to 0 for the authentication to be completed + # successfully. + eapol_flags=0 + + # For wired IEEE 802.1X authentication, "allow_canned_success=1" can be + # used to configure a mode that allows EAP-Success (and EAP-Failure) without + # going through authentication step. Some switches use such sequence when + # forcing the port to be authorized/unauthorized or as a fallback option if + # the authentication server is unreachable. By default, wpa_supplicant + # discards such frames to protect against potential attacks by rogue + # devices, but this option can be used to disable that protection for cases + # where the server/authenticator does not need to be authenticated. + # + # "tls_disable_tlsv1_0=0" is used to allow TLSv1 for compatibility with + # legacy networks. This follows the behavior of Debian's wpa_supplicant, + # which includes a custom patch for allowing TLSv1, but the patch currently + # does not work for VyOS' git builds of wpa_supplicant. + phase1="allow_canned_success=1 tls_disable_tlsv1_0=0" +} diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2 new file mode 100644 index 0000000..dec027b --- /dev/null +++ b/data/templates/firewall/nftables-bridge.j2 @@ -0,0 +1,35 @@ +{% macro bridge(bridge) %} +{% set ns = namespace(sets=[]) %} +{% if bridge.forward is vyos_defined %} +{% for prior, conf in bridge.forward.items() %} + chain VYOS_FORWARD_{{ prior }} { + type filter hook forward priority {{ prior }}; policy accept; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('FWD-filter', 'bri') }} + } +{% endfor %} +{% endif %} + +{% if bridge.name is vyos_defined %} +{% for name_text, conf in bridge.name.items() %} + chain NAME_{{ name_text }} { +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'bri') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule(name_text, 'bri') }} + } +{% endfor %} +{% endif %} +{% endmacro %} diff --git a/data/templates/firewall/nftables-cgnat.j2 b/data/templates/firewall/nftables-cgnat.j2 new file mode 100644 index 0000000..79a8e3d --- /dev/null +++ b/data/templates/firewall/nftables-cgnat.j2 @@ -0,0 +1,47 @@ +#!/usr/sbin/nft -f + +add table ip cgnat +flush table ip cgnat + +add map ip cgnat tcp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;} +add map ip cgnat udp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;} +add map ip cgnat icmp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;} +add map ip cgnat other_nat_map { type ipv4_addr: interval ipv4_addr ; flags interval ;} +flush map ip cgnat tcp_nat_map +flush map ip cgnat udp_nat_map +flush map ip cgnat icmp_nat_map +flush map ip cgnat other_nat_map + +table ip cgnat { + map tcp_nat_map { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { {{ proto_map_elements }} } + } + + map udp_nat_map { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { {{ proto_map_elements }} } + } + + map icmp_nat_map { + type ipv4_addr : interval ipv4_addr . inet_service + flags interval + elements = { {{ proto_map_elements }} } + } + + map other_nat_map { + type ipv4_addr : interval ipv4_addr + flags interval + elements = { {{ other_map_elements }} } + } + + chain POSTROUTING { + type nat hook postrouting priority srcnat; policy accept; + ip protocol tcp counter snat ip to ip saddr map @tcp_nat_map + ip protocol udp counter snat ip to ip saddr map @udp_nat_map + ip protocol icmp counter snat ip to ip saddr map @icmp_nat_map + counter snat ip to ip saddr map @other_nat_map + } +} diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2 new file mode 100644 index 0000000..8a75ab2 --- /dev/null +++ b/data/templates/firewall/nftables-defines.j2 @@ -0,0 +1,123 @@ +{% macro groups(group, is_ipv6, is_l3) %} +{% if group is vyos_defined %} +{% set ip_type = 'ipv6_addr' if is_ipv6 else 'ipv4_addr' %} +{% if group.address_group is vyos_defined and not is_ipv6 and is_l3 %} +{% for group_name, group_conf in group.address_group.items() %} +{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} + set A_{{ group_name }} { + type {{ ip_type }} + flags interval + auto-merge +{% if group_conf.address is vyos_defined or includes %} + elements = { {{ group_conf.address | nft_nested_group(includes, group.address_group, 'address') | join(",") }} } +{% endif %} + } +{% endfor %} +{% endif %} +{% if group.ipv6_address_group is vyos_defined and is_ipv6 and is_l3 %} +{% for group_name, group_conf in group.ipv6_address_group.items() %} +{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} + set A6_{{ group_name }} { + type {{ ip_type }} + flags interval + auto-merge +{% if group_conf.address is vyos_defined or includes %} + elements = { {{ group_conf.address | nft_nested_group(includes, group.ipv6_address_group, 'address') | join(",") }} } +{% endif %} + } +{% endfor %} +{% endif %} +{% if group.domain_group is vyos_defined and is_l3 %} +{% for name, name_config in group.domain_group.items() %} + set D_{{ name }} { + type {{ ip_type }} + flags interval + } +{% endfor %} +{% endif %} +{% if group.mac_group is vyos_defined %} +{% for group_name, group_conf in group.mac_group.items() %} +{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} + set M_{{ group_name }} { + type ether_addr +{% if group_conf.mac_address is vyos_defined or includes %} + elements = { {{ group_conf.mac_address | nft_nested_group(includes, group.mac_group, 'mac_address') | join(",") }} } +{% endif %} + } +{% endfor %} +{% endif %} +{% if group.network_group is vyos_defined and not is_ipv6 and is_l3 %} +{% for group_name, group_conf in group.network_group.items() %} +{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} + set N_{{ group_name }} { + type {{ ip_type }} + flags interval + auto-merge +{% if group_conf.network is vyos_defined or includes %} + elements = { {{ group_conf.network | nft_nested_group(includes, group.network_group, 'network') | join(",") }} } +{% endif %} + } +{% endfor %} +{% endif %} +{% if group.ipv6_network_group is vyos_defined and is_ipv6 and is_l3 %} +{% for group_name, group_conf in group.ipv6_network_group.items() %} +{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} + set N6_{{ group_name }} { + type {{ ip_type }} + flags interval + auto-merge +{% if group_conf.network is vyos_defined or includes %} + elements = { {{ group_conf.network | nft_nested_group(includes, group.ipv6_network_group, 'network') | join(",") }} } +{% endif %} + } +{% endfor %} +{% endif %} +{% if group.port_group is vyos_defined and is_l3 %} +{% for group_name, group_conf in group.port_group.items() %} +{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} + set P_{{ group_name }} { + type inet_service + flags interval + auto-merge +{% if group_conf.port is vyos_defined or includes %} + elements = { {{ group_conf.port | nft_nested_group(includes, group.port_group, 'port') | join(",") }} } +{% endif %} + } +{% endfor %} +{% endif %} +{% if group.interface_group is vyos_defined %} +{% for group_name, group_conf in group.interface_group.items() %} +{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} + set I_{{ group_name }} { + type ifname + flags interval + auto-merge +{% if group_conf.interface is vyos_defined or includes %} + elements = { {{ group_conf.interface | nft_nested_group(includes, group.interface_group, 'interface') | join(",") }} } +{% endif %} + } +{% endfor %} +{% endif %} + +{% if group.dynamic_group is vyos_defined %} +{% if group.dynamic_group.address_group is vyos_defined and not is_ipv6 and is_l3 %} +{% for group_name, group_conf in group.dynamic_group.address_group.items() %} + set DA_{{ group_name }} { + type {{ ip_type }} + flags dynamic, timeout + } +{% endfor %} +{% endif %} + +{% if group.dynamic_group.ipv6_address_group is vyos_defined and is_ipv6 and is_l3 %} +{% for group_name, group_conf in group.dynamic_group.ipv6_address_group.items() %} + set DA6_{{ group_name }} { + type {{ ip_type }} + flags dynamic, timeout + } +{% endfor %} +{% endif %} +{% endif %} + +{% endif %} +{% endmacro %} diff --git a/data/templates/firewall/nftables-geoip-update.j2 b/data/templates/firewall/nftables-geoip-update.j2 new file mode 100644 index 0000000..832ccc3 --- /dev/null +++ b/data/templates/firewall/nftables-geoip-update.j2 @@ -0,0 +1,33 @@ +#!/usr/sbin/nft -f + +{% if ipv4_sets is vyos_defined %} +{% for setname, ip_list in ipv4_sets.items() %} +flush set ip vyos_filter {{ setname }} +{% endfor %} + +table ip vyos_filter { +{% for setname, ip_list in ipv4_sets.items() %} + set {{ setname }} { + type ipv4_addr + flags interval + elements = { {{ ','.join(ip_list) }} } + } +{% endfor %} +} +{% endif %} + +{% if ipv6_sets is vyos_defined %} +{% for setname, ip_list in ipv6_sets.items() %} +flush set ip6 vyos_filter {{ setname }} +{% endfor %} + +table ip6 vyos_filter { +{% for setname, ip_list in ipv6_sets.items() %} + set {{ setname }} { + type ipv6_addr + flags interval + elements = { {{ ','.join(ip_list) }} } + } +{% endfor %} +} +{% endif %} diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2 new file mode 100644 index 0000000..4254f6a --- /dev/null +++ b/data/templates/firewall/nftables-nat.j2 @@ -0,0 +1,46 @@ +#!/usr/sbin/nft -f + +{% import 'firewall/nftables-defines.j2' as group_tmpl %} + +{% if first_install is not vyos_defined %} +delete table ip vyos_nat +{% endif %} +{% if deleted is not vyos_defined %} +table ip vyos_nat { + # + # Destination NAT rules build up here + # + chain PREROUTING { + type nat hook prerouting priority -100; policy accept; + counter jump VYOS_PRE_DNAT_HOOK +{% if destination.rule is vyos_defined %} +{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} + {{ config | nat_rule(rule, 'destination') }} +{% endfor %} +{% endif %} + } + + # + # Source NAT rules build up here + # + chain POSTROUTING { + type nat hook postrouting priority 100; policy accept; + counter jump VYOS_PRE_SNAT_HOOK +{% if source.rule is vyos_defined %} +{% for rule, config in source.rule.items() if config.disable is not vyos_defined %} + {{ config | nat_rule(rule, 'source') }} +{% endfor %} +{% endif %} + } + + chain VYOS_PRE_DNAT_HOOK { + return + } + + chain VYOS_PRE_SNAT_HOOK { + return + } + +{{ group_tmpl.groups(firewall_group, False, True) }} +} +{% endif %} diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2 new file mode 100644 index 0000000..67eb2c1 --- /dev/null +++ b/data/templates/firewall/nftables-nat66.j2 @@ -0,0 +1,40 @@ +#!/usr/sbin/nft -f + +{% if first_install is not vyos_defined %} +delete table ip6 vyos_nat +{% endif %} +table ip6 vyos_nat { + # + # Destination NAT66 rules build up here + # + chain PREROUTING { + type nat hook prerouting priority -100; policy accept; + counter jump VYOS_DNPT_HOOK +{% if destination.rule is vyos_defined %} +{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} + {{ config | nat_rule(rule, 'destination', ipv6=True) }} +{% endfor %} +{% endif %} + } + + # + # Source NAT66 rules build up here + # + chain POSTROUTING { + type nat hook postrouting priority 100; policy accept; + counter jump VYOS_SNPT_HOOK +{% if source.rule is vyos_defined %} +{% for rule, config in source.rule.items() if config.disable is not vyos_defined %} + {{ config | nat_rule(rule, 'source', ipv6=True) }} +{% endfor %} +{% endif %} + } + + chain VYOS_DNPT_HOOK { + return + } + + chain VYOS_SNPT_HOOK { + return + } +} diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2 new file mode 100644 index 0000000..a893e05 --- /dev/null +++ b/data/templates/firewall/nftables-offload.j2 @@ -0,0 +1,9 @@ +{% macro flowtable(name, config) %} + flowtable VYOS_FLOWTABLE_{{ name }} { + hook ingress priority 0; devices = { {{ config.interface | join(', ') }} }; +{% if config.offload is vyos_defined('hardware') %} + flags offload; +{% endif %} + counter + } +{% endmacro %} diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2 new file mode 100644 index 0000000..9e28899 --- /dev/null +++ b/data/templates/firewall/nftables-policy.j2 @@ -0,0 +1,71 @@ +#!/usr/sbin/nft -f + +{% import 'firewall/nftables-defines.j2' as group_tmpl %} + +{% if first_install is not vyos_defined %} +delete table ip vyos_mangle +delete table ip6 vyos_mangle +{% endif %} +table ip vyos_mangle { + chain VYOS_PBR_PREROUTING { + type filter hook prerouting priority -150; policy accept; +{% if route is vyos_defined %} +{% for route_text, conf in route.items() if conf.interface is vyos_defined %} + iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_UD_{{ route_text }} +{% endfor %} +{% endif %} + } + + chain VYOS_PBR_POSTROUTING { + type filter hook postrouting priority -150; policy accept; + } + +{% if route is vyos_defined %} +{% for route_text, conf in route.items() %} + chain VYOS_PBR_UD_{{ route_text }} { +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }} +{% endfor %} +{% endif %} +{% if conf.default_log is vyos_defined %} + counter log prefix "[ipv4-{{ (route_text)[:19] }}-default]" +{% endif %} + } +{% endfor %} +{% endif %} + +{{ group_tmpl.groups(firewall_group, False, True) }} +} + +table ip6 vyos_mangle { + chain VYOS_PBR6_PREROUTING { + type filter hook prerouting priority -150; policy accept; +{% if route6 is vyos_defined %} +{% for route_text, conf in route6.items() if conf.interface is vyos_defined %} + iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_UD_{{ route_text }} +{% endfor %} +{% endif %} + } + + chain VYOS_PBR6_POSTROUTING { + type filter hook postrouting priority -150; policy accept; + } + +{% if route6 is vyos_defined %} +{% for route_text, conf in route6.items() %} + chain VYOS_PBR6_UD_{{ route_text }} { +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }} +{% endfor %} +{% endif %} +{% if conf.default_log is vyos_defined %} + counter log prefix "[ipv6-{{ (route_text)[:19] }}-default]" +{% endif %} + } +{% endfor %} +{% endif %} + +{{ group_tmpl.groups(firewall_group, True, True) }} +} diff --git a/data/templates/firewall/nftables-static-nat.j2 b/data/templates/firewall/nftables-static-nat.j2 new file mode 100644 index 0000000..e5e3da8 --- /dev/null +++ b/data/templates/firewall/nftables-static-nat.j2 @@ -0,0 +1,33 @@ +#!/usr/sbin/nft -f + +{% if first_install is not vyos_defined %} +delete table ip vyos_static_nat +{% endif %} +{% if deleted is not vyos_defined %} +table ip vyos_static_nat { + # + # Destination NAT rules build up here + # + + chain PREROUTING { + type nat hook prerouting priority -100; policy accept; +{% if static.rule is vyos_defined %} +{% for rule, config in static.rule.items() if config.disable is not vyos_defined %} + {{ config | nat_static_rule(rule, 'destination') }} +{% endfor %} +{% endif %} + } + + # + # Source NAT rules build up here + # + chain POSTROUTING { + type nat hook postrouting priority 100; policy accept; +{% if static.rule is vyos_defined %} +{% for rule, config in static.rule.items() if config.disable is not vyos_defined %} + {{ config | nat_static_rule(rule, 'source') }} +{% endfor %} +{% endif %} + } +} +{% endif %} diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2 new file mode 100644 index 0000000..e787250 --- /dev/null +++ b/data/templates/firewall/nftables-zone.j2 @@ -0,0 +1,77 @@ +{% macro zone_chains(zone, ipv6=False, state_policy=False) %} +{% set fw_name = 'ipv6_name' if ipv6 else 'name' %} +{% set suffix = '6' if ipv6 else '' %} + chain VYOS_ZONE_FORWARD { + type filter hook forward priority 1; policy accept; +{% if state_policy %} + jump VYOS_STATE_POLICY{{ suffix }} +{% endif %} +{% for zone_name, zone_conf in zone.items() %} +{% if 'local_zone' not in zone_conf %} + oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }} +{% endif %} +{% endfor %} + } + chain VYOS_ZONE_LOCAL { + type filter hook input priority 1; policy accept; +{% if state_policy %} + jump VYOS_STATE_POLICY{{ suffix }} +{% endif %} +{% for zone_name, zone_conf in zone.items() %} +{% if 'local_zone' in zone_conf %} + counter jump VZONE_{{ zone_name }}_IN +{% endif %} +{% endfor %} + } + chain VYOS_ZONE_OUTPUT { + type filter hook output priority 1; policy accept; +{% if state_policy %} + jump VYOS_STATE_POLICY{{ suffix }} +{% endif %} +{% for zone_name, zone_conf in zone.items() %} +{% if 'local_zone' in zone_conf %} + counter jump VZONE_{{ zone_name }}_OUT +{% endif %} +{% endfor %} + } +{% for zone_name, zone_conf in zone.items() %} +{% if zone_conf.local_zone is vyos_defined %} + chain VZONE_{{ zone_name }}_IN { + iifname lo counter return +{% if zone_conf.from is vyos_defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %} + iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }} + iifname { {{ zone[from_zone].interface | join(",") }} } counter return +{% endfor %} +{% endif %} + {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }} + } + chain VZONE_{{ zone_name }}_OUT { + oifname lo counter return +{% if zone_conf.from_local is vyos_defined %} +{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %} + oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }} + oifname { {{ zone[from_zone].interface | join(",") }} } counter return +{% endfor %} +{% endif %} + {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }} + } +{% else %} + chain VZONE_{{ zone_name }} { + iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6) }} +{% if zone_conf.intra_zone_filtering is vyos_defined %} + iifname { {{ zone_conf.interface | join(",") }} } counter return +{% endif %} +{% if zone_conf.from is vyos_defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %} +{% if zone[from_zone].local_zone is not defined %} + iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }} + iifname { {{ zone[from_zone].interface | join(",") }} } counter return +{% endif %} +{% endfor %} +{% endif %} + {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }} + } +{% endif %} +{% endfor %} +{% endmacro %}
\ No newline at end of file diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 new file mode 100644 index 0000000..833df3a --- /dev/null +++ b/data/templates/firewall/nftables.j2 @@ -0,0 +1,327 @@ +#!/usr/sbin/nft -f + +{% import 'firewall/nftables-defines.j2' as group_tmpl %} +{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %} +{% import 'firewall/nftables-offload.j2' as offload_tmpl %} +{% import 'firewall/nftables-zone.j2' as zone_tmpl %} + +flush chain raw vyos_global_rpfilter +flush chain ip6 raw vyos_global_rpfilter + +table raw { + chain vyos_global_rpfilter { +{% if global_options.source_validation is vyos_defined('loose') %} + fib saddr oif 0 counter drop +{% elif global_options.source_validation is vyos_defined('strict') %} + fib saddr . iif oif 0 counter drop +{% endif %} + return + } +} + +table ip6 raw { + chain vyos_global_rpfilter { +{% if global_options.ipv6_source_validation is vyos_defined('loose') %} + fib saddr oif 0 counter drop +{% elif global_options.ipv6_source_validation is vyos_defined('strict') %} + fib saddr . iif oif 0 counter drop +{% endif %} + return + } +} + +{% if first_install is not vyos_defined %} +delete table ip vyos_filter +{% endif %} +table ip vyos_filter { +{% if ipv4 is vyos_defined %} +{% if flowtable is vyos_defined %} +{% for name, flowtable_conf in flowtable.items() %} +{{ offload_tmpl.flowtable(name, flowtable_conf) }} +{% endfor %} +{% endif %} + +{% set ns = namespace(sets=[]) %} +{% if ipv4.forward is vyos_defined %} +{% for prior, conf in ipv4.forward.items() %} + chain VYOS_FORWARD_{{ prior }} { + type filter hook forward priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('FWD', prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('FWD-filter', 'ipv4') }} + } +{% endfor %} +{% endif %} + +{% if ipv4.input is vyos_defined %} +{% for prior, conf in ipv4.input.items() %} + chain VYOS_INPUT_{{ prior }} { + type filter hook input priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('INP',prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('INP-filter', 'ipv4') }} + } +{% endfor %} +{% endif %} + +{% if ipv4.output is vyos_defined %} +{% for prior, conf in ipv4.output.items() %} + chain VYOS_OUTPUT_{{ prior }} { + type filter hook output priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('OUT', prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('OUT-filter', 'ipv4') }} + } +{% endfor %} +{% endif %} + chain VYOS_FRAG_MARK { + type filter hook prerouting priority -450; policy accept; + ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return + } +{% if ipv4.prerouting is vyos_defined %} +{% for prior, conf in ipv4.prerouting.items() %} + chain VYOS_PREROUTING_{{ prior }} { + type filter hook prerouting priority {{ prior }}; policy accept; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('PRE', prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('PRE-filter', 'ipv4') }} + } +{% endfor %} +{% endif %} + +{% if ipv4.name is vyos_defined %} +{% for name_text, conf in ipv4.name.items() %} + chain NAME_{{ name_text }} { +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('NAM', name_text, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule(name_text, 'ipv4') }} + } +{% endfor %} +{% endif %} + +{% for set_name in ns.sets %} + set RECENT_{{ set_name }} { + type ipv4_addr + size 65535 + flags dynamic + } +{% endfor %} +{% for set_name in ip_fqdn %} + set FQDN_{{ set_name }} { + type ipv4_addr + flags interval + } +{% endfor %} +{% if geoip_updated.name is vyos_defined %} +{% for setname in geoip_updated.name %} + set {{ setname }} { + type ipv4_addr + flags interval + } +{% endfor %} +{% endif %} +{% endif %} +{{ group_tmpl.groups(group, False, True) }} + +{% if zone is vyos_defined %} +{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }} +{% endif %} +{% if global_options.state_policy is vyos_defined %} + chain VYOS_STATE_POLICY { +{% if global_options.state_policy.established is vyos_defined %} + {{ global_options.state_policy.established | nft_state_policy('established') }} +{% endif %} +{% if global_options.state_policy.invalid is vyos_defined %} + {{ global_options.state_policy.invalid | nft_state_policy('invalid') }} +{% endif %} +{% if global_options.state_policy.related is vyos_defined %} + {{ global_options.state_policy.related | nft_state_policy('related') }} +{% endif %} + return + } +{% endif %} +} + +{% if first_install is not vyos_defined %} +delete table ip6 vyos_filter +{% endif %} +table ip6 vyos_filter { +{% if ipv6 is vyos_defined %} +{% if flowtable is vyos_defined %} +{% for name, flowtable_conf in flowtable.items() %} +{{ offload_tmpl.flowtable(name, flowtable_conf) }} +{% endfor %} +{% endif %} + +{% set ns = namespace(sets=[]) %} +{% if ipv6.forward is vyos_defined %} +{% for prior, conf in ipv6.forward.items() %} + chain VYOS_IPV6_FORWARD_{{ prior }} { + type filter hook forward priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY6 +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('FWD-filter', 'ipv6') }} + } +{% endfor %} +{% endif %} + +{% if ipv6.input is vyos_defined %} +{% for prior, conf in ipv6.input.items() %} + chain VYOS_IPV6_INPUT_{{ prior }} { + type filter hook input priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY6 +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('INP-filter', 'ipv6') }} + } +{% endfor %} +{% endif %} + +{% if ipv6.output is vyos_defined %} +{% for prior, conf in ipv6.output.items() %} + chain VYOS_IPV6_OUTPUT_{{ prior }} { + type filter hook output priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY6 +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('OUT-filter', 'ipv6') }} + } +{% endfor %} +{% endif %} + + chain VYOS_FRAG6_MARK { + type filter hook prerouting priority -450; policy accept; + exthdr frag exists meta mark set 0xffff1 return + } + +{% if ipv6.name is vyos_defined %} +{% for name_text, conf in ipv6.name.items() %} + chain NAME6_{{ name_text }} { +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule(name_text, 'ipv6') }} + } +{% endfor %} +{% endif %} + +{% for set_name in ns.sets %} + set RECENT6_{{ set_name }} { + type ipv6_addr + size 65535 + flags dynamic + } +{% endfor %} +{% for set_name in ip6_fqdn %} + set FQDN_{{ set_name }} { + type ipv6_addr + flags interval + } +{% endfor %} +{% if geoip_updated.ipv6_name is vyos_defined %} +{% for setname in geoip_updated.ipv6_name %} + set {{ setname }} { + type ipv6_addr + flags interval + } +{% endfor %} +{% endif %} +{% endif %} +{{ group_tmpl.groups(group, True, True) }} +{% if zone is vyos_defined %} +{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }} +{% endif %} +{% if global_options.state_policy is vyos_defined %} + chain VYOS_STATE_POLICY6 { +{% if global_options.state_policy.established is vyos_defined %} + {{ global_options.state_policy.established | nft_state_policy('established') }} +{% endif %} +{% if global_options.state_policy.invalid is vyos_defined %} + {{ global_options.state_policy.invalid | nft_state_policy('invalid') }} +{% endif %} +{% if global_options.state_policy.related is vyos_defined %} + {{ global_options.state_policy.related | nft_state_policy('related') }} +{% endif %} + return + } +{% endif %} +} + +## Bridge Firewall +{% if first_install is not vyos_defined %} +delete table bridge vyos_filter +{% endif %} +table bridge vyos_filter { +{{ bridge_tmpl.bridge(bridge) }} +{{ group_tmpl.groups(group, False, False) }} + +} diff --git a/data/templates/frr/babeld.frr.j2 b/data/templates/frr/babeld.frr.j2 new file mode 100644 index 0000000..344a5f9 --- /dev/null +++ b/data/templates/frr/babeld.frr.j2 @@ -0,0 +1,85 @@ +{% from 'frr/distribute_list_macro.j2' import render_distribute_list %} +{% from 'frr/ipv6_distribute_list_macro.j2' import render_ipv6_distribute_list %} +! +{# Interface specific configuration #} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} +{% if iface_config.type is vyos_defined('wired') or iface_config.type is vyos_defined('wireless') %} + babel {{ iface_config.type }} +{% endif %} +{% if iface_config.split_horizon is vyos_defined("enable") %} + babel split-horizon +{% elif iface_config.split_horizon is vyos_defined("disable") %} + no babel split-horizon +{% endif %} +{% if iface_config.hello_interval is vyos_defined %} + babel hello-interval {{ iface_config.hello_interval }} +{% endif %} +{% if iface_config.update_interval is vyos_defined %} + babel update-interval {{ iface_config.update_interval }} +{% endif %} +{% if iface_config.rxcost is vyos_defined %} + babel rxcost {{ iface_config.rxcost }} +{% endif %} +{% if iface_config.rtt_decay is vyos_defined %} + babel rtt-decay {{ iface_config.rtt_decay }} +{% endif %} +{% if iface_config.rtt_min is vyos_defined %} + babel rtt-min {{ iface_config.rtt_min }} +{% endif %} +{% if iface_config.rtt_max is vyos_defined %} + babel rtt-max {{ iface_config.rtt_max }} +{% endif %} +{% if iface_config.max_rtt_penalty is vyos_defined %} + babel max-rtt-penalty {{ iface_config.max_rtt_penalty }} +{% endif %} +{% if iface_config.enable_timestamps is vyos_defined %} + babel enable-timestamps +{% endif %} +{% if iface_config.channel is vyos_defined %} + babel channel {{ iface_config.channel | replace("non-interfering", "noninterfering") }} +{% endif %} +exit +! +{% endfor %} +{% endif %} +! +{# Babel configuration #} +router babel +{% if parameters.diversity is vyos_defined %} + babel diversity +{% endif %} +{% if parameters.diversity_factor is vyos_defined %} + babel diversity-factor {{ parameters.diversity_factor }} +{% endif %} +{% if parameters.resend_delay is vyos_defined %} + babel resend-delay {{ parameters.resend_delay }} +{% endif %} +{% if parameters.smoothing_half_life is vyos_defined %} + babel smoothing-half-life {{ parameters.smoothing_half_life }} +{% endif %} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} + network {{ iface }} +{% endfor %} +{% endif %} +{% if redistribute is vyos_defined %} +{% for address_family in redistribute %} +{% for protocol, protocol_config in redistribute[address_family].items() %} +{% if protocol is vyos_defined('ospfv3') %} +{% set protocol = 'ospf6' %} +{% endif %} + redistribute {{ address_family }} {{ protocol }} +{% endfor %} +{% endfor %} +{% endif %} +{% if distribute_list.ipv4 is vyos_defined %} +{{ render_distribute_list(distribute_list.ipv4) }} +{% endif %} +{% if distribute_list.ipv6 is vyos_defined %} +{{ render_ipv6_distribute_list(distribute_list.ipv6) }} +{% endif %} +exit +! +end diff --git a/data/templates/frr/bfdd.frr.j2 b/data/templates/frr/bfdd.frr.j2 new file mode 100644 index 0000000..f3303e4 --- /dev/null +++ b/data/templates/frr/bfdd.frr.j2 @@ -0,0 +1,64 @@ +{% if profile is vyos_defined or peer is vyos_defined %} +bfd +{% if profile is vyos_defined %} +{% for profile_name, profile_config in profile.items() %} + profile {{ profile_name }} + detect-multiplier {{ profile_config.interval.multiplier }} + receive-interval {{ profile_config.interval.receive }} + transmit-interval {{ profile_config.interval.transmit }} +{% if profile_config.interval.echo_interval is vyos_defined %} + echo transmit-interval {{ profile_config.interval.echo_interval }} + echo receive-interval {{ profile_config.interval.echo_interval }} +{% endif %} +{% if profile_config.echo_mode is vyos_defined %} + echo-mode +{% endif %} +{% if profile_config.minimum_ttl is vyos_defined %} + minimum-ttl {{ profile_config.minimum_ttl }} +{% endif %} +{% if profile_config.passive is vyos_defined %} + passive-mode +{% endif %} +{% if profile_config.shutdown is vyos_defined %} + shutdown +{% else %} + no shutdown +{% endif %} + exit + ! +{% endfor %} +{% endif %} +{% if peer is vyos_defined %} +{% for peer_name, peer_config in peer.items() %} + peer {{ peer_name }} {{ 'multihop' if peer_config.multihop is vyos_defined }} {{ 'local-address ' ~ peer_config.source.address if peer_config.source.address is vyos_defined }} {{ 'interface ' ~ peer_config.source.interface if peer_config.source.interface is vyos_defined }} {{ 'vrf ' ~ peer_config.vrf if peer_config.vrf is vyos_defined }} + detect-multiplier {{ peer_config.interval.multiplier }} + receive-interval {{ peer_config.interval.receive }} + transmit-interval {{ peer_config.interval.transmit }} +{% if peer_config.interval.echo_interval is vyos_defined %} + echo transmit-interval {{ peer_config.interval.echo_interval }} + echo receive-interval {{ peer_config.interval.echo_interval }} +{% endif %} +{% if peer_config.echo_mode is vyos_defined %} + echo-mode +{% endif %} +{% if peer_config.minimum_ttl is vyos_defined %} + minimum-ttl {{ peer_config.minimum_ttl }} +{% endif %} +{% if peer_config.passive is vyos_defined %} + passive-mode +{% endif %} +{% if peer_config.profile is vyos_defined %} + profile {{ peer_config.profile }} +{% endif %} +{% if peer_config.shutdown is vyos_defined %} + shutdown +{% else %} + no shutdown +{% endif %} + exit + ! +{% endfor %} +{% endif %} +exit +! +{% endif %} diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 new file mode 100644 index 0000000..e5bfad5 --- /dev/null +++ b/data/templates/frr/bgpd.frr.j2 @@ -0,0 +1,664 @@ +{### MACRO definition for recurring peer patter, this can be either fed by a ###} +{### peer-group or an individual BGP neighbor ###} +{% macro bgp_neighbor(neighbor, config, peer_group=false) %} +{% if peer_group == true %} + neighbor {{ neighbor }} peer-group +{% elif config.peer_group is vyos_defined %} + neighbor {{ neighbor }} peer-group {{ config.peer_group }} +{% endif %} +{% if config.remote_as is vyos_defined %} + neighbor {{ neighbor }} remote-as {{ config.remote_as }} +{% endif %} +{% if config.local_role is vyos_defined %} +{% for role, strict in config.local_role.items() %} + neighbor {{ neighbor }} local-role {{ role }} {{ 'strict-mode' if strict }} +{% endfor %} +{% endif %} +{% if config.interface.remote_as is vyos_defined %} + neighbor {{ neighbor }} interface remote-as {{ config.interface.remote_as }} +{% endif %} +{% if config.advertisement_interval is vyos_defined %} + neighbor {{ neighbor }} advertisement-interval {{ config.advertisement_interval }} +{% endif %} +{% if config.bfd is vyos_defined %} + neighbor {{ neighbor }} bfd +{% if config.bfd.check_control_plane_failure is vyos_defined %} + neighbor {{ neighbor }} bfd check-control-plane-failure +{% endif %} +{% if config.bfd.profile is vyos_defined %} + neighbor {{ neighbor }} bfd profile {{ config.bfd.profile }} +{% endif %} +{% endif %} +{% if config.capability.dynamic is vyos_defined %} + neighbor {{ neighbor }} capability dynamic +{% endif %} +{% if config.capability.extended_nexthop is vyos_defined %} + neighbor {{ neighbor }} capability extended-nexthop +{% endif %} +{% if config.capability.software_version is vyos_defined %} + neighbor {{ neighbor }} capability software-version +{% endif %} +{% if config.description is vyos_defined %} + neighbor {{ neighbor }} description {{ config.description }} +{% endif %} +{% if config.disable_capability_negotiation is vyos_defined %} + neighbor {{ neighbor }} dont-capability-negotiate +{% endif %} +{% if config.disable_connected_check is vyos_defined %} + neighbor {{ neighbor }} disable-connected-check +{% endif %} +{% if config.ebgp_multihop is vyos_defined %} + neighbor {{ neighbor }} ebgp-multihop {{ config.ebgp_multihop }} +{% endif %} +{% if config.graceful_restart is vyos_defined %} +{% if config.graceful_restart is vyos_defined('enable') %} +{% set graceful_restart = 'graceful-restart' %} +{% elif config.graceful_restart is vyos_defined('disable') %} +{% set graceful_restart = 'graceful-restart-disable' %} +{% elif config.graceful_restart is vyos_defined('restart-helper') %} +{% set graceful_restart = 'graceful-restart-helper' %} +{% endif %} + neighbor {{ neighbor }} {{ graceful_restart }} +{% endif %} +{% if config.local_as is vyos_defined %} +{% for local_as, local_as_config in config.local_as.items() %} +{# There can be only one local-as value, this is checked in the Python code #} + neighbor {{ neighbor }} local-as {{ local_as }} {{ 'no-prepend' if local_as_config.no_prepend is vyos_defined }} {{ 'replace-as' if local_as_config.no_prepend is vyos_defined and local_as_config.no_prepend.replace_as is vyos_defined }} +{% endfor %} +{% endif %} +{% if config.override_capability is vyos_defined %} + neighbor {{ neighbor }} override-capability +{% endif %} +{% if config.passive is vyos_defined %} + neighbor {{ neighbor }} passive +{% endif %} +{% if config.password is vyos_defined %} + neighbor {{ neighbor }} password {{ config.password }} +{% endif %} +{% if config.path_attribute.discard is vyos_defined %} + neighbor {{ neighbor }} path-attribute discard {{ config.path_attribute.discard | join(' ') }} +{% endif %} +{% if config.path_attribute.treat_as_withdraw is vyos_defined %} + neighbor {{ neighbor }} path-attribute treat-as-withdraw {{ config.path_attribute.treat_as_withdraw }} +{% endif %} +{% if config.port is vyos_defined %} + neighbor {{ neighbor }} port {{ config.port }} +{% endif %} +{% if config.shutdown is vyos_defined %} + neighbor {{ neighbor }} shutdown +{% endif %} +{% if config.solo is vyos_defined %} + neighbor {{ neighbor }} solo +{% endif %} +{% if config.enforce_first_as is vyos_defined %} + neighbor {{ neighbor }} enforce-first-as +{% endif %} +{% if config.strict_capability_match is vyos_defined %} + neighbor {{ neighbor }} strict-capability-match +{% endif %} +{% if config.ttl_security.hops is vyos_defined %} + neighbor {{ neighbor }} ttl-security hops {{ config.ttl_security.hops }} +{% endif %} +{% if config.timers.connect is vyos_defined %} + neighbor {{ neighbor }} timers connect {{ config.timers.connect }} +{% endif %} +{% if config.timers.keepalive is vyos_defined and config.timers.holdtime is vyos_defined %} + neighbor {{ neighbor }} timers {{ config.timers.keepalive }} {{ config.timers.holdtime }} +{% endif %} +{% if config.update_source is vyos_defined %} + neighbor {{ neighbor }} update-source {{ config.update_source }} +{% endif %} +{% if config.interface is vyos_defined %} +{% if config.interface.peer_group is vyos_defined %} + neighbor {{ neighbor }} interface peer-group {{ config.interface.peer_group }} +{% endif %} +{% if config.interface.source_interface is vyos_defined %} + neighbor {{ neighbor }} interface {{ config.interface.source_interface }} +{% endif %} +{% if config.interface.v6only is vyos_defined %} +{% if config.interface.v6only.peer_group is vyos_defined %} + neighbor {{ neighbor }} interface v6only peer-group {{ config.interface.v6only.peer_group }} +{% endif %} +{% if config.interface.v6only.remote_as is vyos_defined %} + neighbor {{ neighbor }} interface v6only remote-as {{ config.interface.v6only.remote_as }} +{% endif %} +{% endif %} +{% endif %} + ! +{% if config.address_family is vyos_defined %} +{% for afi, afi_config in config.address_family.items() %} +{% if afi == 'ipv4_unicast' %} + address-family ipv4 unicast +{% elif afi == 'ipv4_multicast' %} + address-family ipv4 multicast +{% elif afi == 'ipv4_labeled_unicast' %} + address-family ipv4 labeled-unicast +{% elif afi == 'ipv4_vpn' %} + address-family ipv4 vpn +{% elif afi == 'ipv4_flowspec' %} + address-family ipv4 flowspec +{% elif afi == 'ipv6_unicast' %} + address-family ipv6 unicast +{% elif afi == 'ipv6_multicast' %} + address-family ipv6 multicast +{% elif afi == 'ipv6_labeled_unicast' %} + address-family ipv6 labeled-unicast +{% elif afi == 'ipv6_vpn' %} + address-family ipv6 vpn +{% elif afi == 'ipv6_flowspec' %} + address-family ipv6 flowspec +{% elif afi == 'l2vpn_evpn' %} + address-family l2vpn evpn +{% endif %} +{% if afi_config.addpath_tx_all is vyos_defined %} + neighbor {{ neighbor }} addpath-tx-all-paths +{% endif %} +{% if afi_config.addpath_tx_per_as is vyos_defined %} + neighbor {{ neighbor }} addpath-tx-bestpath-per-AS +{% endif %} +{% if afi_config.allowas_in is vyos_defined %} + neighbor {{ neighbor }} allowas-in {{ afi_config.allowas_in.number if afi_config.allowas_in.number is vyos_defined }} +{% endif %} +{% if afi_config.as_override is vyos_defined %} + neighbor {{ neighbor }} as-override +{% endif %} +{% if afi_config.conditionally_advertise is vyos_defined %} +{% if afi_config.conditionally_advertise.advertise_map is vyos_defined %} +{% set exist_non_exist_map = 'exist-map' %} +{% if afi_config.conditionally_advertise.exist_map is vyos_defined %} +{% set exist_non_exist_map = 'exist-map ' ~ afi_config.conditionally_advertise.exist_map %} +{% elif afi_config.conditionally_advertise.non_exist_map is vyos_defined %} +{% set exist_non_exist_map = 'non-exist-map ' ~ afi_config.conditionally_advertise.non_exist_map %} +{% endif %} + neighbor {{ neighbor }} advertise-map {{ afi_config.conditionally_advertise.advertise_map }} {{ exist_non_exist_map }} +{% endif %} +{% endif %} +{% if afi_config.remove_private_as is vyos_defined %} + neighbor {{ neighbor }} remove-private-AS {{ 'all' if afi_config.remove_private_as.all is vyos_defined }} +{% endif %} +{% if afi_config.route_reflector_client is vyos_defined %} + neighbor {{ neighbor }} route-reflector-client +{% endif %} +{% if afi_config.weight is vyos_defined %} + neighbor {{ neighbor }} weight {{ afi_config.weight }} +{% endif %} +{% if afi_config.attribute_unchanged is vyos_defined %} + neighbor {{ neighbor }} attribute-unchanged {{ 'as-path ' if afi_config.attribute_unchanged.as_path is vyos_defined }}{{ 'med ' if afi_config.attribute_unchanged.med is vyos_defined }}{{ 'next-hop ' if afi_config.attribute_unchanged.next_hop is vyos_defined }} +{% endif %} +{% if afi_config.capability.orf.prefix_list.send is vyos_defined %} + neighbor {{ neighbor }} capability orf prefix-list send +{% endif %} +{% if afi_config.capability.orf.prefix_list.receive is vyos_defined %} + neighbor {{ neighbor }} capability orf prefix-list receive +{% endif %} +{% if afi_config.default_originate is vyos_defined %} + neighbor {{ neighbor }} default-originate {{ 'route-map ' ~ afi_config.default_originate.route_map if afi_config.default_originate.route_map is vyos_defined }} +{% endif %} +{% if afi_config.distribute_list.export is vyos_defined %} + neighbor {{ neighbor }} distribute-list {{ afi_config.distribute_list.export }} out +{% endif %} +{% if afi_config.distribute_list.import is vyos_defined %} + neighbor {{ neighbor }} distribute-list {{ afi_config.distribute_list.import }} in +{% endif %} +{% if afi_config.filter_list.export is vyos_defined %} + neighbor {{ neighbor }} filter-list {{ afi_config.filter_list.export }} out +{% endif %} +{% if afi_config.filter_list.import is vyos_defined %} + neighbor {{ neighbor }} filter-list {{ afi_config.filter_list.import }} in +{% endif %} +{% if afi_config.maximum_prefix is vyos_defined %} + neighbor {{ neighbor }} maximum-prefix {{ afi_config.maximum_prefix }} +{% endif %} +{% if afi_config.maximum_prefix_out is vyos_defined %} + neighbor {{ neighbor }} maximum-prefix-out {{ afi_config.maximum_prefix_out }} +{% endif %} +{% if afi_config.nexthop_self is vyos_defined %} + neighbor {{ neighbor }} next-hop-self {{ 'force' if afi_config.nexthop_self.force is vyos_defined }} +{% endif %} +{% if afi_config.route_server_client is vyos_defined %} + neighbor {{ neighbor }} route-server-client +{% endif %} +{% if afi_config.route_map.export is vyos_defined %} + neighbor {{ neighbor }} route-map {{ afi_config.route_map.export }} out +{% endif %} +{% if afi_config.route_map.import is vyos_defined %} + neighbor {{ neighbor }} route-map {{ afi_config.route_map.import }} in +{% endif %} +{% if afi_config.prefix_list.export is vyos_defined %} + neighbor {{ neighbor }} prefix-list {{ afi_config.prefix_list.export }} out +{% endif %} +{% if afi_config.prefix_list.import is vyos_defined %} + neighbor {{ neighbor }} prefix-list {{ afi_config.prefix_list.import }} in +{% endif %} +{% if afi_config.soft_reconfiguration.inbound is vyos_defined %} + neighbor {{ neighbor }} soft-reconfiguration inbound +{% endif %} +{% if afi_config.unsuppress_map is vyos_defined %} + neighbor {{ neighbor }} unsuppress-map {{ afi_config.unsuppress_map }} +{% endif %} +{% if afi_config.disable_send_community.extended is vyos_defined %} + no neighbor {{ neighbor }} send-community extended +{% endif %} +{% if afi_config.disable_send_community.standard is vyos_defined %} + no neighbor {{ neighbor }} send-community standard +{% endif %} + neighbor {{ neighbor }} activate + exit-address-family + ! +{% endfor %} +{% endif %} +{% endmacro %} +! +router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} +{% if parameters.ebgp_requires_policy is vyos_defined %} + bgp ebgp-requires-policy +{% else %} + no bgp ebgp-requires-policy +{% endif %} +{# Option must be set before any neighbor - see https://vyos.dev/T3463 #} + no bgp default ipv4-unicast +{# Workaround for T2100 until we have decided about a migration script #} + no bgp network import-check +{% if address_family is vyos_defined %} +{% for afi, afi_config in address_family.items() %} + ! +{% if afi == 'ipv4_unicast' %} + address-family ipv4 unicast +{% elif afi == 'ipv4_multicast' %} + address-family ipv4 multicast +{% elif afi == 'ipv4_labeled_unicast' %} + address-family ipv4 labeled-unicast +{% elif afi == 'ipv4_vpn' %} + address-family ipv4 vpn +{% elif afi == 'ipv4_flowspec' %} + address-family ipv4 flowspec +{% elif afi == 'ipv6_unicast' %} + address-family ipv6 unicast +{% elif afi == 'ipv6_multicast' %} + address-family ipv6 multicast +{% elif afi == 'ipv6_labeled_unicast' %} + address-family ipv6 labeled-unicast +{% elif afi == 'ipv6_vpn' %} + address-family ipv6 vpn +{% elif afi == 'ipv6_flowspec' %} + address-family ipv6 flowspec +{% elif afi == 'l2vpn_evpn' %} + address-family l2vpn evpn +{% if afi_config.rd is vyos_defined %} + rd {{ afi_config.rd }} +{% endif %} +{% endif %} +{% if afi_config.aggregate_address is vyos_defined %} +{% for aggregate, aggregate_config in afi_config.aggregate_address.items() %} + aggregate-address {{ aggregate }} {{ 'as-set' if aggregate_config.as_set is vyos_defined }} {{ 'summary-only' if aggregate_config.summary_only is vyos_defined }} {{ 'route-map ' ~ aggregate_config.route_map if aggregate_config.route_map is vyos_defined }} +{% endfor %} +{% endif %} +{% if afi_config.maximum_paths.ebgp is vyos_defined %} + maximum-paths {{ afi_config.maximum_paths.ebgp }} +{% endif %} +{% if afi_config.maximum_paths.ibgp is vyos_defined %} + maximum-paths ibgp {{ afi_config.maximum_paths.ibgp }} +{% endif %} +{% if afi_config.redistribute is vyos_defined %} +{% for protocol, protocol_config in afi_config.redistribute.items() %} +{% if protocol == 'table' %} + redistribute table {{ protocol_config.table }} +{% else %} +{% set redistribution_protocol = protocol %} +{% if protocol == 'ospfv3' %} +{% set redistribution_protocol = 'ospf6' %} +{% endif %} + redistribute {{ redistribution_protocol }} {{ 'metric ' ~ protocol_config.metric if protocol_config.metric is vyos_defined }} {{ 'route-map ' ~ protocol_config.route_map if protocol_config.route_map is vyos_defined }} + {####### we need this blank line!! #######} + +{% endif %} +{% endfor %} +{% endif %} +{% if afi_config.network is vyos_defined %} +{% for network, network_config in afi_config.network.items() %} + network {{ network }} {{ 'route-map ' ~ network_config.route_map if network_config.route_map is vyos_defined }} {{ 'backdoor' if network_config.backdoor is vyos_defined }} {{ 'rd ' ~ network_config.rd if network_config.rd is vyos_defined }} {{ 'label ' ~ network_config.label if network_config.label is vyos_defined }} +{####### we need this blank line!! #######} + +{% endfor %} +{% endif %} +{% if afi_config.advertise is vyos_defined %} +{% for adv_afi, adv_afi_config in afi_config.advertise.items() %} +{% if adv_afi_config.unicast is vyos_defined %} + advertise {{ adv_afi }} unicast {{ 'route-map ' ~ adv_afi_config.unicast.route_map if adv_afi_config.unicast.route_map is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} +{% if afi_config.distance.external is vyos_defined and afi_config.distance.internal is vyos_defined and afi_config.distance.local is vyos_defined %} + distance bgp {{ afi_config.distance.external }} {{ afi_config.distance.internal }} {{ afi_config.distance.local }} +{% endif %} +{% if afi_config.distance.prefix is vyos_defined %} +{% for prefix in afi_config.distance.prefix %} + distance {{ afi_config.distance.prefix[prefix].distance }} {{ prefix }} +{% endfor %} +{% endif %} +{% if afi_config.export.vpn is vyos_defined %} + export vpn +{% endif %} +{% if afi_config.import.vpn is vyos_defined %} + import vpn +{% endif %} +{% if afi_config.import.vrf is vyos_defined %} +{% for vrf in afi_config.import.vrf %} + import vrf {{ vrf }} +{% endfor %} +{% endif %} +{% if afi_config.label.vpn.export is vyos_defined %} + label vpn export {{ afi_config.label.vpn.export }} +{% endif %} +{% if afi_config.label.vpn.allocation_mode.per_nexthop is vyos_defined %} + label vpn export allocation-mode per-nexthop +{% endif %} +{% if afi_config.local_install is vyos_defined %} +{% for interface in afi_config.local_install.interface %} + local-install {{ interface }} +{% endfor %} +{% endif %} +{% if afi_config.advertise_all_vni is vyos_defined %} + advertise-all-vni +{% endif %} +{% if afi_config.advertise_default_gw is vyos_defined %} + advertise-default-gw +{% endif %} +{% if afi_config.advertise_pip is vyos_defined %} + advertise-pip ip {{ afi_config.advertise_pip }} +{% endif %} +{% if afi_config.advertise_svi_ip is vyos_defined %} + advertise-svi-ip +{% endif %} +{% if afi_config.default_originate.ipv4 is vyos_defined %} + default-originate ipv4 +{% endif %} +{% if afi_config.default_originate.ipv6 is vyos_defined %} + default-originate ipv6 +{% endif %} +{% if afi_config.disable_ead_evi_rx is vyos_defined %} + disable-ead-evi-rx +{% endif %} +{% if afi_config.disable_ead_evi_tx is vyos_defined %} + disable-ead-evi-tx +{% endif %} +{% if afi_config.ead_es_frag.evi_limit is vyos_defined %} + ead-es-frag evi-limit {{ afi_config.ead_es_frag.evi_limit }} +{% endif %} +{% if afi_config.ead_es_route_target.export is vyos_defined %} +{% for route_target in afi_config.ead_es_route_target.export %} + ead-es-route-target export {{ route_target }} +{% endfor %} +{% endif %} +{% if afi_config.rt_auto_derive is vyos_defined %} + autort rfc8365-compatible +{% endif %} +{% if afi_config.flooding.disable is vyos_defined %} + flooding disable +{% endif %} +{% if afi_config.flooding.head_end_replication is vyos_defined %} + flooding head-end-replication +{% endif %} +{% if afi_config.mac_vrf.soo is vyos_defined %} + mac-vrf soo {{ afi_config.mac_vrf.soo }} +{% endif %} +{% if afi_config.nexthop.vpn.export is vyos_defined %} + nexthop vpn export {{ afi_config.nexthop.vpn.export }} +{% endif %} +{% if afi_config.rd.vpn.export is vyos_defined %} + rd vpn export {{ afi_config.rd.vpn.export }} +{% endif %} +{% if afi_config.route_target.vpn.both is vyos_defined %} + route-target vpn both {{ afi_config.route_target.vpn.both }} +{% else %} +{% if afi_config.route_target.vpn.export is vyos_defined %} + route-target vpn export {{ afi_config.route_target.vpn.export }} +{% endif %} +{% if afi_config.route_target.vpn.import is vyos_defined %} + route-target vpn import {{ afi_config.route_target.vpn.import }} +{% endif %} +{% endif %} +{% if afi_config.route_target.both is vyos_defined %} +{% for route_target in afi_config.route_target.both %} + route-target both {{ route_target }} +{% endfor %} +{% endif %} +{% if afi_config.route_target.export is vyos_defined %} +{% for route_target in afi_config.route_target.export %} + route-target export {{ route_target }} +{% endfor %} +{% endif %} +{% if afi_config.route_target.import is vyos_defined %} +{% for route_target in afi_config.route_target.import %} + route-target import {{ route_target }} +{% endfor %} +{% endif %} +{% if afi_config.route_map.vpn.export is vyos_defined %} + route-map vpn export {{ afi_config.route_map.vpn.export }} +{% endif %} +{% if afi_config.route_map.vpn.import is vyos_defined %} + route-map vpn import {{ afi_config.route_map.vpn.import }} +{% endif %} +{% if afi_config.sid.vpn.export is vyos_defined %} + sid vpn export {{ afi_config.sid.vpn.export }} +{% endif %} +{% if afi_config.vni is vyos_defined %} +{% for vni, vni_config in afi_config.vni.items() %} + vni {{ vni }} +{% if vni_config.advertise_default_gw is vyos_defined %} + advertise-default-gw +{% endif %} +{% if vni_config.advertise_svi_ip is vyos_defined %} + advertise-svi-ip +{% endif %} +{% if vni_config.rd is vyos_defined %} + rd {{ vni_config.rd }} +{% endif %} +{% if vni_config.route_target.both is vyos_defined %} +{% for route_target in vni_config.route_target.both %} + route-target both {{ route_target }} +{% endfor %} +{% endif %} +{% if vni_config.route_target.export is vyos_defined %} +{% for route_target in vni_config.route_target.export %} + route-target export {{ route_target }} +{% endfor %} +{% endif %} +{% if vni_config.route_target.import is vyos_defined %} +{% for route_target in vni_config.route_target.import %} + route-target import {{ route_target }} +{% endfor %} +{% endif %} + exit-vni +{% endfor %} +{% endif %} + exit-address-family + ! +{% endfor %} +{% endif %} + ! +{% if bmp is vyos_defined %} +{% if bmp.mirror_buffer_limit is vyos_defined %} + bmp mirror buffer-limit {{ bmp.mirror_buffer_limit }} + ! +{% endif %} +{% if bmp.target is vyos_defined %} +{% for bmp, bmp_config in bmp.target.items() %} + bmp targets {{ bmp }} +{% if bmp_config.mirror is vyos_defined %} + bmp mirror +{% endif %} +{% if bmp_config.monitor is vyos_defined %} +{% if bmp_config.monitor.ipv4_unicast.pre_policy is vyos_defined %} + bmp monitor ipv4 unicast pre-policy +{% endif %} +{% if bmp_config.monitor.ipv4_unicast.post_policy is vyos_defined %} + bmp monitor ipv4 unicast post-policy +{% endif %} +{% if bmp_config.monitor.ipv6_unicast.pre_policy is vyos_defined %} + bmp monitor ipv6 unicast pre-policy +{% endif %} +{% if bmp_config.monitor.ipv6_unicast.post_policy is vyos_defined %} + bmp monitor ipv6 unicast post-policy +{% endif %} +{% endif %} +{% if bmp_config.address is vyos_defined %} + bmp connect {{ bmp_config.address }} port {{ bmp_config.port }} min-retry {{ bmp_config.min_retry }} max-retry {{ bmp_config.max_retry }} +{% endif %} +{% endfor %} + exit +{% endif %} +{% endif %} +{% if peer_group is vyos_defined %} +{% for peer, config in peer_group.items() %} +{{ bgp_neighbor(peer, config, true) }} +{% endfor %} +{% endif %} + ! +{% if neighbor is vyos_defined %} +{% for peer, config in neighbor.items() %} +{{ bgp_neighbor(peer, config) }} +{% endfor %} +{% endif %} + ! +{% if listen.limit is vyos_defined %} + bgp listen limit {{ listen.limit }} +{% endif %} +{% if listen.range is vyos_defined %} +{% for prefix, options in listen.range.items() %} +{% if options.peer_group is vyos_defined %} + bgp listen range {{ prefix }} peer-group {{ options.peer_group }} +{% endif %} +{% endfor %} +{% endif %} +{% if parameters.allow_martian_nexthop is vyos_defined %} + bgp allow-martian-nexthop +{% endif %} +{% if parameters.disable_ebgp_connected_route_check is vyos_defined %} + bgp disable-ebgp-connected-route-check +{% endif %} +{% if parameters.always_compare_med is vyos_defined %} + bgp always-compare-med +{% endif %} +{% if parameters.bestpath.as_path is vyos_defined %} +{% for option in parameters.bestpath.as_path %} +{# replace is required for multipath-relax option #} + bgp bestpath as-path {{ option | replace('_', '-') }} +{% endfor %} +{% endif %} +{% if parameters.bestpath.bandwidth is vyos_defined %} + bgp bestpath bandwidth {{ parameters.bestpath.bandwidth }} +{% endif %} +{% if parameters.bestpath.compare_routerid is vyos_defined %} + bgp bestpath compare-routerid +{% endif %} +{% if parameters.bestpath.med is vyos_defined %} + bgp bestpath med {{ parameters.bestpath.med | join(' ') | replace('_', '-') }} +{% endif %} +{% if parameters.bestpath.peer_type is vyos_defined %} + bgp bestpath peer-type {{ 'multipath-relax' if parameters.bestpath.peer_type.multipath_relax is vyos_defined }} +{% endif %} +{% if parameters.cluster_id is vyos_defined %} + bgp cluster-id {{ parameters.cluster_id }} +{% endif %} +{% if parameters.conditional_advertisement.timer is vyos_defined %} + bgp conditional-advertisement timer {{ parameters.conditional_advertisement.timer }} +{% endif %} +{% if parameters.confederation.identifier is vyos_defined %} + bgp confederation identifier {{ parameters.confederation.identifier }} +{% endif %} +{% if parameters.confederation.peers is vyos_defined %} + bgp confederation peers {{ parameters.confederation.peers | join(' ') }} +{% endif %} +{% if parameters.dampening.half_life is vyos_defined %} +{# Doesn't work in current FRR configuration; vtysh (bgp dampening 16 751 2001 61) #} + bgp dampening {{ parameters.dampening.half_life }} {{ parameters.dampening.re_use if parameters.dampening.re_use is vyos_defined }} {{ parameters.dampening.start_suppress_time if parameters.dampening.start_suppress_time is vyos_defined }} {{ parameters.dampening.max_suppress_time if parameters.dampening.max_suppress_time is vyos_defined }} +{% endif %} +{% if parameters.default.local_pref is vyos_defined %} + bgp default local-preference {{ parameters.default.local_pref }} +{% endif %} +{% if parameters.deterministic_med is vyos_defined %} + bgp deterministic-med +{% endif %} +{% if parameters.distance.global.external is vyos_defined and parameters.distance.global.internal is vyos_defined and parameters.distance.global.local is vyos_defined %} + distance bgp {{ parameters.distance.global.external }} {{ parameters.distance.global.internal }} {{ parameters.distance.global.local }} +{% endif %} +{% if parameters.distance.prefix is vyos_defined %} +{% for prefix in parameters.distance.prefix %} + distance {{ parameters.distance.prefix[prefix].distance }} {{ prefix }} +{% endfor %} +{% endif %} +{% if parameters.fast_convergence is vyos_defined %} + bgp fast-convergence +{% endif %} +{% if parameters.graceful_restart is vyos_defined %} + bgp graceful-restart {{ 'stalepath-time ' ~ parameters.graceful_restart.stalepath_time if parameters.graceful_restart.stalepath_time is vyos_defined }} +{% endif %} +{% if parameters.graceful_shutdown is vyos_defined %} + bgp graceful-shutdown +{% endif %} +{% if parameters.no_hard_administrative_reset is vyos_defined %} + no bgp hard-administrative-reset +{% endif %} +{% if parameters.labeled_unicast is vyos_defined %} + bgp labeled-unicast {{ parameters.labeled_unicast }} +{% endif %} +{% if parameters.log_neighbor_changes is vyos_defined %} + bgp log-neighbor-changes +{% endif %} +{% if parameters.minimum_holdtime is vyos_defined %} + bgp minimum-holdtime {{ parameters.minimum_holdtime }} +{% endif %} +{% if parameters.network_import_check is vyos_defined %} + bgp network import-check +{% endif %} +{% if parameters.route_reflector_allow_outbound_policy is vyos_defined %} +bgp route-reflector allow-outbound-policy +{% endif %} +{% if parameters.no_client_to_client_reflection is vyos_defined %} + no bgp client-to-client reflection +{% endif %} +{% if parameters.no_fast_external_failover is vyos_defined %} + no bgp fast-external-failover +{% endif %} +{% if parameters.no_suppress_duplicates is vyos_defined %} + no bgp suppress-duplicates +{% endif %} +{% if parameters.reject_as_sets is vyos_defined %} + bgp reject-as-sets +{% endif %} +{% if parameters.router_id is vyos_defined and parameters.router_id is not none %} + bgp router-id {{ parameters.router_id }} +{% endif %} +{% if parameters.shutdown is vyos_defined %} + bgp shutdown +{% endif %} +{% if parameters.suppress_fib_pending is vyos_defined %} + bgp suppress-fib-pending +{% endif %} +{% if parameters.tcp_keepalive.idle is vyos_defined and parameters.tcp_keepalive.interval is vyos_defined and parameters.tcp_keepalive.probes is vyos_defined %} + bgp tcp-keepalive {{ parameters.tcp_keepalive.idle }} {{ parameters.tcp_keepalive.interval }} {{ parameters.tcp_keepalive.probes }} +{% endif %} +{% if srv6.locator is vyos_defined %} + segment-routing srv6 + locator {{ srv6.locator }} + exit +{% endif %} +{% if sid.vpn.per_vrf.export is vyos_defined %} + sid vpn per-vrf export {{ sid.vpn.per_vrf.export }} +{% endif %} +{% if timers.keepalive is vyos_defined and timers.holdtime is vyos_defined %} + timers bgp {{ timers.keepalive }} {{ timers.holdtime }} +{% endif %} +exit +! +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} +{% if iface_config.mpls.forwarding is vyos_defined %} + mpls bgp forwarding +{% endif %} +exit +! +{% endfor %} +{% endif %} diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl new file mode 100644 index 0000000..339b4e5 --- /dev/null +++ b/data/templates/frr/daemons.frr.tmpl @@ -0,0 +1,113 @@ +# +# The watchfrr, zebra, mgmtd and staticd daemons are always started. +# +# Note: The following FRR-services must be kept disabled because they are replaced by other packages in VyOS: +# +# pimd Replaced by package igmpproxy. +# nhrpd Replaced by package opennhrp. +# pbrd Replaced by PBR in nftables. +# vrrpd Replaced by package keepalived. +# +# And these must be disabled aswell since they are currently missing a VyOS CLI: +# +# eigrp +# sharpd +# fabricd +# pathd +# +# The zebra, mgmtd and staticd daemons are always started and can not be disabled +# +#zebra=yes +#mgmtd=yes +#staticd=yes + +bgpd=yes +ospfd=yes +ospf6d=yes +ripd=yes +ripngd=yes +isisd=yes +pimd=no +pim6d=yes +ldpd=yes +nhrpd=no +eigrpd=no +babeld=yes +sharpd=no +pbrd=no +bfdd=yes +fabricd=no +vrrpd=no +pathd=no + +# +# Define defaults for all services even those who shall be kept disabled. +# + +zebra_options=" --daemon -A 127.0.0.1 -s 90000000{{ ' -M snmp' if snmp.zebra is vyos_defined }}{{ ' -M irdp' if irdp is vyos_defined }}" +mgmtd_options=" --daemon -A 127.0.0.1" +staticd_options="--daemon -A 127.0.0.1" +bgpd_options=" --daemon -A 127.0.0.1 -M rpki{{ ' -M snmp' if snmp.bgpd is vyos_defined }}{{ ' -M bmp' if bmp is vyos_defined }}" +ospfd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ospfd is vyos_defined }}" +ospf6d_options=" --daemon -A ::1{{ ' -M snmp' if snmp.ospf6d is vyos_defined }}" +ripd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ripd is vyos_defined }}" +ripngd_options=" --daemon -A ::1" +isisd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.isisd is vyos_defined }}" +pimd_options=" --daemon -A 127.0.0.1" +pim6d_options=" --daemon -A ::1" +ldpd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ldpd is vyos_defined }}" +nhrpd_options=" --daemon -A 127.0.0.1" +eigrpd_options=" --daemon -A 127.0.0.1" +babeld_options=" --daemon -A 127.0.0.1" +sharpd_options=" --daemon -A 127.0.0.1" +pbrd_options=" --daemon -A 127.0.0.1" +bfdd_options=" --daemon -A 127.0.0.1" +fabricd_options="--daemon -A 127.0.0.1" +vrrpd_options=" --daemon -A 127.0.0.1" +pathd_options=" --daemon -A 127.0.0.1" + +#frr_global_options="" + +#zebra_wrap="" +#mgmtd_wrap="" +#staticd_wrap="" +#bgpd_wrap="" +#ospfd_wrap="" +#ospf6d_wrap="" +#ripd_wrap="" +#ripngd_wrap="" +#isisd_wrap="" +#pimd_wrap="" +#pim6d_wrap="" +#ldpd_wrap="" +#nhrpd_wrap="" +#eigrpd_wrap="" +#babeld_wrap="" +#sharpd_wrap="" +#pbrd_wrap="" +#bfdd_wrap="" +#fabricd_wrap="" +#vrrpd_wrap="" +#pathd_wrap="" + +#all_wrap="" + +# +# Other options. +# +# For more information see: +# https://github.com/FRRouting/frr/blob/stable/9.0/tools/etc/frr/daemons +# https://docs.frrouting.org/en/stable-9.0/setup.html +# + +vtysh_enable=yes +watchfrr_enable=yes +valgrind_enable=no + +#watchfrr_options="" + +frr_profile="traditional" + +MAX_FDS={{ descriptors }} + +#FRR_NO_ROOT="yes" diff --git a/data/templates/frr/distribute_list_macro.j2 b/data/templates/frr/distribute_list_macro.j2 new file mode 100644 index 0000000..c10bf73 --- /dev/null +++ b/data/templates/frr/distribute_list_macro.j2 @@ -0,0 +1,30 @@ +{% macro render_distribute_list(distribute_list) %} +{% if distribute_list.access_list.in is vyos_defined %} + distribute-list {{ distribute_list.access_list.in }} in +{% endif %} +{% if distribute_list.access_list.out is vyos_defined %} + distribute-list {{ distribute_list.access_list.out }} out +{% endif %} +{% if distribute_list.interface is vyos_defined %} +{% for interface, interface_config in distribute_list.interface.items() %} +{% if interface_config.access_list.in is vyos_defined %} + distribute-list {{ interface_config.access_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.access_list.out is vyos_defined %} + distribute-list {{ interface_config.access_list.out }} out {{ interface }} +{% endif %} +{% if interface_config.prefix_list.in is vyos_defined %} + distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.prefix_list.out is vyos_defined %} + distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} +{% endif %} +{% endfor %} +{% endif %} +{% if distribute_list.prefix_list.in is vyos_defined %} + distribute-list prefix {{ distribute_list.prefix_list.in }} in +{% endif %} +{% if distribute_list.prefix_list.out is vyos_defined %} + distribute-list prefix {{ distribute_list.prefix_list.out }} out +{% endif %} +{% endmacro %} diff --git a/data/templates/frr/eigrpd.frr.j2 b/data/templates/frr/eigrpd.frr.j2 new file mode 100644 index 0000000..d16963a --- /dev/null +++ b/data/templates/frr/eigrpd.frr.j2 @@ -0,0 +1,31 @@ +! +router eigrp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} +{% if maximum_paths is vyos_defined %} + maximum-paths {{ maximum_paths }} +{% endif %} +{% if metric.weights is vyos_defined %} + metric weights {{ metric.weights }} +{% endif %} +{% if network is vyos_defined %} +{% for net in network %} + network {{ net }} +{% endfor %} +{% endif %} +{% if passive_interface is vyos_defined %} +{% for interface in passive_interface %} + passive-interface {{ interface }} +{% endfor %} +{% endif %} +{% if redistribute is vyos_defined %} +{% for protocol in redistribute %} + redistribute {{ protocol }} +{% endfor %} +{% endif %} +{% if router_id is vyos_defined %} + eigrp router-id {{ router_id }} +{% endif %} +{% if variance is vyos_defined %} + variance {{ variance }} +{% endif %} +exit +! diff --git a/data/templates/frr/evpn.mh.frr.j2 b/data/templates/frr/evpn.mh.frr.j2 new file mode 100644 index 0000000..03aaac4 --- /dev/null +++ b/data/templates/frr/evpn.mh.frr.j2 @@ -0,0 +1,16 @@ +! +interface {{ ifname }} +{% if evpn.es_df_pref is vyos_defined %} + evpn mh es-df-pref {{ evpn.es_df_pref }} +{% endif %} +{% if evpn.es_id is vyos_defined %} + evpn mh es-id {{ evpn.es_id }} +{% endif %} +{% if evpn.es_sys_mac is vyos_defined %} + evpn mh es-sys-mac {{ evpn.es_sys_mac }} +{% endif %} +{% if evpn.uplink is vyos_defined %} + evpn mh uplink +{% endif %} +exit +! diff --git a/data/templates/frr/ipv6_distribute_list_macro.j2 b/data/templates/frr/ipv6_distribute_list_macro.j2 new file mode 100644 index 0000000..c365fbd --- /dev/null +++ b/data/templates/frr/ipv6_distribute_list_macro.j2 @@ -0,0 +1,30 @@ +{% macro render_ipv6_distribute_list(distribute_list) %} +{% if distribute_list.access_list.in is vyos_defined %} + ipv6 distribute-list {{ distribute_list.access_list.in }} in +{% endif %} +{% if distribute_list.access_list.out is vyos_defined %} + ipv6 distribute-list {{ distribute_list.access_list.out }} out +{% endif %} +{% if distribute_list.interface is vyos_defined %} +{% for interface, interface_config in distribute_list.interface.items() %} +{% if interface_config.access_list.in is vyos_defined %} + ipv6 distribute-list {{ interface_config.access_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.access_list.out is vyos_defined %} + ipv6 distribute-list {{ interface_config.access_list.out }} out {{ interface }} +{% endif %} +{% if interface_config.prefix_list.in is vyos_defined %} + ipv6 distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.prefix_list.out is vyos_defined %} + ipv6 distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} +{% endif %} +{% endfor %} +{% endif %} +{% if distribute_list.prefix_list.in is vyos_defined %} + ipv6 distribute-list prefix {{ distribute_list.prefix_list.in }} in +{% endif %} +{% if distribute_list.prefix_list.out is vyos_defined %} + ipv6 distribute-list prefix {{ distribute_list.prefix_list.out }} out +{% endif %} +{% endmacro %} diff --git a/data/templates/frr/isisd.frr.j2 b/data/templates/frr/isisd.frr.j2 new file mode 100644 index 0000000..1e1cc3c --- /dev/null +++ b/data/templates/frr/isisd.frr.j2 @@ -0,0 +1,242 @@ +! +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} + ip router isis VyOS + ipv6 router isis VyOS +{% if iface_config.bfd is vyos_defined %} + isis bfd +{% if iface_config.bfd.profile is vyos_defined %} + isis bfd profile {{ iface_config.bfd.profile }} +{% endif %} +{% endif %} +{% if iface_config.network.point_to_point is vyos_defined %} + isis network point-to-point +{% endif %} +{% if iface_config.circuit_type is vyos_defined %} + isis circuit-type {{ iface_config.circuit_type }} +{% endif %} +{% if iface_config.hello_interval is vyos_defined %} + isis hello-interval {{ iface_config.hello_interval }} +{% endif %} +{% if iface_config.hello_multiplier is vyos_defined %} + isis hello-multiplier {{ iface_config.hello_multiplier }} +{% endif %} +{% if iface_config.hello_padding is vyos_defined %} + isis hello padding +{% endif %} +{% if iface_config.ldp_sync.disable is vyos_defined %} + no isis mpls ldp-sync +{% elif iface_config.ldp_sync.holddown is vyos_defined %} + isis mpls ldp-sync + isis mpls ldp-sync holddown {{ iface_config.ldp_sync.holddown }} +{% endif %} +{% if iface_config.metric is vyos_defined %} + isis metric {{ iface_config.metric }} +{% endif %} +{% if iface_config.passive is vyos_defined %} + isis passive +{% endif %} +{% if iface_config.password.md5 is vyos_defined %} + isis password md5 {{ iface_config.password.md5 }} +{% elif iface_config.password.plaintext_password is vyos_defined %} + isis password clear {{ iface_config.password.plaintext_password }} +{% endif %} +{% if iface_config.priority is vyos_defined %} + isis priority {{ iface_config.priority }} +{% endif %} +{% if iface_config.psnp_interval is vyos_defined %} + isis psnp-interval {{ iface_config.psnp_interval }} +{% endif %} +{% if iface_config.no_three_way_handshake is vyos_defined %} + no isis three-way-handshake +{% endif %} +exit +! +{% endfor %} +{% endif %} +! +router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }} + net {{ net }} +{% if advertise_high_metrics is vyos_defined %} +advertise-high-metrics +{% endif %} +{% if advertise_passive_only is vyos_defined %} +advertise-passive-only +{% endif %} +{% if dynamic_hostname is vyos_defined %} + hostname dynamic +{% endif %} +{% if purge_originator is vyos_defined %} + purge-originator +{% endif %} +{% if set_attached_bit is vyos_defined %} + set-attached-bit +{% endif %} +{% if set_overload_bit is vyos_defined %} + set-overload-bit +{% endif %} +{% if domain_password.md5 is vyos_defined %} + domain-password md5 {{ domain_password.plaintext_password }} +{% elif domain_password.plaintext_password is vyos_defined %} + domain-password clear {{ domain_password.plaintext_password }} +{% endif %} +{% if log_adjacency_changes is vyos_defined %} + log-adjacency-changes +{% endif %} +{% if lsp_gen_interval is vyos_defined %} + lsp-gen-interval {{ lsp_gen_interval }} +{% endif %} +{% if lsp_mtu is vyos_defined %} + lsp-mtu {{ lsp_mtu }} +{% endif %} +{% if lsp_refresh_interval is vyos_defined %} + lsp-refresh-interval {{ lsp_refresh_interval }} +{% endif %} +{% if max_lsp_lifetime is vyos_defined %} + max-lsp-lifetime {{ max_lsp_lifetime }} +{% endif %} +{% if ldp_sync.holddown is vyos_defined %} + mpls ldp-sync holddown {{ ldp_sync.holddown }} +{% elif ldp_sync is vyos_defined %} + mpls ldp-sync +{% endif %} +{% if spf_interval is vyos_defined %} + spf-interval {{ spf_interval }} +{% endif %} +{% if traffic_engineering.enable is vyos_defined %} + mpls-te on +{% endif %} +{% if traffic_engineering.address is vyos_defined %} + mpls-te router-address {{ traffic_engineering.address }} +{% endif %} +{% if traffic_engineering.inter_as is vyos_defined %} +{% set level = '' %} +{% if traffic_engineering.inter_as.level_1 is vyos_defined %} +{% set level = ' level-1' %} +{% endif %} +{% if traffic_engineering.inter_as.level_1_2 is vyos_defined %} +{% set level = ' level-1-2' %} +{% endif %} +{% if traffic_engineering.inter_as.level_2 is vyos_defined %} +{% set level = ' level-2-only' %} +{% endif %} + mpls-te inter-as{{ level }} +{% endif %} +{% if segment_routing is vyos_defined %} +{% if segment_routing.maximum_label_depth is vyos_defined %} + segment-routing node-msd {{ segment_routing.maximum_label_depth }} +{% endif %} +{% if segment_routing.global_block is vyos_defined %} +{% if segment_routing.local_block is vyos_defined %} + segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }} local-block {{ segment_routing.local_block.low_label_value }} {{ segment_routing.local_block.high_label_value }} +{% else %} + segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }} +{% endif %} +{% endif %} +{% if segment_routing.prefix is vyos_defined %} +{% for prefix, prefix_config in segment_routing.prefix.items() %} +{% if prefix_config.absolute is vyos_defined %} +{% if prefix_config.absolute.value is vyos_defined %} + segment-routing prefix {{ prefix }} absolute {{ prefix_config.absolute.value }} {{ 'explicit-null' if prefix_config.absolute.explicit_null is vyos_defined }} {{ 'no-php-flag' if prefix_config.absolute.no_php_flag is vyos_defined }} +{% endif %} +{% endif %} +{% if prefix_config.index is vyos_defined %} +{% if prefix_config.index.value is vyos_defined %} + segment-routing prefix {{ prefix }} index {{ prefix_config.index.value }} {{ 'explicit-null' if prefix_config.index.explicit_null is vyos_defined }} {{ 'no-php-flag' if prefix_config.index.no_php_flag is vyos_defined }} +{% endif %} +{% endif %} +{% endfor %} +{% endif %} + segment-routing on +{% endif %} +{% if spf_delay_ietf.init_delay is vyos_defined %} + spf-delay-ietf init-delay {{ spf_delay_ietf.init_delay }} short-delay {{ spf_delay_ietf.short_delay }} long-delay {{ spf_delay_ietf.long_delay }} holddown {{ spf_delay_ietf.holddown }} time-to-learn {{ spf_delay_ietf.time_to_learn }} +{% endif %} +{% if area_password.md5 is vyos_defined %} + area-password md5 {{ area_password.md5 }} +{% elif area_password.plaintext_password is vyos_defined %} + area-password clear {{ area_password.plaintext_password }} +{% endif %} +{% if default_information.originate is vyos_defined %} +{% for afi, afi_config in default_information.originate.items() %} +{% for level, level_config in afi_config.items() %} + default-information originate {{ afi }} {{ level | replace('_', '-') }} {{ 'always' if level_config.always is vyos_defined }} {{ 'route-map ' ~ level_config.route_map if level_config.route_map is vyos_defined }} {{ 'metric ' ~ level_config.metric if level_config.metric is vyos_defined }} +{% endfor %} +{% endfor %} +{% endif %} +{% if fast_reroute.lfa is vyos_defined %} +{% if fast_reroute.lfa.local is vyos_defined %} +{% if fast_reroute.lfa.local.load_sharing.disable.level_1 is vyos_defined %} + fast-reroute load-sharing disable level-1 +{% elif fast_reroute.lfa.local.load_sharing.disable.level_2 is vyos_defined %} + fast-reroute load-sharing disable level-2 +{% elif fast_reroute.lfa.local.load_sharing.disable is vyos_defined %} + fast-reroute load-sharing disable +{% endif %} +{% if fast_reroute.lfa.local.priority_limit is vyos_defined %} +{% for priority, priority_limit_options in fast_reroute.lfa.local.priority_limit.items() %} +{% for level in priority_limit_options %} + fast-reroute priority-limit {{ priority }} {{ level | replace('_', '-') }} +{% endfor %} +{% endfor %} +{% endif %} +{% if fast_reroute.lfa.local.tiebreaker is vyos_defined %} +{% for tiebreaker, tiebreaker_options in fast_reroute.lfa.local.tiebreaker.items() %} +{% for index, index_options in tiebreaker_options.items() %} +{% for index_value, index_value_options in index_options.items() %} +{% for level in index_value_options %} + fast-reroute lfa tiebreaker {{ tiebreaker | replace('_', '-') }} index {{ index_value }} {{ level | replace('_', '-') }} +{% endfor %} +{% endfor %} +{% endfor %} +{% endfor %} +{% endif %} +{% endif %} +{% if fast_reroute.lfa.remote.prefix_list is vyos_defined %} +{% for prefix_list, prefix_list_options in fast_reroute.lfa.remote.prefix_list.items() %} +{% if prefix_list_options.level_1 is vyos_defined %} +fast-reroute remote-lfa prefix-list {{ prefix_list }} level-1 +{% endif %} +{% if prefix_list_options.level_2 is vyos_defined %} +fast-reroute remote-lfa prefix-list {{ prefix_list }} level-2 +{% endif %} +{% if prefix_list is vyos_defined and prefix_list_options.level_1 is not vyos_defined and prefix_list_options.level_2 is not vyos_defined %} +fast-reroute remote-lfa prefix-list {{ prefix_list }} +{% endif %} +{% endfor %} +{% endif %} +{% endif %} +{% if redistribute.ipv4 is vyos_defined %} +{% for protocol, protocol_options in redistribute.ipv4.items() %} +{% for level, level_config in protocol_options.items() %} +{% if level_config.metric is vyos_defined %} + redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} metric {{ level_config.metric }} +{% elif level_config.route_map is vyos_defined %} + redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} route-map {{ level_config.route_map }} +{% else %} + redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} +{% endif %} +{% endfor %} +{% endfor %} +{% endif %} +{% if redistribute.ipv6 is vyos_defined %} +{% for protocol, protocol_options in redistribute.ipv6.items() %} +{% for level, level_config in protocol_options.items() %} +{% if level_config.metric is vyos_defined %} + redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} metric {{ level_config.metric }} +{% elif level_config.route_map is vyos_defined %} + redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} route-map {{ level_config.route_map }} +{% else %} + redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} +{% endif %} +{% endfor %} +{% endfor %} +{% endif %} +{% if level is vyos_defined('level-2') %} + is-type level-2-only +{% elif level is vyos_defined %} + is-type {{ level }} +{% endif %} +exit +! diff --git a/data/templates/frr/ldpd.frr.j2 b/data/templates/frr/ldpd.frr.j2 new file mode 100644 index 0000000..9a893cc --- /dev/null +++ b/data/templates/frr/ldpd.frr.j2 @@ -0,0 +1,149 @@ +! +{% if ldp is vyos_defined %} +mpls ldp +{% if ldp.router_id is vyos_defined %} + router-id {{ ldp.router_id }} +{% endif %} +{% if ldp.parameters.cisco_interop_tlv is vyos_defined %} + dual-stack cisco-interop +{% endif %} +{% if ldp.parameters.transport_prefer_ipv4 is vyos_defined %} + dual-stack transport-connection prefer ipv4 +{% endif %} +{% if ldp.parameters.ordered_control is vyos_defined %} + ordered-control +{% endif %} +{% if ldp.neighbor is vyos_defined %} +{% for neighbor, neighbor_config in ldp.neighbor.items() %} +{% if neighbor_config.password is vyos_defined %} + neighbor {{ neighbor }} password {{ neighbor_config.password }} +{% endif %} +{% if neighbor_config.ttl_security is vyos_defined %} +{% if neighbor_config.ttl_security.disable is vyos_defined %} + neighbor {{ neighbor }} ttl-security disable +{% else %} + neighbor {{ neighbor }} ttl-security hops {{ neighbor_config.ttl_security }} +{% endif %} +{% endif %} +{% if neighbor_config.session_holdtime is vyos_defined %} + neighbor {{ neighbor }} session holdtime {{ neighbor_config.session_holdtime }} +{% endif %} +{% endfor %} +{% endif %} + ! +{% if ldp.discovery.transport_ipv4_address is vyos_defined %} + address-family ipv4 +{% if ldp.allocation.ipv4.access_list is vyos_defined %} + label local allocate for {{ ldp.allocation.ipv4.access_list }} +{% else %} + label local allocate host-routes +{% endif %} +{% if ldp.discovery.transport_ipv4_address is vyos_defined %} + discovery transport-address {{ ldp.discovery.transport_ipv4_address }} +{% endif %} +{% if ldp.discovery.hello_ipv4_holdtime is vyos_defined %} + discovery hello holdtime {{ ldp.discovery.hello_ipv4_holdtime }} +{% endif %} +{% if ldp.discovery.hello_ipv4_interval is vyos_defined %} + discovery hello interval {{ ldp.discovery.hello_ipv4_interval }} +{% endif %} +{% if ldp.discovery.session_ipv4_holdtime is vyos_defined %} + session holdtime {{ ldp.discovery.session_ipv4_holdtime }} +{% endif %} +{% if ldp.import.ipv4.import_filter.filter_access_list is vyos_defined %} +{% if ldp.import.ipv4.import_filter.neighbor_access_list is vyos_defined %} + label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} from {{ ldp.import.ipv4.import_filter.neighbor_access_list }} +{% else %} + label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} +{% endif %} +{% endif %} +{% if ldp.export.ipv4.explicit_null is vyos_defined %} + label local advertise explicit-null +{% endif %} +{% if ldp.export.ipv4.export_filter.filter_access_list is vyos_defined %} +{% if ldp.export.ipv4.export_filter.neighbor_access_list is vyos_defined %} + label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} to {{ ldp.export.ipv4.export_filter.neighbor_access_list }} +{% else %} + label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} +{% endif %} +{% endif %} +{% if ldp.targeted_neighbor is vyos_defined %} +{% if ldp.targeted_neighbor.ipv4.enable is vyos_defined %} + discovery targeted-hello accept +{% endif %} +{% if ldp.targeted_neighbor.ipv4.hello_holdtime is vyos_defined %} + discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv4.hello_holdtime }} +{% endif %} +{% if ldp.targeted_neighbor.ipv4.hello_interval is vyos_defined %} + discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv4.hello_interval }} +{% endif %} +{% for addresses in ldp.targeted_neighbor.ipv4.address %} + neighbor {{ addresses }} targeted +{% endfor %} +{% endif %} +{% if ldp.interface is vyos_defined %} +{% for interface in ldp.interface %} + interface {{ interface }} + exit +{% endfor %} +{% endif %} + exit-address-family +{% else %} + no address-family ipv4 +{% endif %} + ! +{% if ldp.discovery.transport_ipv6_address is vyos_defined %} + address-family ipv6 +{% if ldp.allocation.ipv6.access_list6 is vyos_defined %} + label local allocate for {{ ldp.allocation.ipv6.access_list6 }} +{% else %} + label local allocate host-routes +{% endif %} +{% if ldp.discovery.transport_ipv6_address is vyos_defined %} + discovery transport-address {{ ldp.discovery.transport_ipv6_address }} +{% endif %} +{% if ldp.discovery.hello_ipv6_holdtime is vyos_defined %} + discovery hello holdtime {{ ldp.discovery.hello_ipv6_holdtime }} +{% endif %} +{% if ldp.discovery.hello_ipv6_interval is vyos_defined %} + discovery hello interval {{ ldp.discovery.hello_ipv6_interval }} +{% endif %} +{% if ldp.discovery.session_ipv6_holdtime is vyos_defined %} + session holdtime {{ ldp.discovery.session_ipv6_holdtime }} +{% endif %} +{% if ldp.import.ipv6.import_filter.filter_access_list6 is vyos_defined %} + label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} {{ 'from ' ~ ldp.import.ipv6.import_filter.neighbor_access_list6 if ldp.import.ipv6.import_filter.neighbor_access_list6 is vyos_defined }} +{% endif %} +{% if ldp.export.ipv6.explicit_null is vyos_defined %} + label local advertise explicit-null +{% endif %} +{% if ldp.export.ipv6.export_filter.filter_access_list6 is vyos_defined %} + label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} {{ 'to ' ~ ldp.export.ipv6.export_filter.neighbor_access_list6 if ldp.export.ipv6.export_filter.neighbor_access_list6 is vyos_defined }} +{% endif %} +{% if ldp.targeted_neighbor is vyos_defined %} +{% if ldp.targeted_neighbor.ipv6.enable is vyos_defined %} + discovery targeted-hello accept +{% endif %} +{% if ldp.targeted_neighbor.ipv6.hello_holdtime is vyos_defined %} + discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv6.hello_holdtime }} +{% endif %} +{% if ldp.targeted_neighbor.ipv6.hello_interval is vyos_defined %} + discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv6.hello_interval }} +{% endif %} +{% for addresses in ldp.targeted_neighbor.ipv6.address %} + neighbor {{ addresses }} targeted +{% endfor %} +{% endif %} +{% if ldp.interface is vyos_defined %} +{% for interface in ldp.interface %} + interface {{ interface }} +{% endfor %} +{% endif %} + exit-address-family +{% else %} + no address-family ipv6 +{% endif %} + ! +exit +{% endif %} +! diff --git a/data/templates/frr/ospf6d.frr.j2 b/data/templates/frr/ospf6d.frr.j2 new file mode 100644 index 0000000..5f758f9 --- /dev/null +++ b/data/templates/frr/ospf6d.frr.j2 @@ -0,0 +1,116 @@ +! +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} +{% if iface_config.area is vyos_defined %} + ipv6 ospf6 area {{ iface_config.area }} +{% endif %} +{% if iface_config.cost is vyos_defined %} + ipv6 ospf6 cost {{ iface_config.cost }} +{% endif %} +{% if iface_config.priority is vyos_defined %} + ipv6 ospf6 priority {{ iface_config.priority }} +{% endif %} +{% if iface_config.hello_interval is vyos_defined %} + ipv6 ospf6 hello-interval {{ iface_config.hello_interval }} +{% endif %} +{% if iface_config.retransmit_interval is vyos_defined %} + ipv6 ospf6 retransmit-interval {{ iface_config.retransmit_interval }} +{% endif %} +{% if iface_config.transmit_delay is vyos_defined %} + ipv6 ospf6 transmit-delay {{ iface_config.transmit_delay }} +{% endif %} +{% if iface_config.dead_interval is vyos_defined %} + ipv6 ospf6 dead-interval {{ iface_config.dead_interval }} +{% endif %} +{% if iface_config.bfd is vyos_defined %} + ipv6 ospf6 bfd +{% endif %} +{% if iface_config.bfd.profile is vyos_defined %} + ipv6 ospf6 bfd profile {{ iface_config.bfd.profile }} +{% endif %} +{% if iface_config.mtu_ignore is vyos_defined %} + ipv6 ospf6 mtu-ignore +{% endif %} +{% if iface_config.ifmtu is vyos_defined %} + ipv6 ospf6 ifmtu {{ iface_config.ifmtu }} +{% endif %} +{% if iface_config.network is vyos_defined %} + ipv6 ospf6 network {{ iface_config.network }} +{% endif %} +{% if iface_config.instance_id is vyos_defined %} + ipv6 ospf6 instance-id {{ iface_config.instance_id }} +{% endif %} +{% if iface_config.passive is vyos_defined %} + ipv6 ospf6 passive +{% endif %} +exit +! +{% endfor %} +{% endif %} +! +router ospf6 {{ 'vrf ' ~ vrf if vrf is vyos_defined }} +{% if area is vyos_defined %} +{% for area_id, area_config in area.items() %} +{% if area_config.area_type is vyos_defined %} +{% for type, type_config in area_config.area_type.items() %} + area {{ area_id }} {{ type }} {{ 'default-information-originate' if type_config.default_information_originate is vyos_defined }} {{ 'no-summary' if type_config.no_summary is vyos_defined }} +{% endfor %} +{% endif %} +{% if area_config.range is vyos_defined %} +{% for prefix, prefix_config in area_config.range.items() %} + area {{ area_id }} range {{ prefix }} {{ 'advertise' if prefix_config.advertise is vyos_defined }} {{ 'not-advertise' if prefix_config.not_advertise is vyos_defined }} +{% endfor %} +{% endif %} +{% if area_config.export_list is vyos_defined %} + area {{ area_id }} export-list {{ area_config.export_list }} +{% endif %} +{% if area_config.import_list is vyos_defined %} + area {{ area_id }} import-list {{ area_config.import_list }} +{% endif %} +{% endfor %} +{% endif %} + auto-cost reference-bandwidth {{ auto_cost.reference_bandwidth }} +{% if default_information.originate is vyos_defined %} + default-information originate {{ 'always' if default_information.originate.always is vyos_defined }} {{ 'metric ' ~ default_information.originate.metric if default_information.originate.metric is vyos_defined }} {{ 'metric-type ' ~ default_information.originate.metric_type if default_information.originate.metric_type is vyos_defined }} {{ 'route-map ' ~ default_information.originate.route_map if default_information.originate.route_map is vyos_defined }} +{% endif %} +{% if distance.global is vyos_defined %} + distance {{ distance.global }} +{% endif %} +{% if distance.ospfv3 is vyos_defined %} + distance ospf6 {{ 'intra-area ' ~ distance.ospfv3.intra_area if distance.ospfv3.intra_area is vyos_defined }} {{ 'inter-area ' ~ distance.ospfv3.inter_area if distance.ospfv3.inter_area is vyos_defined }} {{ 'external ' ~ distance.ospfv3.external if distance.ospfv3.external is vyos_defined }} +{% endif %} +{% if graceful_restart is vyos_defined %} +{% if graceful_restart.grace_period is vyos_defined %} + graceful-restart grace-period {{ graceful_restart.grace_period }} +{% endif %} +{% if graceful_restart.helper.enable.router_id is vyos_defined %} +{% for router_id in graceful_restart.helper.enable.router_id %} + graceful-restart helper enable {{ router_id }} +{% endfor %} +{% elif graceful_restart.helper.enable is vyos_defined %} + graceful-restart helper enable +{% endif %} +{% if graceful_restart.helper.planned_only is vyos_defined %} + graceful-restart helper planned-only +{% endif %} +{% if graceful_restart.helper.lsa_check_disable is vyos_defined %} + graceful-restart helper lsa-check-disable +{% endif %} +{% if graceful_restart.helper.supported_grace_time is vyos_defined %} + graceful-restart helper supported-grace-time {{ graceful_restart.helper.supported_grace_time }} +{% endif %} +{% endif %} +{% if log_adjacency_changes is vyos_defined %} + log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is vyos_defined }} +{% endif %} +{% if parameters.router_id is vyos_defined %} + ospf6 router-id {{ parameters.router_id }} +{% endif %} +{% if redistribute is vyos_defined %} +{% for protocol, options in redistribute.items() %} + redistribute {{ protocol }} {{ 'metric ' ~ options.metric if options.metric is vyos_defined }} {{ 'metric-type ' ~ options.metric_type if options.metric_type is vyos_defined }} {{ 'route-map ' ~ options.route_map if options.route_map is vyos_defined }} +{% endfor %} +{% endif %} +exit +! diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 new file mode 100644 index 0000000..ab074b6 --- /dev/null +++ b/data/templates/frr/ospfd.frr.j2 @@ -0,0 +1,262 @@ +! +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} +{% if iface_config.authentication.plaintext_password is vyos_defined %} + ip ospf authentication-key {{ iface_config.authentication.plaintext_password }} +{% elif iface_config.authentication.md5 is vyos_defined %} + ip ospf authentication message-digest +{% if iface_config.authentication.md5.key_id is vyos_defined %} +{% for key, key_config in iface_config.authentication.md5.key_id.items() %} + ip ospf message-digest-key {{ key }} md5 {{ key_config.md5_key }} +{% endfor %} +{% endif %} +{% endif %} +{% if iface_config.area is vyos_defined %} + ip ospf area {{ iface_config.area }} +{% endif %} +{% if iface_config.bandwidth is vyos_defined %} + bandwidth {{ iface_config.bandwidth }} +{% endif %} +{% if iface_config.cost is vyos_defined %} + ip ospf cost {{ iface_config.cost }} +{% endif %} +{% if iface_config.priority is vyos_defined %} + ip ospf priority {{ iface_config.priority }} +{% endif %} +{% if iface_config.hello_interval is vyos_defined %} + ip ospf hello-interval {{ iface_config.hello_interval }} +{% endif %} +{% if iface_config.retransmit_interval is vyos_defined %} + ip ospf retransmit-interval {{ iface_config.retransmit_interval }} +{% endif %} +{% if iface_config.transmit_delay is vyos_defined %} + ip ospf transmit-delay {{ iface_config.transmit_delay }} +{% endif %} +{% if iface_config.dead_interval is vyos_defined %} + ip ospf dead-interval {{ iface_config.dead_interval }} +{% elif iface_config.hello_multiplier is vyos_defined %} + ip ospf dead-interval minimal hello-multiplier {{ iface_config.hello_multiplier }} +{% endif %} +{% if iface_config.bfd is vyos_defined %} + ip ospf bfd +{% endif %} +{% if iface_config.bfd.profile is vyos_defined %} + ip ospf bfd profile {{ iface_config.bfd.profile }} +{% endif %} +{% if iface_config.ldp_sync.disable is vyos_defined %} + no ip ospf mpls ldp-sync +{% elif iface_config.ldp_sync.holddown is vyos_defined %} + ip ospf mpls ldp-sync + ip ospf mpls ldp-sync holddown {{ iface_config.ldp_sync.holddown }} +{% endif %} +{% if iface_config.mtu_ignore is vyos_defined %} + ip ospf mtu-ignore +{% endif %} +{% if iface_config.network is vyos_defined %} + ip ospf network {{ iface_config.network }} +{% endif %} +{% if iface_config.passive is vyos_defined %} + {{ 'no ' if iface_config.passive.disable is vyos_defined }}ip ospf passive +{% endif %} +exit +! +{% endfor %} +{% endif %} +! +router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} +{% if access_list is vyos_defined %} +{% for acl, acl_config in access_list.items() %} +{% for protocol in acl_config.export if acl_config.export is vyos_defined %} + distribute-list {{ acl }} out {{ protocol }} +{% endfor %} +{% endfor %} +{% endif %} +{% if aggregation.timer is vyos_defined %} + aggregation timer {{ aggregation.timer }} +{% endif %} +{% if area is vyos_defined %} +{% for area_id, area_config in area.items() %} +{% if area_config.area_type is vyos_defined %} +{% for type, type_config in area_config.area_type.items() if type != 'normal' %} + area {{ area_id }} {{ type }} {{ 'no-summary' if type_config.no_summary is vyos_defined }} +{% if type_config.default_cost is vyos_defined %} + area {{ area_id }} default-cost {{ type_config.default_cost }} +{% endif %} +{% endfor %} +{% endif %} +{% if area_config.authentication is vyos_defined %} + area {{ area_id }} authentication {{ 'message-digest' if area_config.authentication is vyos_defined('md5') }} +{% endif %} +{% for network in area_config.network if area_config.network is vyos_defined %} + network {{ network }} area {{ area_id }} +{% endfor %} +{% if area_config.range is vyos_defined %} +{% for range, range_config in area_config.range.items() %} +{% if range_config.not_advertise is vyos_defined %} + area {{ area_id }} range {{ range }} not-advertise +{% else %} + area {{ area_id }} range {{ range }} +{% endif %} +{% if range_config.cost is vyos_defined %} + area {{ area_id }} range {{ range }} cost {{ range_config.cost }} +{% endif %} +{% if range_config.substitute is vyos_defined %} + area {{ area_id }} range {{ range }} substitute {{ range_config.substitute }} +{% endif %} +{% endfor %} +{% endif %} +{% if area_config.export_list is vyos_defined %} + area {{ area_id }} export-list {{ area_config.export_list }} +{% endif %} +{% if area_config.import_list is vyos_defined %} + area {{ area_id }} import-list {{ area_config.import_list }} +{% endif %} +{% if area_config.shortcut is vyos_defined %} + area {{ area_id }} shortcut {{ area_config.shortcut }} +{% endif %} +{% if area_config.virtual_link is vyos_defined %} +{% for link, link_config in area_config.virtual_link.items() %} +{% if link_config.authentication.plaintext_password is vyos_defined %} + area {{ area_id }} virtual-link {{ link }} authentication-key {{ link_config.authentication.plaintext_password }} +{% elif link_config.authentication.md5.key_id is vyos_defined %} +{% for key, key_config in link_config.authentication.md5.key_id.items() %} + area {{ area_id }} virtual-link {{ link }} message-digest-key {{ key }} md5 {{ key_config.md5_key }} +{% endfor %} +{% endif %} +{# The following values are default values #} + area {{ area_id }} virtual-link {{ link }} hello-interval {{ link_config.hello_interval }} retransmit-interval {{ link_config.retransmit_interval }} transmit-delay {{ link_config.transmit_delay }} dead-interval {{ link_config.dead_interval }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% if auto_cost.reference_bandwidth is vyos_defined %} + auto-cost reference-bandwidth {{ auto_cost.reference_bandwidth }} +{% endif %} +{% if capability.opaque is vyos_defined %} + capability opaque +{% endif %} +{% if default_information.originate is vyos_defined %} + default-information originate {{ 'always' if default_information.originate.always is vyos_defined }} {{ 'metric ' + default_information.originate.metric if default_information.originate.metric is vyos_defined }} {{ 'metric-type ' + default_information.originate.metric_type if default_information.originate.metric_type is vyos_defined }} {{ 'route-map ' + default_information.originate.route_map if default_information.originate.route_map is vyos_defined }} +{% endif %} +{% if default_metric is vyos_defined %} + default-metric {{ default_metric }} +{% endif %} +{% if maximum_paths is vyos_defined %} + maximum-paths {{ maximum_paths }} +{% endif %} +{% if ldp_sync.holddown is vyos_defined %} + mpls ldp-sync holddown {{ ldp_sync.holddown }} +{% elif ldp_sync is vyos_defined %} + mpls ldp-sync +{% endif %} +{% if distance.global is vyos_defined %} + distance {{ distance.global }} +{% endif %} +{% if distance.ospf is vyos_defined %} + distance ospf {{ 'intra-area ' + distance.ospf.intra_area if distance.ospf.intra_area is vyos_defined }} {{ 'inter-area ' + distance.ospf.inter_area if distance.ospf.inter_area is vyos_defined }} {{ 'external ' + distance.ospf.external if distance.ospf.external is vyos_defined }} +{% endif %} +{% if graceful_restart is vyos_defined %} +{% if graceful_restart.grace_period is vyos_defined %} + graceful-restart grace-period {{ graceful_restart.grace_period }} +{% endif %} +{% if graceful_restart.helper.enable.router_id is vyos_defined %} +{% for router_id in graceful_restart.helper.enable.router_id %} + graceful-restart helper enable {{ router_id }} +{% endfor %} +{% elif graceful_restart.helper.enable is vyos_defined %} + graceful-restart helper enable +{% endif %} +{% if graceful_restart.helper.planned_only is vyos_defined %} + graceful-restart helper planned-only +{% endif %} +{% if graceful_restart.helper.no_strict_lsa_checking is vyos_defined %} + no graceful-restart helper strict-lsa-checking +{% endif %} +{% if graceful_restart.helper.supported_grace_time is vyos_defined %} + graceful-restart helper supported-grace-time {{ graceful_restart.helper.supported_grace_time }} +{% endif %} +{% endif %} +{% if log_adjacency_changes is vyos_defined %} + log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is vyos_defined }} +{% endif %} +{% if max_metric.router_lsa.administrative is vyos_defined %} + max-metric router-lsa administrative +{% endif %} +{% if max_metric.router_lsa.on_shutdown is vyos_defined %} + max-metric router-lsa on-shutdown {{ max_metric.router_lsa.on_shutdown }} +{% endif %} +{% if max_metric.router_lsa.on_startup is vyos_defined %} + max-metric router-lsa on-startup {{ max_metric.router_lsa.on_startup }} +{% endif %} +{% if mpls_te.enable is vyos_defined %} + mpls-te on + mpls-te router-address {{ mpls_te.router_address }} +{% endif %} +{% if neighbor is vyos_defined %} +{% for address, address_config in neighbor.items() %} + neighbor {{ address }} {{ 'priority ' + address_config.priority if address_config.priority is vyos_defined }} {{ 'poll-interval ' + address_config.poll_interval if address_config.poll_interval is vyos_defined }} +{% endfor %} +{% endif %} +{% if parameters.abr_type is vyos_defined %} + ospf abr-type {{ parameters.abr_type }} +{% endif %} +{% if parameters.opaque_lsa is vyos_defined %} + ospf opaque-lsa +{% endif %} +{% if parameters.rfc1583_compatibility is vyos_defined %} + ospf rfc1583compatibility +{% endif %} +{% if parameters.router_id is vyos_defined %} + ospf router-id {{ parameters.router_id }} +{% endif %} +{% if passive_interface is vyos_defined('default') %} + passive-interface default +{% endif %} +{% if redistribute is vyos_defined %} +{% for protocol, options in redistribute.items() %} +{% if protocol == 'table' %} +{% for table, table_options in options.items() %} + redistribute {{ protocol }} {{ table }} {{ 'metric ' ~ table_options.metric if table_options.metric is vyos_defined }} {{ 'metric-type ' ~ table_options.metric_type if table_options.metric_type is vyos_defined }} {{ 'route-map ' ~ table_options.route_map if table_options.route_map is vyos_defined }} +{% endfor %} +{% else %} + redistribute {{ protocol }} {{ 'metric ' ~ options.metric if options.metric is vyos_defined }} {{ 'metric-type ' ~ options.metric_type if options.metric_type is vyos_defined }} {{ 'route-map ' ~ options.route_map if options.route_map is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} +{% if refresh.timers is vyos_defined %} + refresh timer {{ refresh.timers }} +{% endif %} +{% if summary_address is vyos_defined %} +{% for prefix, prefix_options in summary_address.items() %} + summary-address {{ prefix }} {{ 'tag ' + prefix_options.tag if prefix_options.tag is vyos_defined }}{{ 'no-advertise' if prefix_options.no_advertise is vyos_defined }} +{% endfor %} +{% endif %} +{% if segment_routing is vyos_defined %} +{% if segment_routing.maximum_label_depth is vyos_defined %} + segment-routing node-msd {{ segment_routing.maximum_label_depth }} +{% endif %} +{% if segment_routing.global_block is vyos_defined %} +{% if segment_routing.local_block is vyos_defined %} + segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }} local-block {{ segment_routing.local_block.low_label_value }} {{ segment_routing.local_block.high_label_value }} +{% else %} + segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }} +{% endif %} +{% endif %} +{% if segment_routing.prefix is vyos_defined %} +{% for prefix, prefix_config in segment_routing.prefix.items() %} +{% if prefix_config.index is vyos_defined %} +{% if prefix_config.index.value is vyos_defined %} + segment-routing prefix {{ prefix }} index {{ prefix_config.index.value }} {{ 'explicit-null' if prefix_config.index.explicit_null is vyos_defined }} {{ 'no-php-flag' if prefix_config.index.no_php_flag is vyos_defined }} +{% endif %} +{% endif %} +{% endfor %} +{% endif %} + segment-routing on +{% endif %} +{% if timers.throttle.spf.delay is vyos_defined and timers.throttle.spf.initial_holdtime is vyos_defined and timers.throttle.spf.max_holdtime is vyos_defined %} +{# Timer values have default values #} + timers throttle spf {{ timers.throttle.spf.delay }} {{ timers.throttle.spf.initial_holdtime }} {{ timers.throttle.spf.max_holdtime }} +{% endif %} +exit +! diff --git a/data/templates/frr/pim6d.frr.j2 b/data/templates/frr/pim6d.frr.j2 new file mode 100644 index 0000000..bac716f --- /dev/null +++ b/data/templates/frr/pim6d.frr.j2 @@ -0,0 +1,81 @@ +! +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +! +interface {{ iface }} + ipv6 pim +{% if iface_config.no_bsm is vyos_defined %} + no ipv6 pim bsm +{% endif %} +{% if iface_config.dr_priority is vyos_defined %} + ipv6 pim drpriority {{ iface_config.dr_priority }} +{% endif %} +{% if iface_config.hello is vyos_defined %} + ipv6 pim hello {{ iface_config.hello }} +{% endif %} +{% if iface_config.no_unicast_bsm is vyos_defined %} + no ipv6 pim unicast-bsm +{% endif %} +{% if iface_config.passive is vyos_defined %} + ipv6 pim passive +{% endif %} +{% if iface_config.mld is vyos_defined and iface_config.mld.disable is not vyos_defined %} + ipv6 mld +{% if iface_config.mld.version is vyos_defined %} + ipv6 mld version {{ iface_config.mld.version }} +{% endif %} +{% if iface_config.mld.interval is vyos_defined %} + ipv6 mld query-interval {{ iface_config.mld.interval }} +{% endif %} +{% if iface_config.mld.max_response_time is vyos_defined %} + ipv6 mld query-max-response-time {{ iface_config.mld.max_response_time // 100 }} +{% endif %} +{% if iface_config.mld.last_member_query_count is vyos_defined %} + ipv6 mld last-member-query-count {{ iface_config.mld.last_member_query_count }} +{% endif %} +{% if iface_config.mld.last_member_query_interval is vyos_defined %} + ipv6 mld last-member-query-interval {{ iface_config.mld.last_member_query_interval // 100 }} +{% endif %} +{% if iface_config.mld.join is vyos_defined %} +{% for group, group_config in iface_config.mld.join.items() %} +{% if group_config.source is vyos_defined %} +{% for source in group_config.source %} + ipv6 mld join {{ group }} {{ source }} +{% endfor %} +{% else %} + ipv6 mld join {{ group }} +{% endif %} +{% endfor %} +{% endif %} +{% endif %} +exit +{% endfor %} +{% endif %} +! +{% if join_prune_interval is vyos_defined %} +ipv6 pim join-prune-interval {{ join_prune_interval }} +{% endif %} +{% if keep_alive_timer is vyos_defined %} +ipv6 pim keep-alive-timer {{ keep_alive_timer }} +{% endif %} +{% if packets is vyos_defined %} +ipv6 pim packets {{ packets }} +{% endif %} +{% if register_suppress_time is vyos_defined %} +ipv6 pim register-suppress-time {{ register_suppress_time }} +{% endif %} +{% if rp.address is vyos_defined %} +{% for address, address_config in rp.address.items() %} +{% if address_config.group is vyos_defined %} +{% for group in address_config.group %} +ipv6 pim rp {{ address }} {{ group }} +{% endfor %} +{% endif %} +{% if address_config.prefix_list6 is vyos_defined %} +ipv6 pim rp {{ address }} prefix-list {{ address_config.prefix_list6 }} +{% endif %} +{% endfor %} +{% endif %} +{% if rp.keep_alive_timer is vyos_defined %} +ipv6 pim rp keep-alive-timer {{ rp.keep_alive_timer }} +{% endif %} diff --git a/data/templates/frr/pimd.frr.j2 b/data/templates/frr/pimd.frr.j2 new file mode 100644 index 0000000..68edf4a --- /dev/null +++ b/data/templates/frr/pimd.frr.j2 @@ -0,0 +1,95 @@ +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +! +interface {{ iface }} + ip pim +{% if iface_config.bfd is vyos_defined %} + ip pim bfd {{ 'profile ' ~ iface_config.bfd.profile if iface_config.bfd.profile is vyos_defined }} +{% endif %} +{% if iface_config.no_bsm is vyos_defined %} + no ip pim bsm +{% endif %} +{% if iface_config.dr_priority is vyos_defined %} + ip pim drpriority {{ iface_config.dr_priority }} +{% endif %} +{% if iface_config.hello is vyos_defined %} + ip pim hello {{ iface_config.hello }} +{% endif %} +{% if iface_config.no_unicast_bsm is vyos_defined %} + no ip pim unicast-bsm +{% endif %} +{% if iface_config.passive is vyos_defined %} + ip pim passive +{% endif %} +{% if iface_config.source_address is vyos_defined %} + ip pim use-source {{ iface_config.source_address }} +{% endif %} +{% if iface_config.igmp is vyos_defined and iface_config.igmp.disable is not vyos_defined %} + ip igmp +{% if iface_config.igmp.query_interval %} + ip igmp query-interval {{ iface_config.igmp.query_interval }} +{% endif %} +{% if iface_config.igmp.query_max_response_time %} + ip igmp query-max-response-time {{ iface_config.igmp.query_max_response_time }} +{% endif %} +{% if iface_config.igmp.version is vyos_defined %} + ip igmp version {{ iface_config.igmp.version }} +{% endif %} +{% if iface_config.igmp.join is vyos_defined %} +{% for join, join_config in iface_config.igmp.join.items() %} +{% if join_config.source_address is vyos_defined %} +{% for source_address in join_config.source_address %} + ip igmp join {{ join }} {{ source_address }} +{% endfor %} +{% else %} + ip igmp join {{ join }} +{% endif %} +{% endfor %} +{% endif %} +{% endif %} +exit +{% endfor %} +{% endif %} +! +{% if ecmp is vyos_defined %} +ip pim ecmp {{ 'rebalance' if ecmp.rebalance is vyos_defined }} +{% endif %} +{% if join_prune_interval is vyos_defined %} +ip pim join-prune-interval {{ join_prune_interval }} +{% endif %} +{% if keep_alive_timer is vyos_defined %} +ip pim keep-alive-timer {{ keep_alive_timer }} +{% endif %} +{% if packets is vyos_defined %} +ip pim packets {{ packets }} +{% endif %} +{% if register_accept_list.prefix_list is vyos_defined %} +ip pim register-accept-list {{ register_accept_list.prefix_list }} +{% endif %} +{% if register_suppress_time is vyos_defined %} +ip pim register-suppress-time {{ register_suppress_time }} +{% endif %} +{% if rp.address is vyos_defined %} +{% for address, address_config in rp.address.items() %} +{% for group in address_config.group %} +ip pim rp {{ address }} {{ group }} +{% endfor %} +{% endfor %} +{% endif %} +{% if rp.keep_alive_timer is vyos_defined %} +ip pim rp keep-alive-timer {{ rp.keep_alive_timer }} +{% endif %} +{% if no_v6_secondary is vyos_defined %} +no ip pim send-v6-secondary +{% endif %} +{% if spt_switchover.infinity_and_beyond is vyos_defined %} +ip pim spt-switchover infinity-and-beyond {{ 'prefix-list ' ~ spt_switchover.infinity_and_beyond.prefix_list if spt_switchover.infinity_and_beyond.prefix_list is defined }} +{% endif %} +{% if ssm.prefix_list is vyos_defined %} +ip pim ssm prefix-list {{ ssm.prefix_list }} +{% endif %} +! +{% if igmp.watermark_warning is vyos_defined %} +ip igmp watermark-warn {{ igmp.watermark_warning }} +{% endif %} +! diff --git a/data/templates/frr/policy.frr.j2 b/data/templates/frr/policy.frr.j2 new file mode 100644 index 0000000..ed5876a --- /dev/null +++ b/data/templates/frr/policy.frr.j2 @@ -0,0 +1,377 @@ +{% if access_list is vyos_defined %} +{% for acl, acl_config in access_list.items() | natural_sort %} +{% if acl_config.description is vyos_defined %} +access-list {{ acl }} remark {{ acl_config.description }} +{% endif %} +{% if acl_config.rule is vyos_defined %} +{% for rule, rule_config in acl_config.rule.items() | natural_sort %} +{% set ip = '' %} +{% set src = '' %} +{% set src_mask = '' %} +{% if rule_config.source.any is vyos_defined %} +{% set src = 'any' %} +{% elif rule_config.source.host is vyos_defined %} +{% set src = 'host ' ~ rule_config.source.host %} +{% elif rule_config.source.network is vyos_defined %} +{% set src = rule_config.source.network %} +{% set src_mask = rule_config.source.inverse_mask %} +{% endif %} +{% set dst = '' %} +{% set dst_mask = '' %} +{% if (acl | int >= 100 and acl | int <= 199) or (acl | int >= 2000 and acl | int <= 2699) %} +{% set ip = 'ip' %} +{% set dst = 'any' %} +{% if rule_config.destination.any is vyos_defined %} +{% set dst = 'any' %} +{% elif rule_config.destination.host is vyos_defined %} +{% set dst = 'host ' ~ rule_config.destination.host %} +{% elif rule_config.destination.network is vyos_defined %} +{% set dst = rule_config.destination.network %} +{% set dst_mask = rule_config.destination.inverse_mask %} +{% endif %} +{% endif %} +access-list {{ acl }} seq {{ rule }} {{ rule_config.action }} {{ ip }} {{ src }} {{ src_mask }} {{ dst }} {{ dst_mask }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if access_list6 is vyos_defined %} +{% for acl, acl_config in access_list6.items() | natural_sort %} +{% if acl_config.description is vyos_defined %} +ipv6 access-list {{ acl }} remark {{ acl_config.description }} +{% endif %} +{% if acl_config.rule is vyos_defined %} +{% for rule, rule_config in acl_config.rule.items() | natural_sort %} +{% set src = '' %} +{% if rule_config.source.any is vyos_defined %} +{% set src = 'any' %} +{% elif rule_config.source.network is vyos_defined %} +{% set src = rule_config.source.network %} +{% endif %} +ipv6 access-list {{ acl }} seq {{ rule }} {{ rule_config.action }} {{ src }} {{ 'exact-match' if rule_config.source.exact_match is vyos_defined }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if as_path_list is vyos_defined %} +{% for acl, acl_config in as_path_list.items() | natural_sort %} +{% if acl_config.rule is vyos_defined %} +{% for rule, rule_config in acl_config.rule.items() | natural_sort %} +bgp as-path access-list {{ acl }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if community_list is vyos_defined %} +{% for list, list_config in community_list.items() | natural_sort %} +{% if list_config.rule is vyos_defined %} +{% for rule, rule_config in list_config.rule.items() | natural_sort %} +{# by default, if casting to int fails it returns 0 #} +{% if list | int != 0 %} +bgp community-list {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% else %} +bgp community-list expanded {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if extcommunity_list is vyos_defined %} +{% for list, list_config in extcommunity_list.items() | natural_sort %} +{% if list_config.rule is vyos_defined %} +{% for rule, rule_config in list_config.rule.items() | natural_sort %} +{# by default, if casting to int fails it returns 0 #} +{% if list | int != 0 %} +bgp extcommunity-list {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% else %} +bgp extcommunity-list expanded {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if large_community_list is vyos_defined %} +{% for list, list_config in large_community_list.items() | natural_sort %} +{% if list_config.rule is vyos_defined %} +{% for rule, rule_config in list_config.rule.items() | natural_sort %} +{# by default, if casting to int fails it returns 0 #} +{% if list | int != 0 %} +bgp large-community-list {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% else %} +bgp large-community-list expanded {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if prefix_list is vyos_defined %} +{% for prefix_list, prefix_list_config in prefix_list.items() | natural_sort %} +{% if prefix_list_config.description is vyos_defined %} +ip prefix-list {{ prefix_list }} description {{ prefix_list_config.description }} +{% endif %} +{% if prefix_list_config.rule is vyos_defined %} +{% for rule, rule_config in prefix_list_config.rule.items() | natural_sort %} +{% if rule_config.prefix is vyos_defined %} +ip prefix-list {{ prefix_list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.prefix }} {{ 'ge ' ~ rule_config.ge if rule_config.ge is vyos_defined }} {{ 'le ' ~ rule_config.le if rule_config.le is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if prefix_list6 is vyos_defined %} +{% for prefix_list, prefix_list_config in prefix_list6.items() | natural_sort %} +{% if prefix_list_config.description is vyos_defined %} +ipv6 prefix-list {{ prefix_list }} description {{ prefix_list_config.description }} +{% endif %} +{% if prefix_list_config.rule is vyos_defined %} +{% for rule, rule_config in prefix_list_config.rule.items() | natural_sort %} +{% if rule_config.prefix is vyos_defined %} +ipv6 prefix-list {{ prefix_list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.prefix }} {{ 'ge ' ~ rule_config.ge if rule_config.ge is vyos_defined }} {{ 'le ' ~ rule_config.le if rule_config.le is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if route_map is vyos_defined %} +{% for route_map, route_map_config in route_map.items() | natural_sort %} +{% if route_map_config.rule is vyos_defined %} +{% for rule, rule_config in route_map_config.rule.items() | natural_sort %} +route-map {{ route_map }} {{ rule_config.action }} {{ rule }} +{% if rule_config.call is vyos_defined %} + call {{ rule_config.call }} +{% endif %} +{% if rule_config.continue is vyos_defined %} + on-match goto {{ rule_config.continue }} +{% endif %} +{% if rule_config.description is vyos_defined %} + description {{ rule_config.description }} +{% endif %} +{% if rule_config.match is vyos_defined %} +{% if rule_config.match.as_path is vyos_defined %} + match as-path {{ rule_config.match.as_path }} +{% endif %} +{% if rule_config.match.community.community_list is vyos_defined %} + match community {{ rule_config.match.community.community_list }} {{ 'exact-match' if rule_config.match.community.exact_match is vyos_defined }} +{% endif %} +{% if rule_config.match.extcommunity is vyos_defined %} + match extcommunity {{ rule_config.match.extcommunity }} +{% endif %} +{% if rule_config.match.evpn.default_route is vyos_defined %} + match evpn default-route +{% endif %} +{% if rule_config.match.evpn.rd is vyos_defined %} + match evpn rd {{ rule_config.match.evpn.rd }} +{% endif %} +{% if rule_config.match.evpn.route_type is vyos_defined %} + match evpn route-type {{ rule_config.match.evpn.route_type }} +{% endif %} +{% if rule_config.match.evpn.vni is vyos_defined %} + match evpn vni {{ rule_config.match.evpn.vni }} +{% endif %} +{% if rule_config.match.interface is vyos_defined %} + match interface {{ rule_config.match.interface }} +{% endif %} +{% if rule_config.match.ip.address.access_list is vyos_defined %} + match ip address {{ rule_config.match.ip.address.access_list }} +{% endif %} +{% if rule_config.match.ip.address.prefix_list is vyos_defined %} + match ip address prefix-list {{ rule_config.match.ip.address.prefix_list }} +{% endif %} +{% if rule_config.match.ip.address.prefix_len is vyos_defined %} + match ip address prefix-len {{ rule_config.match.ip.address.prefix_len }} +{% endif %} +{% if rule_config.match.ip.nexthop.access_list is vyos_defined %} + match ip next-hop {{ rule_config.match.ip.nexthop.access_list }} +{% endif %} +{% if rule_config.match.ip.nexthop.address is vyos_defined %} + match ip next-hop address {{ rule_config.match.ip.nexthop.address }} +{% endif %} +{% if rule_config.match.ip.nexthop.prefix_len is vyos_defined %} + match ip next-hop prefix-len {{ rule_config.match.ip.nexthop.prefix_len }} +{% endif %} +{% if rule_config.match.ip.nexthop.prefix_list is vyos_defined %} + match ip next-hop prefix-list {{ rule_config.match.ip.nexthop.prefix_list }} +{% endif %} +{% if rule_config.match.ip.nexthop.type is vyos_defined %} + match ip next-hop type {{ rule_config.match.ip.nexthop.type }} +{% endif %} +{% if rule_config.match.ip.route_source.access_list is vyos_defined %} + match ip route-source {{ rule_config.match.ip.route_source.access_list }} +{% endif %} +{% if rule_config.match.ip.route_source.prefix_list is vyos_defined %} + match ip route-source prefix-list {{ rule_config.match.ip.route_source.prefix_list }} +{% endif %} +{% if rule_config.match.ipv6.address.access_list is vyos_defined %} + match ipv6 address {{ rule_config.match.ipv6.address.access_list }} +{% endif %} +{% if rule_config.match.ipv6.address.prefix_list is vyos_defined %} + match ipv6 address prefix-list {{ rule_config.match.ipv6.address.prefix_list }} +{% endif %} +{% if rule_config.match.ipv6.address.prefix_len is vyos_defined %} + match ipv6 address prefix-len {{ rule_config.match.ipv6.address.prefix_len }} +{% endif %} +{% if rule_config.match.ipv6.nexthop.address is vyos_defined %} + match ipv6 next-hop address {{ rule_config.match.ipv6.nexthop.address }} +{% endif %} +{% if rule_config.match.ipv6.nexthop.access_list is vyos_defined %} + match ipv6 next-hop {{ rule_config.match.ipv6.nexthop.access_list }} +{% endif %} +{% if rule_config.match.ipv6.nexthop.prefix_list is vyos_defined %} + match ipv6 next-hop prefix-list {{ rule_config.match.ipv6.nexthop.prefix_list }} +{% endif %} +{% if rule_config.match.ipv6.nexthop.type is vyos_defined %} + match ipv6 next-hop type {{ rule_config.match.ipv6.nexthop.type }} +{% endif %} +{% if rule_config.match.large_community.large_community_list is vyos_defined %} + match large-community {{ rule_config.match.large_community.large_community_list }} +{% endif %} +{% if rule_config.match.local_preference is vyos_defined %} + match local-preference {{ rule_config.match.local_preference }} +{% endif %} +{% if rule_config.match.metric is vyos_defined %} + match metric {{ rule_config.match.metric }} +{% endif %} +{% if rule_config.match.origin is vyos_defined %} + match origin {{ rule_config.match.origin }} +{% endif %} +{% if rule_config.match.peer is vyos_defined %} + match peer {{ rule_config.match.peer }} +{% endif %} +{% if rule_config.match.protocol is vyos_defined %} +{% set source_protocol = 'ospf6' if rule_config.match.protocol == 'ospfv3' else rule_config.match.protocol %} + match source-protocol {{ source_protocol }} +{% endif %} +{% if rule_config.match.rpki is vyos_defined %} + match rpki {{ rule_config.match.rpki }} +{% endif %} +{% if rule_config.match.tag is vyos_defined %} + match tag {{ rule_config.match.tag }} +{% endif %} +{% endif %} +{% if rule_config.on_match.next is vyos_defined %} + on-match next +{% endif %} +{% if rule_config.on_match.goto is vyos_defined %} + on-match goto {{ rule_config.on_match.goto }} +{% endif %} +{% if rule_config.set is vyos_defined %} +{% if rule_config.set.aggregator.as is vyos_defined and rule_config.set.aggregator.ip is vyos_defined %} + set aggregator as {{ rule_config.set.aggregator.as }} {{ rule_config.set.aggregator.ip }} +{% endif %} +{% if rule_config.set.as_path.exclude is vyos_defined %} + set as-path exclude {{ rule_config.set.as_path.exclude }} +{% endif %} +{% if rule_config.set.as_path.prepend is vyos_defined %} + set as-path prepend {{ rule_config.set.as_path.prepend }} +{% endif %} +{% if rule_config.set.as_path.prepend_last_as is vyos_defined %} + set as-path prepend last-as {{ rule_config.set.as_path.prepend_last_as }} +{% endif %} +{% if rule_config.set.atomic_aggregate is vyos_defined %} + set atomic-aggregate +{% endif %} +{% if rule_config.set.community.delete is vyos_defined %} + set comm-list {{ rule_config.set.community.delete }} delete +{% endif %} +{% if rule_config.set.community.replace is vyos_defined %} + set community {{ rule_config.set.community.replace | join(' ') | replace("local-as" , "local-AS") }} +{% endif %} +{% if rule_config.set.community.add is vyos_defined %} + set community {{ rule_config.set.community.add | join(' ') | replace("local-as" , "local-AS") }} additive +{% endif %} +{% if rule_config.set.community.none is vyos_defined %} + set community none +{% endif %} +{% if rule_config.set.distance is vyos_defined %} + set distance {{ rule_config.set.distance }} +{% endif %} +{% if rule_config.set.evpn.gateway.ipv4 is vyos_defined %} + set evpn gateway-ip ipv4 {{ rule_config.set.evpn.gateway.ipv4 }} +{% endif %} +{% if rule_config.set.evpn.gateway.ipv6 is vyos_defined %} + set evpn gateway-ip ipv6 {{ rule_config.set.evpn.gateway.ipv6 }} +{% endif %} +{% if rule_config.set.extcommunity.bandwidth is vyos_defined %} + set extcommunity bandwidth {{ rule_config.set.extcommunity.bandwidth }} {{ 'non-transitive' if rule_config.set.extcommunity.bandwidth_non_transitive is vyos_defined }} +{% endif %} +{% if rule_config.set.extcommunity.rt is vyos_defined %} + set extcommunity rt {{ rule_config.set.extcommunity.rt | join(' ') }} +{% endif %} +{% if rule_config.set.extcommunity.soo is vyos_defined %} + set extcommunity soo {{ rule_config.set.extcommunity.soo | join(' ') }} +{% endif %} +{% if rule_config.set.extcommunity.none is vyos_defined %} + set extcommunity none +{% endif %} +{% if rule_config.set.ip_next_hop is vyos_defined %} + set ip next-hop {{ rule_config.set.ip_next_hop }} +{% endif %} +{% if rule_config.set.ipv6_next_hop.global is vyos_defined %} + set ipv6 next-hop global {{ rule_config.set.ipv6_next_hop.global }} +{% endif %} +{% if rule_config.set.ipv6_next_hop.local is vyos_defined %} + set ipv6 next-hop local {{ rule_config.set.ipv6_next_hop.local }} +{% endif %} +{% if rule_config.set.ipv6_next_hop.peer_address is vyos_defined %} + set ipv6 next-hop peer-address +{% endif %} +{% if rule_config.set.ipv6_next_hop.prefer_global is vyos_defined %} + set ipv6 next-hop prefer-global +{% endif %} +{% if rule_config.set.l3vpn_nexthop.encapsulation.gre is vyos_defined %} +set l3vpn next-hop encapsulation gre +{% endif %} +{% if rule_config.set.large_community.replace is vyos_defined %} + set large-community {{ rule_config.set.large_community.replace | join(' ') }} +{% endif %} +{% if rule_config.set.large_community.add is vyos_defined %} + set large-community {{ rule_config.set.large_community.add | join(' ') }} additive +{% endif %} +{% if rule_config.set.large_community.none is vyos_defined %} + set large-community none +{% endif %} +{% if rule_config.set.large_community.delete is vyos_defined %} + set large-comm-list {{ rule_config.set.large_community.delete }} delete +{% endif %} +{% if rule_config.set.local_preference is vyos_defined %} + set local-preference {{ rule_config.set.local_preference }} +{% endif %} +{% if rule_config.set.metric is vyos_defined %} + set metric {{ rule_config.set.metric }} +{% endif %} +{% if rule_config.set.metric_type is vyos_defined %} + set metric-type {{ rule_config.set.metric_type }} +{% endif %} +{% if rule_config.set.origin is vyos_defined %} + set origin {{ rule_config.set.origin }} +{% endif %} +{% if rule_config.set.originator_id is vyos_defined %} + set originator-id {{ rule_config.set.originator_id }} +{% endif %} +{% if rule_config.set.src is vyos_defined %} + set src {{ rule_config.set.src }} +{% endif %} +{% if rule_config.set.table is vyos_defined %} + set table {{ rule_config.set.table }} +{% endif %} +{% if rule_config.set.tag is vyos_defined %} + set tag {{ rule_config.set.tag }} +{% endif %} +{% if rule_config.set.weight is vyos_defined %} + set weight {{ rule_config.set.weight }} +{% endif %} +{% endif %} +exit +! +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/frr/rip_ripng.frr.j2 b/data/templates/frr/rip_ripng.frr.j2 new file mode 100644 index 0000000..dd547bb --- /dev/null +++ b/data/templates/frr/rip_ripng.frr.j2 @@ -0,0 +1,36 @@ +{% if default_information is vyos_defined %} + default-information originate +{% endif %} +{% if default_metric is vyos_defined %} + default-metric {{ default_metric }} +{% endif %} +{% if passive_interface is vyos_defined %} +{% for interface in passive_interface %} + passive-interface {{ interface }} +{% endfor %} +{% endif %} +{% if network is vyos_defined %} +{% for prefix in network %} + network {{ prefix }} +{% endfor %} +{% endif %} +{% if interface is vyos_defined %} +{% for ifname in interface %} + network {{ ifname }} +{% endfor %} +{% endif %} +{% if route is vyos_defined %} +{% for prefix in route %} + route {{ prefix }} +{% endfor %} +{% endif %} +{# timers have default values #} + timers basic {{ timers['update'] }} {{ timers.timeout }} {{ timers.garbage_collection }} +{% if redistribute is vyos_defined %} +{% for protocol, protocol_config in redistribute.items() %} +{% if protocol is vyos_defined('ospfv3') %} +{% set protocol = 'ospf6' %} +{% endif %} + redistribute {{ protocol }} {{ 'metric ' ~ protocol_config.metric if protocol_config.metric is vyos_defined }} {{ 'route-map ' ~ protocol_config.route_map if protocol_config.route_map is vyos_defined }} +{% endfor %} +{% endif %} diff --git a/data/templates/frr/ripd.frr.j2 b/data/templates/frr/ripd.frr.j2 new file mode 100644 index 0000000..1445bf9 --- /dev/null +++ b/data/templates/frr/ripd.frr.j2 @@ -0,0 +1,75 @@ +{% from 'frr/distribute_list_macro.j2' import render_distribute_list %} +{# RIP key-chain definition #} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +{% if iface_config.authentication.md5 is vyos_defined %} +key chain {{ iface }}-rip +{% for key_id, key_options in iface_config.authentication.md5.items() %} + key {{ key_id }} +{% if key_options.password is vyos_defined %} + key-string {{ key_options.password }} +{% endif %} + exit +{% endfor %} +exit +{% endif %} +{% endfor %} +{% endif %} +! +{# Interface specific configuration #} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} +{% if iface_config.authentication.plaintext_password is vyos_defined %} + ip rip authentication mode text + ip rip authentication string {{ iface_config.authentication.plaintext_password }} +{% elif iface_config.authentication.md5 is vyos_defined %} + ip rip authentication key-chain {{ iface }}-rip + ip rip authentication mode md5 +{% endif %} +{% if iface_config.split_horizon.disable is vyos_defined %} + no ip rip split-horizon +{% endif %} +{% if iface_config.split_horizon.poison_reverse is vyos_defined %} + ip rip split-horizon poisoned-reverse +{% endif %} +{% if iface_config.receive.version is vyos_defined %} + ip rip receive version {{ iface_config.receive.version }} +{% endif %} +{% if iface_config.send.version is vyos_defined %} + ip rip send version {{ iface_config.send.version }} +{% endif %} +exit +! +{% endfor %} +{% endif %} +! +router rip +{% if default_distance is vyos_defined %} + distance {{ default_distance }} +{% endif %} +{% if network_distance is vyos_defined %} +{% for network, network_config in network_distance.items() %} +{% if network_config.distance is vyos_defined %} + distance {{ network_config.distance }} {{ network }} +{% endif %} +{% endfor %} +{% endif %} +{% if neighbor is vyos_defined %} +{% for address in neighbor %} + neighbor {{ address }} +{% endfor %} +{% endif %} +{% if distribute_list is vyos_defined %} +{{ render_distribute_list(distribute_list) }} +{% endif %} +{% include 'frr/rip_ripng.frr.j2' %} +{% if version is vyos_defined %} + version {{ version }} +{% endif %} +exit +! +{% if route_map is vyos_defined %} +ip protocol rip route-map {{ route_map }} +{% endif %} +! diff --git a/data/templates/frr/ripngd.frr.j2 b/data/templates/frr/ripngd.frr.j2 new file mode 100644 index 0000000..e857e94 --- /dev/null +++ b/data/templates/frr/ripngd.frr.j2 @@ -0,0 +1,31 @@ +{% from 'frr/ipv6_distribute_list_macro.j2' import render_ipv6_distribute_list %} +{# Interface specific configuration #} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} +{% if iface_config.split_horizon.disable is vyos_defined %} + no ipv6 rip split-horizon +{% endif %} +{% if iface_config.split_horizon.poison_reverse is vyos_defined %} + ipv6 rip split-horizon poisoned-reverse +{% endif %} +exit +{% endfor %} +{% endif %} +! +router ripng +{% if aggregate_address is vyos_defined %} +{% for prefix in aggregate_address %} + aggregate-address {{ prefix }} +{% endfor %} +{% endif %} +{% if distribute_list is vyos_defined %} +{{ render_ipv6_distribute_list(distribute_list) }} +{% endif %} +{% include 'frr/rip_ripng.frr.j2' %} +exit +! +{% if route_map is vyos_defined %} +ipv6 protocol ripng route-map {{ route_map }} +{% endif %} +! diff --git a/data/templates/frr/rpki.frr.j2 b/data/templates/frr/rpki.frr.j2 new file mode 100644 index 0000000..5972410 --- /dev/null +++ b/data/templates/frr/rpki.frr.j2 @@ -0,0 +1,24 @@ +! +{# as FRR does not support deleting the entire rpki section we leave it in place even when it's empty #} +rpki +{% if cache is vyos_defined %} +{% for peer, peer_config in cache.items() %} +{# port is mandatory and preference uses a default value #} +{% if peer_config.ssh.username is vyos_defined %} + rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} {{ peer_config.ssh.username }} {{ peer_config.ssh.private_key_file }} {{ peer_config.ssh.public_key_file }} preference {{ peer_config.preference }} +{% else %} + rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} preference {{ peer_config.preference }} +{% endif %} +{% endfor %} +{% endif %} +{% if expire_interval is vyos_defined %} + rpki expire_interval {{ expire_interval }} +{% endif %} +{% if polling_period is vyos_defined %} + rpki polling_period {{ polling_period }} +{% endif %} +{% if retry_interval is vyos_defined %} + rpki retry_interval {{ retry_interval }} +{% endif %} +exit +! diff --git a/data/templates/frr/static_mcast.frr.j2 b/data/templates/frr/static_mcast.frr.j2 new file mode 100644 index 0000000..491d4b5 --- /dev/null +++ b/data/templates/frr/static_mcast.frr.j2 @@ -0,0 +1,20 @@ +! +{% for route_gr in old_mroute %} +{% for nh in old_mroute[route_gr] %} +{% if old_mroute[route_gr][nh] %} +no ip mroute {{ route_gr }} {{ nh }} {{ old_mroute[route_gr][nh] }} +{% else %} +no ip mroute {{ route_gr }} {{ nh }} +{% endif %} +{% endfor %} +{% endfor %} +{% for route_gr in mroute %} +{% for nh in mroute[route_gr] %} +{% if mroute[route_gr][nh] %} +ip mroute {{ route_gr }} {{ nh }} {{ mroute[route_gr][nh] }} +{% else %} +ip mroute {{ route_gr }} {{ nh }} +{% endif %} +{% endfor %} +{% endfor %} +! diff --git a/data/templates/frr/static_routes_macro.j2 b/data/templates/frr/static_routes_macro.j2 new file mode 100644 index 0000000..cf80469 --- /dev/null +++ b/data/templates/frr/static_routes_macro.j2 @@ -0,0 +1,29 @@ +{% macro static_routes(ip_ipv6, prefix, prefix_config, table=None) %} +{% if prefix_config.blackhole is vyos_defined %} +{{ ip_ipv6 }} route {{ prefix }} blackhole {{ prefix_config.blackhole.distance if prefix_config.blackhole.distance is vyos_defined }} {{ 'tag ' ~ prefix_config.blackhole.tag if prefix_config.blackhole.tag is vyos_defined }} {{ 'table ' ~ table if table is vyos_defined and table is not none }} +{% endif %} +{% if prefix_config.reject is vyos_defined %} +{{ ip_ipv6 }} route {{ prefix }} reject {{ prefix_config.reject.distance if prefix_config.reject.distance is vyos_defined }} {{ 'tag ' ~ prefix_config.reject.tag if prefix_config.reject.tag is vyos_defined }} {{ 'table ' ~ table if table is vyos_defined }} +{% endif %} +{% if prefix_config.dhcp_interface is vyos_defined %} +{% set next_hop = prefix_config.dhcp_interface | get_dhcp_router %} +{% if next_hop is vyos_defined %} +{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ prefix_config.dhcp_interface }} {{ 'table ' ~ table if table is vyos_defined }} +{% endif %} +{% endif %} +{% if prefix_config.interface is vyos_defined %} +{% for interface, interface_config in prefix_config.interface.items() if interface_config.disable is not defined %} +{{ ip_ipv6 }} route {{ prefix }} {{ interface }} {{ interface_config.distance if interface_config.distance is vyos_defined }} {{ 'nexthop-vrf ' ~ interface_config.vrf if interface_config.vrf is vyos_defined }} {{ 'segments ' ~ interface_config.segments if interface_config.segments is vyos_defined }} {{ 'table ' ~ table if table is vyos_defined }} +{% endfor %} +{% endif %} +{% if prefix_config.next_hop is vyos_defined and prefix_config.next_hop is not none %} +{% for next_hop, next_hop_config in prefix_config.next_hop.items() if next_hop_config.disable is not defined %} +{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ next_hop_config.interface if next_hop_config.interface is vyos_defined }} {{ next_hop_config.distance if next_hop_config.distance is vyos_defined }} {{ 'nexthop-vrf ' ~ next_hop_config.vrf if next_hop_config.vrf is vyos_defined }} {{ 'bfd profile ' ~ next_hop_config.bfd.profile if next_hop_config.bfd.profile is vyos_defined }} {{ 'segments ' ~ next_hop_config.segments if next_hop_config.segments is vyos_defined }} {{ 'table ' ~ table if table is vyos_defined }} +{% if next_hop_config.bfd.multi_hop.source is vyos_defined %} +{% for source, source_config in next_hop_config.bfd.multi_hop.source.items() %} +{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} bfd multi-hop source {{ source }} profile {{ source_config.profile }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% endmacro %} diff --git a/data/templates/frr/staticd.frr.j2 b/data/templates/frr/staticd.frr.j2 new file mode 100644 index 0000000..992a043 --- /dev/null +++ b/data/templates/frr/staticd.frr.j2 @@ -0,0 +1,64 @@ +{% from 'frr/static_routes_macro.j2' import static_routes %} +! +{% set ip_prefix = 'ip' %} +{% set ipv6_prefix = 'ipv6' %} +{% if vrf is vyos_defined %} +{# We need to add an additional whitespace in front of the prefix #} +{# when VRFs are in use, thus we use a variable for prefix handling #} +{% set ip_prefix = ' ip' %} +{% set ipv6_prefix = ' ipv6' %} +vrf {{ vrf }} +{% endif %} +{# IPv4 routing #} +{% if route is vyos_defined %} +{% for prefix, prefix_config in route.items() %} +{{ static_routes(ip_prefix, prefix, prefix_config) }} +{% endfor %} +{% endif %} +{# IPv4 default routes from DHCP interfaces #} +{% if dhcp is vyos_defined %} +{% for interface, interface_config in dhcp.items() if interface_config.dhcp_options.no_default_route is not vyos_defined %} +{% set next_hop = interface | get_dhcp_router %} +{% if next_hop is vyos_defined %} +{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.dhcp_options.default_route_distance if interface_config.dhcp_options.default_route_distance is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} +{# IPv4 default routes from PPPoE interfaces #} +{% if pppoe is vyos_defined %} +{% for interface, interface_config in pppoe.items() if interface_config.no_default_route is not vyos_defined %} +{{ ip_prefix }} route 0.0.0.0/0 {{ interface }} tag 210 {{ interface_config.default_route_distance if interface_config.default_route_distance is vyos_defined }} +{% endfor %} +{% endif %} +{# IPv6 routing #} +{% if route6 is vyos_defined %} +{% for prefix, prefix_config in route6.items() %} +{{ static_routes(ipv6_prefix, prefix, prefix_config) }} +{% endfor %} +{% endif %} +{% if vrf is vyos_defined %} +exit-vrf +{% endif %} +! +{# Policy route tables #} +{% if table is vyos_defined %} +{% for table_id, table_config in table.items() %} +{% if table_config.route is vyos_defined %} +{% for prefix, prefix_config in table_config.route.items() %} +{{ static_routes('ip', prefix, prefix_config, table_id) }} +{% endfor %} +{% endif %} +! +{% if table_config.route6 is vyos_defined %} +{% for prefix, prefix_config in table_config.route6.items() %} +{{ static_routes('ipv6', prefix, prefix_config, table_id) }} +{% endfor %} +{% endif %} +! +{% endfor %} +{% endif %} +! +{% if route_map is vyos_defined %} +ip protocol static route-map {{ route_map }} +! +{% endif %} diff --git a/data/templates/frr/zebra.route-map.frr.j2 b/data/templates/frr/zebra.route-map.frr.j2 new file mode 100644 index 0000000..669d583 --- /dev/null +++ b/data/templates/frr/zebra.route-map.frr.j2 @@ -0,0 +1,14 @@ +! +{% if nht.no_resolve_via_default is vyos_defined %} +no {{ afi }} nht resolve-via-default +{% endif %} +! +{% if protocol is vyos_defined %} +{% for protocol_name, protocol_config in protocol.items() %} +{% if protocol_name is vyos_defined('ospfv3') %} +{% set protocol_name = 'ospf6' %} +{% endif %} +{{ afi }} protocol {{ protocol_name }} route-map {{ protocol_config.route_map }} +{% endfor %} +{% endif %} +! diff --git a/data/templates/frr/zebra.segment_routing.frr.j2 b/data/templates/frr/zebra.segment_routing.frr.j2 new file mode 100644 index 0000000..7b12fcd --- /dev/null +++ b/data/templates/frr/zebra.segment_routing.frr.j2 @@ -0,0 +1,23 @@ +! +{% if srv6.locator is vyos_defined %} +segment-routing + srv6 + locators +{% for locator, locator_config in srv6.locator.items() %} + locator {{ locator }} +{% if locator_config.prefix is vyos_defined %} + prefix {{ locator_config.prefix }} block-len {{ locator_config.block_len }} node-len {{ locator_config.node_len }} func-bits {{ locator_config.func_bits }} +{% endif %} +{% if locator_config.behavior_usid is vyos_defined %} + behavior usid +{% endif %} + exit + ! +{% endfor %} + exit + ! +exit +! +exit +! +{% endif %} diff --git a/data/templates/frr/zebra.vrf.route-map.frr.j2 b/data/templates/frr/zebra.vrf.route-map.frr.j2 new file mode 100644 index 0000000..8ebb825 --- /dev/null +++ b/data/templates/frr/zebra.vrf.route-map.frr.j2 @@ -0,0 +1,30 @@ +! +{% if name is vyos_defined %} +{% for vrf, vrf_config in name.items() %} +vrf {{ vrf }} +{% if vrf_config.ip.nht.no_resolve_via_default is vyos_defined %} + no ip nht resolve-via-default +{% endif %} +{% if vrf_config.ipv6.nht.no_resolve_via_default is vyos_defined %} + no ipv6 nht resolve-via-default +{% endif %} +{% if vrf_config.ip.protocol is vyos_defined %} +{% for protocol_name, protocol_config in vrf_config.ip.protocol.items() %} + ip protocol {{ protocol_name }} route-map {{ protocol_config.route_map }} +{% endfor %} +{% endif %} +{% if vrf_config.ipv6.protocol is vyos_defined %} +{% for protocol_name, protocol_config in vrf_config.ipv6.protocol.items() %} +{% if protocol_name is vyos_defined('ospfv3') %} +{% set protocol_name = 'ospf6' %} +{% endif %} + ipv6 protocol {{ protocol_name }} route-map {{ protocol_config.route_map }} +{% endfor %} +{% endif %} +{% if vrf_config.vni is vyos_defined %} + vni {{ vrf_config.vni }} +{% endif %} +exit-vrf +{% endfor %} +! +{% endif %} diff --git a/data/templates/getty/serial-getty.service.j2 b/data/templates/getty/serial-getty.service.j2 new file mode 100644 index 0000000..0183eae --- /dev/null +++ b/data/templates/getty/serial-getty.service.j2 @@ -0,0 +1,37 @@ +[Unit] +Description=Serial Getty on %I +Documentation=man:agetty(8) man:systemd-getty-generator(8) +Documentation=http://0pointer.de/blog/projects/serial-console.html +BindsTo=dev-%i.device +After=dev-%i.device systemd-user-sessions.service plymouth-quit-wait.service getty-pre.target +After=vyos-router.service + +# If additional gettys are spawned during boot then we should make +# sure that this is synchronized before getty.target, even though +# getty.target didn't actually pull it in. +Before=getty.target +IgnoreOnIsolate=yes + +# IgnoreOnIsolate causes issues with sulogin, if someone isolates +# rescue.target or starts rescue.service from multi-user.target or +# graphical.target. +Conflicts=rescue.service +Before=rescue.service + +[Service] +# The '-o' option value tells agetty to replace 'login' arguments with an +# option to preserve environment (-p), followed by '--' for safety, and then +# the entered username. +ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud {{ speed }} %I $TERM +Type=idle +Restart=always +UtmpIdentifier=%I +TTYPath=/dev/%I +TTYReset=yes +TTYVHangup=yes +KillMode=process +IgnoreSIGPIPE=no +SendSIGHUP=yes + +[Install] +WantedBy=getty.target diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2 new file mode 100644 index 0000000..5e9b95c --- /dev/null +++ b/data/templates/grub/grub_common.j2 @@ -0,0 +1,27 @@ +# load EFI video modules +if [ "${grub_platform}" == "efi" ]; then + insmod efi_gop + insmod efi_uga +fi + +# create and activate serial console +function setup_serial { + # initialize the first serial port by default + if [ "${console_type}" == "ttyS" ]; then + if [ "${console_num}" == "0" ]; then + serial --unit=0 --speed=${console_speed} + else + serial --unit=${console_num} --speed=115200 + fi + else + serial --unit=0 --speed=${console_speed} + fi + terminal_output --append serial console + terminal_input --append serial console +} + +setup_serial + +{% if search_root %} +{{ search_root }} +{% endif %} diff --git a/data/templates/grub/grub_compat.j2 b/data/templates/grub/grub_compat.j2 new file mode 100644 index 0000000..8fb4f71 --- /dev/null +++ b/data/templates/grub/grub_compat.j2 @@ -0,0 +1,63 @@ +{# j2lint: disable=S6 #} +### Generated by VyOS image-tools v.{{ tools_version }} ### +{% macro menu_name(mode) -%} +{% if mode == 'normal' -%} + VyOS +{%- elif mode == 'pw_reset' -%} + Lost password change +{%- else -%} + Unknown +{%- endif %} +{%- endmacro %} +{% macro console_name(type) -%} +{% if type == 'tty' -%} + KVM +{%- elif type == 'ttyS' -%} + Serial +{%- else -%} + Unknown +{%- endif %} +{%- endmacro %} +{% macro console_opts(type) -%} +{% if type == 'tty' -%} + console=ttyS0,{{ console_speed }} console=tty0 +{%- elif type == 'ttyS' -%} + console=tty0 console=ttyS0,{{ console_speed }} +{%- else -%} + console=tty0 console=ttyS0,{{ console_speed }} +{%- endif %} +{%- endmacro %} +{% macro passwd_opts(mode) -%} +{% if mode == 'pw_reset' -%} + init=/opt/vyatta/sbin/standalone_root_pw_reset +{%- endif %} +{%- endmacro %} +set default={{ default }} +set timeout={{ timeout }} +{% if console_type == 'ttyS' %} +{% if console_num == '0' %} +serial --unit=0 --speed={{ console_speed }} +{% else %} +serial --unit={{ console_num }} --speed=115200 +{% endif %} +{% else %} +serial --unit=0 --speed={{ console_speed }} +{% endif %} +terminal_output --append serial +terminal_input serial console +{% for mod in modules %} +insmod {{ mod }} +{% endfor %} +{% if root %} +set root={{ root }} +{% endif %} +{% if search_root %} +{{ search_root }} +{% endif %} + +{% for v in versions %} +menuentry "{{ menu_name(v.bootmode) }} {{ v.version }} ({{ console_name(v.console_type) }} console)" { + linux /boot/{{ v.version }}/vmlinuz {{ v.boot_opts }} {{ console_opts(v.console_type) }} {{ passwd_opts(v.bootmode) }} + initrd /boot/{{ v.version }}/initrd.img +} +{% endfor %} diff --git a/data/templates/grub/grub_main.j2 b/data/templates/grub/grub_main.j2 new file mode 100644 index 0000000..0c7ea02 --- /dev/null +++ b/data/templates/grub/grub_main.j2 @@ -0,0 +1,7 @@ +load_env +insmod regexp + +for cfgfile in ${prefix}/grub.cfg.d/*-autoload.cfg +do + source ${cfgfile} +done diff --git a/data/templates/grub/grub_menu.j2 b/data/templates/grub/grub_menu.j2 new file mode 100644 index 0000000..e73005f --- /dev/null +++ b/data/templates/grub/grub_menu.j2 @@ -0,0 +1,5 @@ +for cfgfile in ${config_directory}/vyos-versions/*.cfg +do + source "${cfgfile}" +done +source ${config_directory}/50-vyos-options.cfg diff --git a/data/templates/grub/grub_modules.j2 b/data/templates/grub/grub_modules.j2 new file mode 100644 index 0000000..24b540c --- /dev/null +++ b/data/templates/grub/grub_modules.j2 @@ -0,0 +1,3 @@ +{% for mod_name in mods_list %} +insmod {{ mod_name | e }} +{% endfor %} diff --git a/data/templates/grub/grub_options.j2 b/data/templates/grub/grub_options.j2 new file mode 100644 index 0000000..a00bf4e --- /dev/null +++ b/data/templates/grub/grub_options.j2 @@ -0,0 +1,46 @@ +submenu "Boot options" { + submenu "Select boot mode" { + menuentry "Normal" { + set bootmode="normal" + export bootmode + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "Password reset" { + set bootmode="pw_reset" + export bootmode + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "System recovery" { + set bootmode="recovery" + export bootmode + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "Load the whole root filesystem to RAM" { + set boot_toram="yes" + export boot_toram + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + } + submenu "Select console type" { + menuentry "tty (graphical)" { + set console_type="tty" + export console_type + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "ttyS (serial)" { + set console_type="ttyS" + export console_type + setup_serial + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + } + menuentry "Enter console number" { + read console_num + export console_num + setup_serial + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "Current: boot mode: ${bootmode}, console: ${console_type}${console_num}" { + echo + } +} diff --git a/data/templates/grub/grub_vars.j2 b/data/templates/grub/grub_vars.j2 new file mode 100644 index 0000000..e0002e8 --- /dev/null +++ b/data/templates/grub/grub_vars.j2 @@ -0,0 +1,4 @@ +{% for var_name, var_value in vars.items() %} +set {{ var_name | e }}="{{ var_value | e }}" +export {{ var_name | e }} +{% endfor %} diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2 new file mode 100644 index 0000000..de85f14 --- /dev/null +++ b/data/templates/grub/grub_vyos_version.j2 @@ -0,0 +1,32 @@ +{% if boot_opts_config is vyos_defined %} +{% if boot_opts_config %} +{% set boot_opts_rendered = boot_opts_default + " " + boot_opts_config %} +{% else %} +{% set boot_opts_rendered = boot_opts_default %} +{% endif %} +{% elif boot_opts != '' %} +{% set boot_opts_rendered = boot_opts %} +{% else %} +{% set boot_opts_rendered = boot_opts_default %} +{% endif %} +menuentry "{{ version_name }}" --id {{ version_uuid }} { + set boot_opts="{{ boot_opts_rendered }}" + if [ "${console_type}" == "ttyS" ]; then + set console_opts="console=${console_type}${console_num},${console_speed}" + else + set console_opts="console=${console_type}${console_num}" + fi + # load rootfs to RAM + if [ "${boot_toram}" == "yes" ]; then + set boot_opts="${boot_opts} toram" + fi + if [ "${bootmode}" == "pw_reset" ]; then + set boot_opts="${boot_opts} ${console_opts} init=/usr/libexec/vyos/system/standalone_root_pw_reset" + elif [ "${bootmode}" == "recovery" ]; then + set boot_opts="${boot_opts} ${console_opts} init=/usr/bin/busybox init" + else + set boot_opts="${boot_opts} ${console_opts}" + fi + linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts} + initrd "/boot/{{ version_name }}/initrd.img" +} diff --git a/data/templates/high-availability/10-override.conf.j2 b/data/templates/high-availability/10-override.conf.j2 new file mode 100644 index 0000000..c153f09 --- /dev/null +++ b/data/templates/high-availability/10-override.conf.j2 @@ -0,0 +1,16 @@ +### Autogenerated by ${vyos_conf_scripts_dir}/high-availability.py ### +{% set snmp = '--snmp' if vrrp.snmp is vyos_defined else '' %} +[Unit] +After=vyos-router.service +# Only start if there is our configuration file - remove Debian default +# config file from the condition list +ConditionFileNotEmpty= +ConditionFileNotEmpty=/run/keepalived/keepalived.conf + +[Service] +KillMode=process +Type=simple +# Read configuration variable file if it is present +ExecStart= +ExecStart=/usr/sbin/keepalived --use-file /run/keepalived/keepalived.conf --pid /run/keepalived/keepalived.pid --dont-fork {{ snmp }} +PIDFile=/run/keepalived/keepalived.pid diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2 new file mode 100644 index 0000000..c0d66ae --- /dev/null +++ b/data/templates/high-availability/keepalived.conf.j2 @@ -0,0 +1,243 @@ +# Autogenerated by VyOS +# Do not edit this file, all your changes will be lost +# on next commit or reboot + +# Global definitions configuration block +global_defs { + dynamic_interfaces + script_user root +{% if vrrp.global_parameters.startup_delay is vyos_defined %} + vrrp_startup_delay {{ vrrp.global_parameters.startup_delay }} +{% endif %} +{% if vrrp.global_parameters.garp is vyos_defined %} +{% if vrrp.global_parameters.garp.interval is vyos_defined %} + vrrp_garp_interval {{ vrrp.global_parameters.garp.interval }} +{% endif %} +{% if vrrp.global_parameters.garp.master_delay is vyos_defined %} + vrrp_garp_master_delay {{ vrrp.global_parameters.garp.master_delay }} +{% endif %} +{% if vrrp.global_parameters.garp.master_refresh is vyos_defined %} + vrrp_garp_master_refresh {{ vrrp.global_parameters.garp.master_refresh }} +{% endif %} +{% if vrrp.global_parameters.garp.master_refresh_repeat is vyos_defined %} + vrrp_garp_master_refresh_repeat {{ vrrp.global_parameters.garp.master_refresh_repeat }} +{% endif %} +{% if vrrp.global_parameters.garp.master_repeat is vyos_defined %} + vrrp_garp_master_repeat {{ vrrp.global_parameters.garp.master_repeat }} +{% endif %} +{% endif %} +{% if vrrp.global_parameters.version is vyos_defined %} + vrrp_version {{ vrrp.global_parameters.version }} +{% endif %} + notify_fifo /run/keepalived/keepalived_notify_fifo + notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py +} + +{# Sync group has own health-check scripts T6020 #} +{% if vrrp.sync_group is vyos_defined %} +{% for name, sync_group_config in vrrp.sync_group.items() if sync_group_config.disable is not vyos_defined %} +{% if sync_group_config.health_check is vyos_defined %} +vrrp_script healthcheck_sg_{{ name }} { +{% if sync_group_config.health_check.script is vyos_defined %} + script "{{ sync_group_config.health_check.script }}" +{% elif sync_group_config.health_check.ping is vyos_defined %} + script "/usr/bin/ping -c1 {{ sync_group_config.health_check.ping }}" +{% endif %} + interval {{ sync_group_config.health_check.interval }} + fall {{ sync_group_config.health_check.failure_count }} + rise 1 +} +{% endif %} +{% endfor %} +{% endif %} + +{% if vrrp.group is vyos_defined %} +{% for name, group_config in vrrp.group.items() if group_config.disable is not vyos_defined %} +{% if group_config.health_check is vyos_defined %} +vrrp_script healthcheck_{{ name }} { +{% if group_config.health_check.script is vyos_defined %} + script "{{ group_config.health_check.script }}" +{% elif group_config.health_check.ping is vyos_defined %} + script "/usr/bin/ping -c1 {{ group_config.health_check.ping }}" +{% endif %} + interval {{ group_config.health_check.interval }} + fall {{ group_config.health_check.failure_count }} + rise 1 +} +{% endif %} +vrrp_instance {{ name }} { +{% if group_config.description is vyos_defined %} + # {{ group_config.description }} +{% endif %} + state BACKUP + interface {{ group_config.interface }} + virtual_router_id {{ group_config.vrid }} + priority {{ group_config.priority }} + advert_int {{ group_config.advertise_interval }} +{% if group_config.garp is vyos_defined %} +{% if group_config.garp.interval is vyos_defined %} + garp_interval {{ group_config.garp.interval }} +{% endif %} +{% if group_config.garp.master_delay is vyos_defined %} + garp_master_delay {{ group_config.garp.master_delay }} +{% endif %} +{% if group_config.garp.master_repeat is vyos_defined %} + garp_master_repeat {{ group_config.garp.master_repeat }} +{% endif %} +{% if group_config.garp.master_refresh is vyos_defined %} + garp_master_refresh {{ group_config.garp.master_refresh }} +{% endif %} +{% if group_config.garp.master_refresh_repeat is vyos_defined %} + garp_master_refresh_repeat {{ group_config.garp.master_refresh_repeat }} +{% endif %} +{% endif %} +{% if group_config.track.exclude_vrrp_interface is vyos_defined %} + dont_track_primary +{% endif %} +{% if group_config.no_preempt is not vyos_defined and group_config.preempt_delay is vyos_defined %} + preempt_delay {{ group_config.preempt_delay }} +{% elif group_config.no_preempt is vyos_defined %} + nopreempt +{% endif %} +{% if group_config.peer_address is vyos_defined %} + unicast_peer { +{% for peer_address in group_config.peer_address %} + {{ peer_address }} +{% endfor %} + } +{% endif %} +{% if group_config.hello_source_address is vyos_defined %} +{% if group_config.peer_address is vyos_defined %} + unicast_src_ip {{ group_config.hello_source_address }} +{% else %} + mcast_src_ip {{ group_config.hello_source_address }} +{% endif %} +{% endif %} +{% if group_config.rfc3768_compatibility is vyos_defined and group_config.peer_address is vyos_defined %} + use_vmac {{ group_config.interface }}v{{ group_config.vrid }}v{{ '4' if group_config['address'] | first | is_ipv4 else '6' }} + vmac_xmit_base +{% elif group_config.rfc3768_compatibility is vyos_defined %} + use_vmac {{ group_config.interface }}v{{ group_config.vrid }}v{{ '4' if group_config['address'] | first | is_ipv4 else '6' }} +{% endif %} +{% if group_config.authentication is vyos_defined %} + authentication { + auth_pass "{{ group_config.authentication.password }}" +{% if group_config.authentication.type is vyos_defined('plaintext-password') %} + auth_type PASS +{% else %} + auth_type {{ group_config.authentication.type | upper }} +{% endif %} + } +{% endif %} +{% if group_config.address is vyos_defined %} + virtual_ipaddress { +{% for addr, addr_config in group_config.address.items() %} + {{ addr }}{{ ' dev ' + addr_config.interface if addr_config.interface is vyos_defined }} +{% endfor %} + } +{% endif %} +{% if group_config.excluded_address is vyos_defined %} + virtual_ipaddress_excluded { +{% for addr, addr_config in group_config.excluded_address.items() %} + {{ addr }}{{ ' dev ' + addr_config.interface if addr_config.interface is vyos_defined }} +{% endfor %} + } +{% endif %} +{% if group_config.track.interface is vyos_defined %} + track_interface { +{% for interface in group_config.track.interface %} + {{ interface }} +{% endfor %} + } +{% endif %} +{# Sync group member can't use own health check script #} +{% if group_config.health_check is vyos_defined and group_config._is_sync_group_member is not vyos_defined %} + track_script { + healthcheck_{{ name }} + } +{% endif %} +} +{% endfor %} +{% endif %} + +{% if vrrp.sync_group is vyos_defined %} +{% for name, sync_group_config in vrrp.sync_group.items() if sync_group_config.disable is not vyos_defined %} +vrrp_sync_group {{ name }} { + group { +{% if sync_group_config.member is vyos_defined %} +{% for member in sync_group_config.member %} + {{ member }} +{% endfor %} +{% endif %} + } + +{% if sync_group_config.health_check is vyos_defined %} + track_script { + healthcheck_sg_{{ name }} + } +{% endif %} + +{% if conntrack_sync_group is vyos_defined(name) %} +{% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %} + notify_master "{{ vyos_helper }} master {{ name }}" + notify_backup "{{ vyos_helper }} backup {{ name }}" + notify_fault "{{ vyos_helper }} fault {{ name }}" +{% endif %} +} +{% endfor %} +{% endif %} + +{% if virtual_server is vyos_defined %} +# Virtual-server configuration +{% for vserver, vserver_config in virtual_server.items() %} +# Vserver {{ vserver }} +{% if vserver_config.port is vyos_defined %} +virtual_server {{ vserver_config.address }} {{ vserver_config.port }} { +{% else %} +virtual_server fwmark {{ vserver_config.fwmark }} { +{% endif %} + delay_loop {{ vserver_config.delay_loop }} +{% if vserver_config.algorithm is vyos_defined('round-robin') %} + lb_algo rr +{% elif vserver_config.algorithm is vyos_defined('weighted-round-robin') %} + lb_algo wrr +{% elif vserver_config.algorithm is vyos_defined('least-connection') %} + lb_algo lc +{% elif vserver_config.algorithm is vyos_defined('weighted-least-connection') %} + lb_algo wlc +{% elif vserver_config.algorithm is vyos_defined('source-hashing') %} + lb_algo sh +{% elif vserver_config.algorithm is vyos_defined('destination-hashing') %} + lb_algo dh +{% elif vserver_config.algorithm is vyos_defined('locality-based-least-connection') %} + lb_algo lblc +{% endif %} +{% if vserver_config.forward_method is vyos_defined('nat') %} + lb_kind NAT +{% elif vserver_config.forward_method is vyos_defined('direct') %} + lb_kind DR +{% elif vserver_config.forward_method is vyos_defined('tunnel') %} + lb_kind TUN +{% endif %} + persistence_timeout {{ vserver_config.persistence_timeout }} + protocol {{ vserver_config.protocol | upper }} +{% if vserver_config.real_server is vyos_defined %} +{% for rserver, rserver_config in vserver_config.real_server.items() %} + real_server {{ rserver }} {{ rserver_config.port }} { + weight 1 +{% if rserver_config.health_check.script is vyos_defined %} + MISC_CHECK { + misc_path {{ rserver_config.health_check.script }} +{% else %} + {{ vserver_config.protocol | upper }}_CHECK { +{% if rserver_config.connection_timeout is vyos_defined %} + connect_timeout {{ rserver_config.connection_timeout }} +{% endif %} +{% endif %} + } + } +{% endfor %} +{% endif %} +} +{% endfor %} +{% endif %} diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 new file mode 100644 index 0000000..4619361 --- /dev/null +++ b/data/templates/https/nginx.default.j2 @@ -0,0 +1,69 @@ +### Autogenerated by service_https.py ### + +{% if enable_http_redirect is vyos_defined %} +server { + listen 80 default_server; + server_name {{ hostname }}; + return 301 https://$host$request_uri; +} +{% endif %} + +server { +{% if listen_address is vyos_defined %} +{% for address in listen_address %} + listen {{ address | bracketize_ipv6 }}:{{ port }} ssl; +{% endfor %} +{% else %} + listen {{ port }} ssl; + listen [::]:{{ port }} ssl; +{% endif %} + + server_name {{ hostname }}; + root /srv/localui; + +{% if request_body_size_limit is vyos_defined %} + client_max_body_size {{ request_body_size_limit }}M; +{% endif %} + + # SSL configuration +{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %} + ssl_certificate {{ certificates.cert_path }}; + ssl_certificate_key {{ certificates.key_path }}; +{% if certificates.dh_file is vyos_defined %} + ssl_dhparam {{ certificates.dh_file }}; +{% endif %} +{% else %} + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + include snippets/snakeoil.conf; +{% endif %} + + # Improve HTTPS performance with session resumption + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }}; + + # From LetsEncrypt + ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; + + # proxy settings for HTTP API, if enabled; 503, if not + location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) { +{% if api is vyos_defined %} + proxy_pass http://unix:/run/api.sock; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 600; + proxy_buffering off; +{% else %} + return 503; +{% endif %} +{% if allow_client.address is vyos_defined %} +{% for address in allow_client.address %} + allow {{ address }}; +{% endfor %} + deny all; +{% endif %} + } + error_page 497 =301 https://$host:{{ port }}$request_uri; +} diff --git a/data/templates/https/override.conf.j2 b/data/templates/https/override.conf.j2 new file mode 100644 index 0000000..c2c191b --- /dev/null +++ b/data/templates/https/override.conf.j2 @@ -0,0 +1,15 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + +[Service] +ExecStartPre= +ExecStartPre={{ vrf_command }}/usr/sbin/nginx -t -q -g 'daemon on; master_process on;' +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/nginx -g 'daemon on; master_process on;' +ExecReload= +ExecReload={{ vrf_command }}/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload +Restart=always +RestartPreventExitStatus= +RestartSec=10 diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2 new file mode 100644 index 0000000..aa4da76 --- /dev/null +++ b/data/templates/https/vyos-http-api.service.j2 @@ -0,0 +1,23 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +Description=VyOS HTTP API service +After=vyos-router.service +Requires=vyos-router.service +ConditionPathExists={{ api_config_state }} + +[Service] +ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server +ExecReload=kill -HUP $MAINPID +Type=idle + +SyslogIdentifier=vyos-http-api +SyslogFacility=daemon + +Restart=on-failure + +# Does't work but leave it here +User=root +Group=vyattacfg + +[Install] +WantedBy=vyos.target diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2 new file mode 100644 index 0000000..f6f03d0 --- /dev/null +++ b/data/templates/ids/fastnetmon.j2 @@ -0,0 +1,121 @@ +# enable this option if you want to send logs to local syslog facility +logging:logging_level = debug +logging:local_syslog_logging = on + +# list of all your networks in CIDR format +networks_list_path = /run/fastnetmon/networks_list + +# list networks in CIDR format which will be not monitored for attacks +white_list_path = /run/fastnetmon/excluded_networks_list + +# Enable/Disable any actions in case of attack +enable_ban = on +enable_ban_ipv6 = on + +## How many packets will be collected from attack traffic +ban_details_records_count = 500 + +## How long (in seconds) we should keep an IP in blocked state +## If you set 0 here it completely disables unban capability +{% if ban_time is vyos_defined %} +ban_time = {{ ban_time }} +{% endif %} + +# Check if the attack is still active, before triggering an unban callback with this option +# If the attack is still active, check each run of the unban watchdog +unban_only_if_attack_finished = on + +# enable per subnet speed meters +# For each subnet, list track speed in bps and pps for both directions +enable_subnet_counters = off + +{% if mode is vyos_defined('mirror') %} +mirror_afpacket = on +{% elif mode is vyos_defined('sflow') %} +sflow = on +{% if sflow.port is vyos_defined %} +sflow_port = {{ sflow.port }} +{% endif %} +{% if sflow.listen_address is vyos_defined %} +sflow_host = {{ sflow.listen_address }} +{% endif %} +{% endif %} + + +process_incoming_traffic = {{ 'on' if direction is vyos_defined and 'in' in direction else 'off' }} +process_outgoing_traffic = {{ 'on' if direction is vyos_defined and 'out' in direction else 'off' }} + +{% if threshold is vyos_defined %} +{% if threshold.general is vyos_defined %} +# General threshold +{% for thr, thr_value in threshold.general.items() %} +{% if thr is vyos_defined('fps') %} +ban_for_flows = on +threshold_flows = {{ thr_value }} +{% elif thr is vyos_defined('mbps') %} +ban_for_bandwidth = on +threshold_mbps = {{ thr_value }} +{% elif thr is vyos_defined('pps') %} +ban_for_pps = on +threshold_pps = {{ thr_value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if threshold.tcp is vyos_defined %} +# TCP threshold +{% for thr, thr_value in threshold.tcp.items() %} +{% if thr is vyos_defined('fps') %} +ban_for_tcp_flows = on +threshold_tcp_flows = {{ thr_value }} +{% elif thr is vyos_defined('mbps') %} +ban_for_tcp_bandwidth = on +threshold_tcp_mbps = {{ thr_value }} +{% elif thr is vyos_defined('pps') %} +ban_for_tcp_pps = on +threshold_tcp_pps = {{ thr_value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if threshold.udp is vyos_defined %} +# UDP threshold +{% for thr, thr_value in threshold.udp.items() %} +{% if thr is vyos_defined('fps') %} +ban_for_udp_flows = on +threshold_udp_flows = {{ thr_value }} +{% elif thr is vyos_defined('mbps') %} +ban_for_udp_bandwidth = on +threshold_udp_mbps = {{ thr_value }} +{% elif thr is vyos_defined('pps') %} +ban_for_udp_pps = on +threshold_udp_pps = {{ thr_value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if threshold.icmp is vyos_defined %} +# ICMP threshold +{% for thr, thr_value in threshold.icmp.items() %} +{% if thr is vyos_defined('fps') %} +ban_for_icmp_flows = on +threshold_icmp_flows = {{ thr_value }} +{% elif thr is vyos_defined('mbps') %} +ban_for_icmp_bandwidth = on +threshold_icmp_mbps = {{ thr_value }} +{% elif thr is vyos_defined('pps') %} +ban_for_icmp_pps = on +threshold_icmp_pps = {{ thr_value }} +{% endif %} +{% endfor %} +{% endif %} + +{% endif %} + +{% if listen_interface is vyos_defined %} +interfaces = {{ listen_interface | join(',') }} +{% endif %} + +{% if alert_script is vyos_defined %} +notify_script_path = {{ alert_script }} +{% endif %} diff --git a/data/templates/ids/fastnetmon_excluded_networks_list.j2 b/data/templates/ids/fastnetmon_excluded_networks_list.j2 new file mode 100644 index 0000000..c88a1c5 --- /dev/null +++ b/data/templates/ids/fastnetmon_excluded_networks_list.j2 @@ -0,0 +1,5 @@ +{% if excluded_network is vyos_defined %} +{% for net in excluded_network %} +{{ net }} +{% endfor %} +{% endif %} diff --git a/data/templates/ids/fastnetmon_networks_list.j2 b/data/templates/ids/fastnetmon_networks_list.j2 new file mode 100644 index 0000000..0a0576d --- /dev/null +++ b/data/templates/ids/fastnetmon_networks_list.j2 @@ -0,0 +1,5 @@ +{% if network is vyos_defined %} +{% for net in network %} +{{ net }} +{% endfor %} +{% endif %} diff --git a/data/templates/igmp-proxy/igmpproxy.conf.j2 b/data/templates/igmp-proxy/igmpproxy.conf.j2 new file mode 100644 index 0000000..85a04de --- /dev/null +++ b/data/templates/igmp-proxy/igmpproxy.conf.j2 @@ -0,0 +1,40 @@ +######################################################## +# +# autogenerated by protocols_igmp-proxy.py +# +# The configuration file must define one upstream interface, and one or more +# downstream interfaces. +# +# If multicast traffic originates outside the upstream subnet, the "altnet" +# option can be used in order to define legal multicast sources. +# +# The "quickleave" should be used to avoid saturation of the upstream link. The +# option should only be used if it's absolutely nessecary to accurately imitate +# just one Client. +# +######################################################## + +{% if disable_quickleave is not vyos_defined %} +quickleave +{% endif %} +{% if interface is vyos_defined %} +{% for iface, config in interface.items() %} + +# Configuration for {{ iface }} ({{ config.role }} interface) +{% if config.role is vyos_defined('disabled') %} +phyint {{ iface }} disabled +{% else %} +phyint {{ iface }} {{ config.role }} ratelimit 0 threshold {{ config.threshold }} +{% endif %} +{% if config.alt_subnet is vyos_defined %} +{% for subnet in config.alt_subnet %} + altnet {{ subnet }} +{% endfor %} +{% endif %} +{% if config.whitelist is vyos_defined %} +{% for subnet in config.whitelist %} + whitelist {{ subnet }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/iproute2/static.conf.j2 b/data/templates/iproute2/static.conf.j2 new file mode 100644 index 0000000..249483a --- /dev/null +++ b/data/templates/iproute2/static.conf.j2 @@ -0,0 +1,8 @@ +# Generated by VyOS (protocols_static.py), do not edit by hand +{% if table is vyos_defined %} +{% for t, t_options in table.items() %} +{% if t_options.description is vyos_defined %} +{{ "%-6s" | format(t) }} {{ "%-40s" | format(t_options.description | replace(" ", "_")) }} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/iproute2/vrf.conf.j2 b/data/templates/iproute2/vrf.conf.j2 new file mode 100644 index 0000000..d31d235 --- /dev/null +++ b/data/templates/iproute2/vrf.conf.j2 @@ -0,0 +1,9 @@ +### Autogenerated by vrf.py ### +# +# Routing table ID to name mapping reference +# id vrf name comment +{% if name is vyos_defined %} +{% for vrf, vrf_config in name.items() %} +{{ "%-10s" | format(vrf_config.table) }} {{ "%-16s" | format(vrf) }} {{ '# ' ~ vrf_config.description if vrf_config.description is vyos_defined }} +{% endfor %} +{% endif %} diff --git a/data/templates/ipsec/charon.j2 b/data/templates/ipsec/charon.j2 new file mode 100644 index 0000000..388559a --- /dev/null +++ b/data/templates/ipsec/charon.j2 @@ -0,0 +1,352 @@ +# Options for the charon IKE daemon. +charon { + # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + # accept_unencrypted_mainmode_messages = no + + # Maximum number of half-open IKE_SAs for a single peer IP. + # block_threshold = 5 + + # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should + # be saved under a unique file name derived from the public key of the + # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # /etc/swanctl/x509crl (vici), respectively. + # cache_crls = no + + # Whether relations in validated certificate chains should be cached in + # memory. + # cert_cache = yes + + # Send Cisco Unity vendor ID payload (IKEv1 only). + # cisco_unity = no + + # Cisco FlexVPN +{% if options is vyos_defined %} + cisco_flexvpn = {{ 'yes' if options.flexvpn is vyos_defined else 'no' }} +{% if options.virtual_ip is vyos_defined %} + install_virtual_ip = yes +{% endif %} +{% if options.interface is vyos_defined %} + install_virtual_ip_on = {{ options.interface }} +{% endif %} +{% endif %} + + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + # close_ike_on_child_failure = no + + # Number of half-open IKE_SAs that activate the cookie mechanism. + # cookie_threshold = 10 + + # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + # delete_rekeyed = no + + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + # strength. + # dh_exponent_ansi_x9_42 = yes + + # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal + # missing symbols immediately. + # dlopen_use_rtld_now = no + + # DNS server assigned to peer via configuration payload (CP). + # dns1 = + + # DNS server assigned to peer via configuration payload (CP). + # dns2 = + + # Enable Denial of Service protection using cookies and aggressiveness + # checks. + # dos_protection = yes + + # Compliance with the errata for RFC 4753. + # ecp_x_coordinate_only = yes + + # Free objects during authentication (might conflict with plugins). + # flush_auth_cfg = no + + # Whether to follow IKEv2 redirects (RFC 5685). + # follow_redirects = yes + + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment + # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults + # to 1280 (use 0 for address family specific default values, which uses a + # lower value for IPv4). If specified this limit is used for both IPv4 and + # IPv6. + # fragment_size = 1280 + + # Name of the group the daemon changes to after startup. + # group = + + # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + # half_open_timeout = 30 + + # Enable hash and URL support. + # hash_and_url = no + + # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + # i_dont_care_about_security_and_use_aggressive_mode_psk = no + + # Whether to ignore the traffic selectors from the kernel's acquire events + # for IKEv2 connections (they are not used for IKEv1). + # ignore_acquire_ts = no + + # A space-separated list of routing tables to be excluded from route + # lookups. + # ignore_routing_tables = + + # Maximum number of IKE_SAs that can be established at the same time before + # new connection attempts are blocked. + # ikesa_limit = 0 + + # Number of exclusively locked segments in the hash table. + # ikesa_table_segments = 1 + + # Size of the IKE_SA hash table. + # ikesa_table_size = 1 + + # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + # inactivity_close_ike = no + + # Limit new connections based on the current number of half open IKE_SAs, + # see IKE_SA_INIT DROPPING in strongswan.conf(5). + # init_limit_half_open = 0 + + # Limit new connections based on the number of queued jobs. + # init_limit_job_load = 0 + + # Causes charon daemon to ignore IKE initiation requests. + # initiator_only = no + + # Install routes into a separate routing table for established IPsec + # tunnels. + install_routes = {{ install_routes }} + + # Install virtual IP addresses. + # install_virtual_ip = yes + + # The name of the interface on which virtual IP addresses should be + # installed. + # install_virtual_ip_on = + + # Check daemon, libstrongswan and plugin integrity at startup. + # integrity_test = no + + # A comma-separated list of network interfaces that should be ignored, if + # interfaces_use is specified this option has no effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces that should be used by + # charon. All other interfaces are ignored. + # interfaces_use = + + # NAT keep alive interval. + # keep_alive = 20s + + # Plugins to load in the IKE daemon charon. + # load = + + # Determine plugins to load via each plugin's load option. + # load_modular = no + + # Initiate IKEv2 reauthentication with a make-before-break scheme. + # make_before_break = no + + # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about + # and track concurrently. + # max_ikev1_exchanges = 3 + + # Maximum packet size accepted by charon. + # max_packet = 10000 + + # Enable multiple authentication exchanges (RFC 4739). + # multiple_authentication = yes + + # WINS servers assigned to peer via configuration payload (CP). + # nbns1 = + + # WINS servers assigned to peer via configuration payload (CP). + # nbns2 = + + # UDP port used locally. If set to 0 a random port will be allocated. + # port = 500 + + # UDP port used locally in case of NAT-T. If set to 0 a random port will be + # allocated. Has to be different from charon.port, otherwise a random port + # will be allocated. + # port_nat_t = 4500 + + # Prefer locally configured proposals for IKE/IPsec over supplied ones as + # responder (disabling this can avoid keying retries due to + # INVALID_KE_PAYLOAD notifies). + # prefer_configured_proposals = yes + + # By default public IPv6 addresses are preferred over temporary ones (RFC + # 4941), to make connections more stable. Enable this option to reverse + # this. + # prefer_temporary_addrs = no + + # Process RTM_NEWROUTE and RTM_DELROUTE events. + # process_route = yes + + # Delay in ms for receiving packets, to simulate larger RTT. + # receive_delay = 0 + + # Delay request messages. + # receive_delay_request = yes + + # Delay response messages. + # receive_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # receive_delay_type = 0 + + # Size of the AH/ESP replay window, in packets. + # replay_window = 32 + + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + # in strongswan.conf(5). + # retransmit_base = 1.8 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 4.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 5 + + # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if + # DNS resolution failed), 0 to disable retries. + # retry_initiate_interval = 0 + + # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). + # reuse_ikesa = yes + + # Numerical routing table to install routes to. + # routing_table = + + # Priority of the routing table. + # routing_table_prio = + + # Delay in ms for sending packets, to simulate larger RTT. + # send_delay = 0 + + # Delay request messages. + # send_delay_request = yes + + # Delay response messages. + # send_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # send_delay_type = 0 + + # Send strongSwan vendor ID payload + # send_vendor_id = no + + # Whether to enable Signature Authentication as per RFC 7427. + # signature_authentication = yes + + # Whether to enable constraints against IKEv2 signature schemes. + # signature_authentication_constraints = yes + + # Number of worker threads in charon. + # threads = 16 + + # Name of the user the daemon changes to after startup. + # user = + + crypto_test { + + # Benchmark crypto algorithms and order them by efficiency. + # bench = no + + # Buffer size used for crypto benchmark. + # bench_size = 1024 + + # Number of iterations to test each algorithm. + # bench_time = 50 + + # Test crypto algorithms during registration (requires test vectors + # provided by the test-vectors plugin). + # on_add = no + + # Test crypto algorithms on each crypto primitive instantiation. + # on_create = no + + # Strictly require at least one test vector to enable an algorithm. + # required = no + + # Whether to test RNG with TRUE quality; requires a lot of entropy. + # rng_true = no + + } + + host_resolver { + + # Maximum number of concurrent resolver threads (they are terminated if + # unused). + # max_threads = 3 + + # Minimum number of resolver threads to keep around. + # min_threads = 0 + + } + + leak_detective { + + # Includes source file names and line numbers in leak detective output. + # detailed = yes + + # Threshold in bytes for leaks to be reported (0 to report all). + # usage_threshold = 10240 + + # Threshold in number of allocations for leaks to be reported (0 to + # report all). + # usage_threshold_count = 0 + + } + + processor { + + # Section to configure the number of reserved threads per priority class + # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). + priority_threads { + + } + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is started. + start-scripts { + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is terminated. + stop-scripts { + + } + + tls { + + # List of TLS encryption ciphers. + # cipher = + + # List of TLS key exchange methods. + # key_exchange = + + # List of TLS MAC algorithms. + # mac = + + # List of TLS cipher suites. + # suites = + + } + + x509 { + + # Discard certificates with unsupported or unknown critical extensions. + # enforce_critical = yes + + } + +} + diff --git a/data/templates/ipsec/charon/dhcp.conf.j2 b/data/templates/ipsec/charon/dhcp.conf.j2 new file mode 100644 index 0000000..aaa5613 --- /dev/null +++ b/data/templates/ipsec/charon/dhcp.conf.j2 @@ -0,0 +1,20 @@ +dhcp { + load = yes +{% if remote_access.dhcp.interface is vyos_defined %} + interface = {{ remote_access.dhcp.interface }} +{% endif %} +{% if remote_access.dhcp.server is vyos_defined %} + server = {{ remote_access.dhcp.server }} +{% endif %} + + # Always use the configured server address. + # force_server_address = no + + # Derive user-defined MAC address from hash of IKE identity and send client + # identity DHCP option. + # identity_lease = no + + # Use the DHCP server port (67) as source port when a unicast server address + # is configured. + # use_server_port = no +} diff --git a/data/templates/ipsec/charon/eap-radius.conf.j2 b/data/templates/ipsec/charon/eap-radius.conf.j2 new file mode 100644 index 0000000..3643774 --- /dev/null +++ b/data/templates/ipsec/charon/eap-radius.conf.j2 @@ -0,0 +1,117 @@ +eap-radius { + # Send RADIUS accounting information to RADIUS servers. + # accounting = no + + # Close the IKE_SA if there is a timeout during interim RADIUS accounting + # updates. + # accounting_close_on_timeout = yes + + # Interval in seconds for interim RADIUS accounting updates, if not + # specified by the RADIUS server in the Access-Accept message. + # accounting_interval = 0 + + # If enabled, accounting is disabled unless an IKE_SA has at least one + # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. + # accounting_requires_vip = no + + # If enabled, adds the Class attributes received in Access-Accept message to + # the RADIUS accounting messages. + # accounting_send_class = no + + # Use class attributes in Access-Accept messages as group membership + # information. + # class_group = no + + # Closes all IKE_SAs if communication with the RADIUS server times out. If + # it is not set only the current IKE_SA is closed. + # close_all_on_timeout = no + + # Send EAP-Start instead of EAP-Identity to start RADIUS conversation. + # eap_start = no + + # Use filter_id attribute as group membership information. + # filter_id = no + + # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the + # EAP method. + # id_prefix = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # NAS-Identifier to include in RADIUS messages. + nas_identifier = {{ remote_access.radius.nas_identifier if remote_access.radius.nas_identifier is vyos_defined else 'strongSwan' }} + + # Port of RADIUS server (authentication). + # port = 1812 + + # Base to use for calculating exponential back off. + # retransmit_base = 1.4 + +{% if remote_access.radius.timeout is vyos_defined %} + # Timeout in seconds before sending first retransmit. + retransmit_timeout = {{ remote_access.radius.timeout | float }} +{% endif %} + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 4 + + # Shared secret between RADIUS and NAS. If set, make sure to adjust the + # permissions of the config file accordingly. + # secret = + + # IP/Hostname of RADIUS server. + # server = + + # Number of sockets (ports) to use, increase for high load. + # sockets = 1 + + # Whether to include the UDP port in the Called- and Calling-Station-Id + # RADIUS attributes. + # station_id_with_port = yes + + dae { + # Enables support for the Dynamic Authorization Extension (RFC 5176). + # enable = no + + # Address to listen for DAE messages from the RADIUS server. + # listen = 0.0.0.0 + + # Port to listen for DAE requests. + # port = 3799 + + # Shared secret used to verify/sign DAE messages. If set, make sure to + # adjust the permissions of the config file accordingly. + # secret = + } + + forward { + # RADIUS attributes to be forwarded from IKEv2 to RADIUS. + # ike_to_radius = + + # Same as ike_to_radius but from RADIUS to IKEv2. + # radius_to_ike = + } + + # Section to specify multiple RADIUS servers. + servers { +{% if remote_access.radius.server is vyos_defined %} +{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %} + {{ server | replace('.', '-') }} { + address = {{ server }} + secret = {{ server_options.key }} + auth_port = {{ server_options.port }} +{% if server_options.disable_accounting is not vyos_defined %} + acct_port = {{ server_options.port | int + 1 }} +{% endif %} + sockets = 20 + } +{% endfor %} +{% endif %} + } + + # Section to configure multiple XAuth authentication rounds via RADIUS. + xauth { + } +} diff --git a/data/templates/ipsec/interfaces_use.conf.j2 b/data/templates/ipsec/interfaces_use.conf.j2 new file mode 100644 index 0000000..c1bf827 --- /dev/null +++ b/data/templates/ipsec/interfaces_use.conf.j2 @@ -0,0 +1,5 @@ +{% if interface is vyos_defined %} +charon { + interfaces_use = {{ ', '.join(interface) }} +} +{% endif %}
\ No newline at end of file diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2 new file mode 100644 index 0000000..eb74924 --- /dev/null +++ b/data/templates/ipsec/ios_profile.j2 @@ -0,0 +1,104 @@ +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <!-- Set the name to whatever you like, it is used in the profile list on the device --> + <key>PayloadDisplayName</key> + <string>{{ profile_name }}</string> + <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles --> + <key>PayloadIdentifier</key> + <string>{{ rfqdn }}</string> + <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it --> + <key>PayloadUUID</key> + <string>{{ '' | get_uuid }}</string> + <key>PayloadType</key> + <string>Configuration</string> + <key>PayloadVersion</key> + <integer>1</integer> + <key>PayloadContent</key> + <array> + <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names --> + <dict> + <!-- This is an extension of the identifier given above --> + <key>PayloadIdentifier</key> + <string>{{ rfqdn }}.conf1</string> + <!-- A globally unique identifier for this payload --> + <key>PayloadUUID</key> + <string>{{ '' | get_uuid }}</string> + <key>PayloadType</key> + <string>com.apple.vpn.managed</string> + <key>PayloadVersion</key> + <integer>1</integer> + <!-- This is the name of the VPN connection as seen in the VPN application later --> + <key>UserDefinedName</key> + <string>{{ vpn_name }}</string> + <key>VPNType</key> + <string>IKEv2</string> + <key>IKEv2</key> + <dict> + <!-- Hostname or IP address of the VPN server --> + <key>RemoteAddress</key> + <string>{{ remote }}</string> + <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty. + IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN --> + <key>RemoteIdentifier</key> + <string>{{ authentication.local_id if authentication.local_id is vyos_defined else 'VyOS' }}</string> + <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used --> + <key>LocalIdentifier</key> + <string></string> + <!-- Optional, if it matches the CN of the root CA certificate (not the full subject DN) a certificate request will be sent + NOTE: If this is not configured make sure to configure leftsendcert=always on the server, otherwise it won't send its certificate --> + <key>ServerCertificateIssuerCommonName</key> + <string>{{ ca_cn }}</string> + <!-- Optional, the CN or one of the subjectAltNames of the server certificate to verify it, if not set RemoteIdentifier will be used --> + <key>ServerCertificateCommonName</key> + <string>{{ cert_cn }}</string> + <!-- The server is authenticated using a certificate --> + <key>AuthenticationMethod</key> + <string>Certificate</string> + <!-- The client uses EAP to authenticate --> + <key>ExtendedAuthEnabled</key> + <integer>1</integer> + <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES. + IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration --> + <key>IKESecurityAssociationParameters</key> + <dict> + <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2encryptionalgorithm --> + <key>EncryptionAlgorithm</key> + <string>{{ ike_encryption.encryption }}</string> + <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm --> + <key>IntegrityAlgorithm</key> + <string>{{ ike_encryption.hash }}</string> + <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2diffiehellmangroup --> + <key>DiffieHellmanGroup</key> + <integer>{{ ike_encryption.dh_group }}</integer> + </dict> + <key>ChildSecurityAssociationParameters</key> + <dict> + <key>EncryptionAlgorithm</key> + <string>{{ esp_encryption.encryption }}</string> + <key>IntegrityAlgorithm</key> + <string>{{ esp_encryption.hash }}</string> + <key>DiffieHellmanGroup</key> + <integer>{{ ike_encryption.dh_group }}</integer> + </dict> + </dict> + </dict> + <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration --> + <dict> + <key>PayloadIdentifier</key> + <string>org.example.ca</string> + <key>PayloadUUID</key> + <string>{{ '' | get_uuid }}</string> + <key>PayloadType</key> + <string>com.apple.security.root</string> + <key>PayloadVersion</key> + <integer>1</integer> + <!-- This is the Base64 (PEM) encoded CA certificate --> + <key>PayloadContent</key> + <data> + {{ ca_cert }} + </data> + </dict> + </array> +</dict> +</plist> diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2 new file mode 100644 index 0000000..d44d0f5 --- /dev/null +++ b/data/templates/ipsec/swanctl.conf.j2 @@ -0,0 +1,131 @@ +### Autogenerated by vpn_ipsec.py ### +{% import 'ipsec/swanctl/l2tp.j2' as l2tp_tmpl %} +{% import 'ipsec/swanctl/profile.j2' as profile_tmpl %} +{% import 'ipsec/swanctl/peer.j2' as peer_tmpl %} +{% import 'ipsec/swanctl/remote_access.j2' as remote_access_tmpl %} + +connections { +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} +{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} +{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if remote_access.connection is vyos_defined %} +{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %} +{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if l2tp %} +{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }} +{% endif %} +} + +pools { +{% if remote_access.pool is vyos_defined %} +{% for pool, pool_config in remote_access.pool.items() %} + {{ pool }} { +{% if pool_config.prefix is vyos_defined %} + addrs = {{ pool_config.prefix }} +{% endif %} +{% if pool_config.name_server is vyos_defined %} + dns = {{ pool_config.name_server | join(',') }} +{% endif %} +{% if pool_config.exclude is vyos_defined %} + split_exclude = {{ pool_config.exclude | join(',') }} +{% endif %} + } +{% endfor %} +{% endif %} +} + +secrets { +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} +{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} +{% for interface in profile_conf.bind.tunnel %} + ike-dmvpn-{{ interface }} { + secret = {{ profile_conf.authentication.pre_shared_secret }} + } +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} +{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %} +{% if peer_conf.authentication.mode is vyos_defined('x509') %} + private_{{ peer_name }} { + file = {{ peer_conf.authentication.x509.certificate }}.pem +{% if peer_conf.authentication.x509.passphrase is vyos_defined %} + secret = "{{ peer_conf.authentication.x509.passphrase }}" +{% endif %} + } +{% elif peer_conf.authentication.mode is vyos_defined('rsa') %} + rsa_{{ peer_name }}_local { + file = {{ peer_conf.authentication.rsa.local_key }}.pem +{% if peer_conf.authentication.rsa.passphrase is vyos_defined %} + secret = "{{ peer_conf.authentication.rsa.passphrase }}" +{% endif %} + } +{% endif %} +{% endfor %} +{% endif %} +{% if authentication.psk is vyos_defined %} +{% for psk, psk_config in authentication.psk.items() %} + ike-{{ psk }} { +{% if psk_config.id is vyos_defined %} + # ID's from auth psk <tag> id xxx +{% for id in psk_config.id %} +{% set gen_uuid = '' | generate_uuid4 %} + id-{{ gen_uuid }} = "{{ id }}" +{% endfor %} +{% endif %} + secret = "{{ psk_config.secret }}" + } +{% endfor %} +{% endif %} + +{% if remote_access.connection is vyos_defined %} +{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %} +{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %} + ike_{{ ra }} { +{% if ra_conf.authentication.local_id is vyos_defined %} + id = "{{ ra_conf.authentication.local_id }}" +{% elif ra_conf.local_address is vyos_defined %} + id = "{{ ra_conf.local_address }}" +{% endif %} + secret = "{{ ra_conf.authentication.pre_shared_secret }}" + } +{% endif %} +{% if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %} +{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %} + eap-{{ ra }}-{{ user }} { + secret = "{{ user_conf.password }}" + id-{{ ra }}-{{ user }} = "{{ user }}" + } +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% if l2tp %} +{% if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %} + ike_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + secret = "{{ l2tp.authentication.pre_shared_secret }}" + } +{% elif l2tp.authentication.mode is vyos_defined('x509') %} + private_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + file = {{ l2tp.authentication.x509.certificate }}.pem +{% if l2tp.authentication.x509.passphrase is vyos_defined %} + secret = "{{ l2tp.authentication.x509.passphrase }}" +{% endif %} + } +{% endif %} +{% endif %} +} diff --git a/data/templates/ipsec/swanctl/l2tp.j2 b/data/templates/ipsec/swanctl/l2tp.j2 new file mode 100644 index 0000000..7e63865 --- /dev/null +++ b/data/templates/ipsec/swanctl/l2tp.j2 @@ -0,0 +1,30 @@ +{% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %} +{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is vyos_defined else None %} +{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is vyos_defined else None %} + l2tp_remote_access { + proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }} + local_addrs = {{ l2tp_outside_address }} + dpd_delay = 15s + dpd_timeout = 45s + rekey_time = {{ l2tp_ike.lifetime if l2tp_ike else l2tp.ike_lifetime }}s + reauth_time = 0 + local { + auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }} +{% if l2tp.authentication.mode == 'x509' %} + certs = {{ l2tp.authentication.x509.certificate }}.pem +{% endif %} + } + remote { + auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }} + } + children { + l2tp_remote_access_esp { + mode = transport + esp_proposals = {{ l2tp_esp | get_esp_ike_cipher(l2tp_ike) | join(',') if l2tp_esp else l2tp_esp_default }} + life_time = {{ l2tp_esp.lifetime if l2tp_esp else l2tp.lifetime }}s + local_ts = dynamic[/1701] + remote_ts = dynamic + } + } + } +{% endmacro %} diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 new file mode 100644 index 0000000..58f0199 --- /dev/null +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -0,0 +1,166 @@ +{% macro conn(peer, peer_conf, ike_group, esp_group) %} +{% set name = peer.replace("@", "") | dot_colon_to_dash %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[peer_conf.ike_group] %} + {{ name }} { + proposals = {{ ike | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} +{% if peer_conf.virtual_address is vyos_defined %} + vips = {{ peer_conf.virtual_address | join(', ') }} +{% endif %} + local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%any' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} + remote_addrs = {{ peer_conf.remote_address | join(",") if peer_conf.remote_address is vyos_defined and 'any' not in peer_conf.remote_address else '%any' }} +{% if peer_conf.authentication.mode is vyos_defined('x509') %} + send_cert = always +{% endif %} +{% if ike.dead_peer_detection is vyos_defined %} + dpd_timeout = {{ ike.dead_peer_detection.timeout }} + dpd_delay = {{ ike.dead_peer_detection.interval }} +{% endif %} +{% if ike.key_exchange is vyos_defined('ikev1') and ike.mode is vyos_defined('aggressive') %} + aggressive = yes +{% endif %} + rekey_time = {{ ike.lifetime }}s + mobike = {{ "no" if ike.disable_mobike is defined else "yes" }} +{% if peer[0:1] == '@' %} + keyingtries = 0 + reauth_time = 0 +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} + keyingtries = 0 +{% elif peer_conf.connection_type is vyos_defined('respond') %} + keyingtries = 1 +{% endif %} +{% if peer_conf.force_udp_encapsulation is vyos_defined %} + encap = yes +{% endif %} + local { +{% if peer_conf.authentication.local_id is vyos_defined %} + id = "{{ peer_conf.authentication.local_id }}" +{% endif %} + auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} +{% if peer_conf.authentication.mode == 'x509' %} + certs = {{ peer_conf.authentication.x509.certificate }}.pem +{% elif peer_conf.authentication.mode == 'rsa' %} + pubkeys = {{ peer_conf.authentication.rsa.local_key }}.pem +{% endif %} + } + remote { + id = "{{ peer_conf.authentication.remote_id }}" + auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} +{% if peer_conf.authentication.mode == 'rsa' %} + pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem +{% endif %} + } + children { +{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %} +{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %} + {{ name }}-vti { + esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }} +{% if vti_esp.life_bytes is vyos_defined %} + life_bytes = {{ vti_esp.life_bytes }} +{% endif %} +{% if vti_esp.life_packets is vyos_defined %} + life_packets = {{ vti_esp.life_packets }} +{% endif %} + life_time = {{ vti_esp.lifetime }}s + local_ts = 0.0.0.0/0,::/0 + remote_ts = 0.0.0.0/0,::/0 + updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" +{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} +{# Thus we simply shift the key by one to also support a vti0 interface #} +{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %} + if_id_in = {{ if_id }} + if_id_out = {{ if_id }} + ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined else 'no' }} + mode = {{ vti_esp.mode }} +{% if peer[0:1] == '@' %} + start_action = none +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} + start_action = start +{% elif peer_conf.connection_type is vyos_defined('respond') %} + start_action = trap +{% elif peer_conf.connection_type is vyos_defined('none') %} + start_action = none +{% endif %} +{% if ike.dead_peer_detection is vyos_defined %} + dpd_action = {{ ike.dead_peer_detection.action }} +{% endif %} + close_action = {{ ike.close_action }} +{% if peer_conf.replay_window is vyos_defined %} + replay_window = {{ peer_conf.replay_window }} +{% endif %} + } +{% elif peer_conf.tunnel is vyos_defined %} +{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} +{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %} +{% set tunnel_esp = esp_group[tunnel_esp_name] %} +{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %} +{% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %} +{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} +{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %} +{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} + {{ name }}-tunnel-{{ tunnel_id }} { + esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }} +{% if tunnel_esp.life_bytes is vyos_defined %} + life_bytes = {{ tunnel_esp.life_bytes }} +{% endif %} +{% if tunnel_esp.life_packets is vyos_defined %} + life_packets = {{ tunnel_esp.life_packets }} +{% endif %} + life_time = {{ tunnel_esp.lifetime }}s +{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} +{% if tunnel_conf.local.prefix is vyos_defined %} +{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} + local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} +{% endif %} +{% if tunnel_conf.remote.prefix is vyos_defined %} +{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %} + remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }} +{% endif %} +{% if tunnel_conf.priority is vyos_defined %} + priority = {{ tunnel_conf.priority }} +{% endif %} +{% elif tunnel_esp.mode == 'transport' %} + local_ts = {{ peer_conf.local_address }}{{ local_suffix }} + remote_ts = {{ peer_conf.remote_address | join(",") }}{{ remote_suffix }} +{% endif %} + ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined else 'no' }} + mode = {{ tunnel_esp.mode }} +{% if peer[0:1] == '@' %} + start_action = none +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} + start_action = start +{% elif peer_conf.connection_type is vyos_defined('respond') %} + start_action = trap +{% elif peer_conf.connection_type is vyos_defined('none') %} + start_action = none +{% endif %} +{% if ike.dead_peer_detection is vyos_defined %} + dpd_action = {{ ike.dead_peer_detection.action }} +{% endif %} + close_action = {{ ike.close_action }} +{% if peer_conf.replay_window is vyos_defined %} + replay_window = {{ peer_conf.replay_window }} +{% endif %} +{% if peer_conf.vti.bind is vyos_defined %} +{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} +{# Thus we simply shift the key by one to also support a vti0 interface #} +{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %} + updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" + if_id_in = {{ if_id }} + if_id_out = {{ if_id }} +{% endif %} + } +{% if tunnel_conf.passthrough is vyos_defined %} + {{ name }}-tunnel-{{ tunnel_id }}-passthrough { + local_ts = {{ tunnel_conf.passthrough | join(",") }} + remote_ts = {{ tunnel_conf.passthrough | join(",") }} + start_action = trap + mode = pass + } +{% endif %} +{% endfor %} +{% endif %} + } + } +{% endmacro %} diff --git a/data/templates/ipsec/swanctl/profile.j2 b/data/templates/ipsec/swanctl/profile.j2 new file mode 100644 index 0000000..8519a84 --- /dev/null +++ b/data/templates/ipsec/swanctl/profile.j2 @@ -0,0 +1,43 @@ +{% macro conn(name, profile_conf, ike_group, esp_group) %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[profile_conf.ike_group] %} +{% set esp = esp_group[profile_conf.esp_group] %} +{% if profile_conf.bind.tunnel is vyos_defined %} +{% for interface in profile_conf.bind.tunnel %} + dmvpn-{{ name }}-{{ interface }} { + proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} + rekey_time = {{ ike.lifetime }}s + keyingtries = 0 +{% if ike.dead_peer_detection is vyos_defined %} + dpd_timeout = {{ ike.dead_peer_detection.timeout }} + dpd_delay = {{ ike.dead_peer_detection.interval }} +{% endif %} +{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} + local { + auth = psk + } + remote { + auth = psk + } +{% endif %} + children { + dmvpn { + esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }} + rekey_time = {{ esp.lifetime }}s + rand_time = 540s + local_ts = dynamic[gre] + remote_ts = dynamic[gre] + mode = {{ esp.mode }} +{% if ike.dead_peer_detection.action is vyos_defined %} + dpd_action = {{ ike.dead_peer_detection.action }} +{% endif %} +{% if esp.compression is vyos_defined('enable') %} + ipcomp = yes +{% endif %} + } + } + } +{% endfor %} +{% endif %} +{% endmacro %} diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 new file mode 100644 index 0000000..6bced88 --- /dev/null +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -0,0 +1,61 @@ +{% macro conn(name, rw_conf, ike_group, esp_group) %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[rw_conf.ike_group] %} +{% set esp = esp_group[rw_conf.esp_group] %} + ra-{{ name }} { + remote_addrs = %any + local_addrs = {{ rw_conf.local_address if rw_conf.local_address is not vyos_defined('any') else '%any' }} # dhcp:{{ rw_conf.dhcp_interface if rw_conf.dhcp_interface is vyos_defined else 'no' }} + proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} + send_certreq = no + rekey_time = {{ ike.lifetime }}s + keyingtries = 0 +{% if rw_conf.unique is vyos_defined %} + unique = {{ rw_conf.unique }} +{% endif %} +{% if rw_conf.pool is vyos_defined %} + pools = {{ rw_conf.pool | join(',') }} +{% endif %} + local { +{% if rw_conf.authentication.local_id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %} +{# please use " quotes - else Apple iOS goes crazy #} + id = "{{ rw_conf.authentication.local_id }}" +{% endif %} +{% if rw_conf.authentication.server_mode == 'x509' %} + auth = pubkey + certs = {{ rw_conf.authentication.x509.certificate }}.pem +{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %} + auth = psk +{% endif %} + } + remote { +{% if rw_conf.authentication.client_mode == 'x509' %} + auth = pubkey +{% elif rw_conf.authentication.client_mode.startswith("eap") %} + auth = {{ rw_conf.authentication.client_mode }} + eap_id = {{ '%any' if rw_conf.authentication.eap_id == 'any' else rw_conf.authentication.eap_id }} +{% endif %} +{% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %} +{# pass all configured CAs as filenames, separated by commas #} +{# this will produce a string like "MyCA1.pem,MyCA2.pem" #} + cacerts = {{ '.pem,'.join(rw_conf.authentication.x509.ca_certificate) ~ '.pem' }} +{% endif %} + } + children { + ikev2-vpn { + esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }} + rekey_time = {{ esp.lifetime }}s + rand_time = 540s + dpd_action = clear + inactivity = {{ rw_conf.timeout }} +{% if rw_conf.replay_window is vyos_defined %} + replay_window = {{ rw_conf.replay_window }} +{% endif %} +{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %} +{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %} +{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} + local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} + } + } + } +{% endmacro %} diff --git a/data/templates/ipsec/windows_profile.j2 b/data/templates/ipsec/windows_profile.j2 new file mode 100644 index 0000000..8c26944 --- /dev/null +++ b/data/templates/ipsec/windows_profile.j2 @@ -0,0 +1,4 @@ +Remove-VpnConnection -Name "{{ vpn_name }}" -Force -PassThru + +Add-VpnConnection -Name "{{ vpn_name }}" -ServerAddress "{{ remote }}" -TunnelType "Ikev2" +Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force diff --git a/data/templates/lcd/LCDd.conf.j2 b/data/templates/lcd/LCDd.conf.j2 new file mode 100644 index 0000000..3631add --- /dev/null +++ b/data/templates/lcd/LCDd.conf.j2 @@ -0,0 +1,139 @@ +### Autogenerted by system-display.py ## + +# LCDd.conf -- configuration file for the LCDproc server daemon LCDd +# +# This file contains the configuration for the LCDd server. +# +# The format is ini-file-like. It is divided into sections that start at +# markers that look like [section]. Comments are all line-based comments, +# and are lines that start with '#' or ';'. +# +# The server has a 'central' section named [server]. For the menu there is +# a section called [menu]. Further each driver has a section which +# defines how the driver acts. +# +# The drivers are activated by specifying them in a driver= line in the +# server section, like: +# +# Driver=curses +# +# This tells LCDd to use the curses driver. +# The first driver that is loaded and is capable of output defines the +# size of the display. The default driver to use is curses. +# If the driver is specified using the -d <driver> command line option, +# the Driver= options in the config file are ignored. +# +# The drivers read their own options from the respective sections. + +## Server section with all kinds of settings for the LCDd server ## +[server] + +# Where can we find the driver modules ? +# NOTE: Always place a slash as last character ! +DriverPath=/usr/lib/x86_64-linux-gnu/lcdproc/ + +# Tells the server to load the given drivers. Multiple lines can be given. +# The name of the driver is case sensitive and determines the section +# where to look for further configuration options of the specific driver +# as well as the name of the dynamic driver module to load at runtime. +# The latter one can be changed by giving a File= directive in the +# driver specific section. +# +# The following drivers are supported: +# bayrad, CFontz, CFontzPacket, curses, CwLnx, ea65, EyeboxOne, futaba, +# g15, glcd, glcdlib, glk, hd44780, icp_a106, imon, imonlcd,, IOWarrior, +# irman, joy, lb216, lcdm001, lcterm, linux_input, lirc, lis, MD8800, +# mdm166a, ms6931, mtc_s16209x, MtxOrb, mx5000, NoritakeVFD, +# Olimex_MOD_LCD1x9, picolcd, pyramid, rawserial, sdeclcd, sed1330, +# sed1520, serialPOS, serialVFD, shuttleVFD, sli, stv5730, svga, t6963, +# text, tyan, ula200, vlsys_m428, xosd, yard2LCD + +{% if model is vyos_defined %} +{% if model.startswith('cfa-') %} +Driver=CFontzPacket +{% elif model == 'sdec' %} +Driver=sdeclcd +{% elif model == 'hd44780' %} +Driver=hd44780 +{% endif %} +{% endif %} + +# Tells the driver to bind to the given interface. [default: 127.0.0.1] +Bind=127.0.0.1 + +# Listen on this specified port. [default: 13666] +Port=13666 + +# Sets the reporting level; defaults to warnings and errors only. +# [default: 2; legal: 0-5] +ReportLevel=3 + +# Should we report to syslog instead of stderr? [default: no; legal: yes, no] +ReportToSyslog=yes + +# User to run as. LCDd will drop its root privileges and run as this user +# instead. [default: nobody] +User=nobody + +# The server will stay in the foreground if set to yes. +# [default: no, legal: yes, no] +Foreground=yes + +# Hello message: each entry represents a display line; default: builtin +Hello="Starting VyOS..." + +# GoodBye message: each entry represents a display line; default: builtin +GoodBye="VyOS shutdown..." + +# Sets the interval in microseconds for updating the display. +# [default: 125000 meaning 8Hz] +FrameInterval=500000 # 2 updates per second + +# Sets the default time in seconds to displays a screen. [default: 4] +WaitTime=1 + +# If set to no, LCDd will start with screen rotation disabled. This has the +# same effect as if the ToggleRotateKey had been pressed. Rotation will start +# if the ToggleRotateKey is pressed. Note that this setting does not turn off +# priority sorting of screens. [default: on; legal: on, off] +AutoRotate=on + +# If yes, the the serverscreen will be rotated as a usual info screen. If no, +# it will be a background screen, only visible when no other screens are +# active. The special value 'blank' is similar to no, but only a blank screen +# is displayed. [default: on; legal: on, off, blank] +ServerScreen=blank + +# Set master backlight setting. If set to 'open' a client may control the +# backlight for its own screens (only). [default: open; legal: off, open, on] +Backlight=on + +# Set master heartbeat setting. If set to 'open' a client may control the +# heartbeat for its own screens (only). [default: open; legal: off, open, on] +Heartbeat=off + +# set title scrolling speed [default: 10; legal: 0-10] +TitleSpeed=10 + +{% if model is vyos_defined %} +{% if model.startswith('cfa-') %} +## CrystalFontz packet driver (for CFA533, CFA631, CFA633 & CFA635) ## +[CFontzPacket] +Model={{ model.split('-')[1] }} +Device={{ device }} +Contrast=350 +Brightness=500 +OffBrightness=50 +Reboot=yes +USB=yes +{% elif model == 'sdec' %} +## SDEC driver for Lanner, Watchguard, Sophos sppliances ## +[sdeclcd] +# No options +{% elif model == 'hd44780' %} +[hd44780] +ConnectionType=ezio +Device={{ device }} +Size=16x2 +{% endif %} +{% endif %} diff --git a/data/templates/lcd/lcdproc.conf.j2 b/data/templates/lcd/lcdproc.conf.j2 new file mode 100644 index 0000000..c79f3cd --- /dev/null +++ b/data/templates/lcd/lcdproc.conf.j2 @@ -0,0 +1,60 @@ +### autogenerated by system-lcd.py ### + +# LCDproc client configuration file + +[lcdproc] +Server=127.0.0.1 +Port=13666 + +# set reporting level +ReportLevel=3 + +# report to to syslog ? +ReportToSyslog=true + +Foreground=yes + +[CPU] +Active=true +OnTime=1 +OffTime=2 +ShowInvisible=false + +[SMP-CPU] +Active=false + +[Memory] +Active=false + +[Load] +Active=false + +[Uptime] +Active=true + +[ProcSize] +Active=false + +[Disk] +Active=false + +[About] +Active=false + +[TimeDate] +Active=true +TimeFormat="%H:%M:%S" + +[OldTime] +Active=false + +[BigClock] +Active=false + +[MiniClock] +Active=false + +# Display the title bar in two-line mode. Note that with four lines or more +# the title is always shown. [default: true; legal: true, false] +ShowTitle=false + diff --git a/data/templates/lldp/lldpd.j2 b/data/templates/lldp/lldpd.j2 new file mode 100644 index 0000000..2238fe1 --- /dev/null +++ b/data/templates/lldp/lldpd.j2 @@ -0,0 +1,2 @@ +### Autogenerated by service_lldp.py ### +DAEMON_ARGS="-M 4 {{ '-x' if snmp is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}" diff --git a/data/templates/lldp/vyos.conf.j2 b/data/templates/lldp/vyos.conf.j2 new file mode 100644 index 0000000..4b4228c --- /dev/null +++ b/data/templates/lldp/vyos.conf.j2 @@ -0,0 +1,25 @@ +### Autogenerated by service_lldp.py ### + +configure system platform VyOS +configure system description "VyOS {{ version }}" +{% if interface is vyos_defined %} +{% set tmp = [] %} +{% for iface, iface_options in interface.items() if iface_options.disable is not vyos_defined %} +{% if iface == 'all' %} +{% set iface = '*' %} +{% endif %} +{% set _ = tmp.append(iface) %} +{% if iface_options.location is vyos_defined %} +{% if iface_options.location.elin is vyos_defined %} +configure ports {{ iface }} med location elin "{{ iface_options.location.elin }}" +{% endif %} +{% if iface_options.location.coordinate_based is vyos_defined %} +configure ports {{ iface }} med location coordinate latitude "{{ iface_options.location.coordinate_based.latitude }}" longitude "{{ iface_options.location.coordinate_based.longitude }}" altitude "{{ iface_options.location.coordinate_based.altitude }}m" datum "{{ iface_options.location.coordinate_based.datum }}" +{% endif %} +{% endif %} +{% endfor %} +configure system interface pattern "{{ tmp | join(",") }}" +{% endif %} +{% if management_address is vyos_defined %} +configure system ip management pattern {{ management_address | join(",") }} +{% endif %} diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 new file mode 100644 index 0000000..7917c82 --- /dev/null +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -0,0 +1,205 @@ +### Autogenerated by load-balancing_reverse-proxy.py ### + +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin + stats timeout 30s + user haproxy + group haproxy + daemon + +{% if global_parameters is vyos_defined %} +{% if global_parameters.max_connections is vyos_defined %} + maxconn {{ global_parameters.max_connections }} +{% endif %} + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + +{% if global_parameters.ssl_bind_ciphers is vyos_defined %} + # https://ssl-config.mozilla.org/#server=haproxy&version=2.6.12-1&config=intermediate&openssl=3.0.8-1&guideline=5.6 + ssl-default-bind-ciphers {{ global_parameters.ssl_bind_ciphers | join(':') | upper }} +{% endif %} + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 +{% if global_parameters.tls_version_min is vyos_defined('1.3') %} + ssl-default-bind-options force-tlsv13 +{% else %} + ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets +{% endif %} +{% endif %} + +defaults + log global + mode http + option dontlognull + timeout connect 10s + timeout client 50s + timeout server 50s + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +# Frontend +{% if service is vyos_defined %} +{% for front, front_config in service.items() %} +frontend {{ front }} +{% set ssl_front = [] %} +{% if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %} +{% for cert in front_config.ssl.certificate %} +{% set _ = ssl_front.append('crt /run/haproxy/' ~ cert ~ '.pem') %} +{% endfor %} +{% endif %} +{% set ssl_directive = 'ssl' if ssl_front else '' %} +{% if front_config.listen_address is vyos_defined %} +{% for address in front_config.listen_address %} + bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }} +{% endfor %} +{% else %} + bind :::{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }} +{% endif %} +{% if front_config.redirect_http_to_https is vyos_defined %} + http-request redirect scheme https unless { ssl_fc } +{% endif %} +{% if front_config.mode is vyos_defined %} + mode {{ front_config.mode }} +{% if front_config.tcp_request.inspect_delay is vyos_defined %} + tcp-request inspect-delay {{ front_config.tcp_request.inspect_delay }} +{% endif %} +{# add tcp-request related directive if ssl is configed #} +{% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %} +{% for rule, rule_config in front_config.rule.items() %} +{% if rule_config.ssl is vyos_defined %} + tcp-request content accept if { req_ssl_hello_type 1 } +{% break %} +{% endif %} +{% endfor %} +{% endif %} +{% endif %} +{% if front_config.rule is vyos_defined %} +{% for rule, rule_config in front_config.rule.items() %} + # rule {{ rule }} +{% if rule_config.domain_name is vyos_defined %} +{% set rule_options = 'hdr(host)' %} +{% if rule_config.ssl is vyos_defined %} +{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %} +{% set rule_options = ssl_rule_translate[rule_config.ssl] %} +{% endif %} +{% for domain in rule_config.domain_name %} + acl {{ rule }} {{ rule_options }} -i {{ domain }} +{% endfor %} +{% endif %} +{# path url #} +{% if rule_config.url_path is vyos_defined %} +{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %} +{% for path, path_config in rule_config.url_path.items() %} +{% for url in path_config %} + acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }} +{% endfor %} +{% endfor %} +{% endif %} +{% if rule_config.set.backend is vyos_defined %} + use_backend {{ rule_config.set.backend }} if {{ rule }} +{% endif %} +{% if rule_config.set.redirect_location is vyos_defined %} + http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }} +{% endif %} +{# endpath #} +{% endfor %} +{% endif %} +{% if front_config.backend is vyos_defined %} +{% for backend in front_config.backend %} + default_backend {{ backend }} +{% endfor %} +{% endif %} + +{% endfor %} +{% endif %} + +# Backend +{% if backend is vyos_defined %} +{% for back, back_config in backend.items() %} +backend {{ back }} +{% if back_config.http_check is vyos_defined %} + option httpchk +{% endif %} +{% set send = '' %} +{% if back_config.http_check.method is vyos_defined %} +{% set send = send + ' meth ' + back_config.http_check.method | upper %} +{% endif %} +{% if back_config.http_check.uri is vyos_defined %} +{% set send = send + ' uri ' + back_config.http_check.uri %} +{% endif %} +{% if send != '' %} + http-check send{{ send }} +{% endif %} +{% if back_config.http_check.expect is vyos_defined %} +{% if back_config.http_check.expect.status is vyos_defined %} + http-check expect status {{ back_config.http_check.expect.status }} +{% elif back_config.http_check.expect.string is vyos_defined %} + http-check expect string {{ back_config.http_check.expect.string }} +{% endif %} +{% endif %} +{% if back_config.balance is vyos_defined %} +{% set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %} + balance {{ balance_translate[back_config.balance] }} +{% endif %} +{# If mode is not TCP skip Forwarded #} +{% if back_config.mode is not vyos_defined('tcp') %} + option forwardfor + http-request set-header X-Forwarded-Port %[dst_port] + http-request add-header X-Forwarded-Proto https if { ssl_fc } +{% endif %} +{% if back_config.mode is vyos_defined %} + mode {{ back_config.mode }} +{% endif %} +{% if back_config.rule is vyos_defined %} +{% for rule, rule_config in back_config.rule.items() %} +{% if rule_config.domain_name is vyos_defined and rule_config.set.server is vyos_defined %} +{% set rule_options = 'hdr(host)' %} +{% if rule_config.ssl is vyos_defined %} +{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %} +{% set rule_options = ssl_rule_translate[rule_config.ssl] %} +{% endif %} +{% for domain in rule_config.domain_name %} + acl {{ rule }} {{ rule_options }} -i {{ domain }} +{% endfor %} + use-server {{ rule_config.set.server }} if {{ rule }} +{% endif %} +{# path url #} +{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %} +{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %} +{% for path, path_config in rule_config.url_path.items() %} +{% for url in path_config %} + acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }} +{% endfor %} +{% endfor %} + http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }} +{% endif %} +{# endpath #} +{% endfor %} +{% endif %} +{% if back_config.server is vyos_defined %} +{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else ('ssl verify none' if back_config.ssl.no_verify is vyos_defined else '') %} +{% for server, server_config in back_config.server.items() %} + server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }} +{% endfor %} +{% endif %} +{% if back_config.timeout.check is vyos_defined %} + timeout check {{ back_config.timeout.check }}s +{% endif %} +{% if back_config.timeout.connect is vyos_defined %} + timeout connect {{ back_config.timeout.connect }}s +{% endif %} +{% if back_config.timeout.server is vyos_defined %} + timeout server {{ back_config.timeout.server }}s +{% endif %} + +{% endfor %} +{% endif %} diff --git a/data/templates/load-balancing/override_haproxy.conf.j2 b/data/templates/load-balancing/override_haproxy.conf.j2 new file mode 100644 index 0000000..395b5d2 --- /dev/null +++ b/data/templates/load-balancing/override_haproxy.conf.j2 @@ -0,0 +1,14 @@ +{% set haproxy_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service +ConditionPathExists=/run/haproxy/haproxy.cfg + +[Service] +EnvironmentFile= +Environment= +Environment="CONFIG=/run/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock" +ExecStart= +ExecStart={{ haproxy_command }}/usr/sbin/haproxy -Ws -f /run/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock +Restart=always +RestartSec=10 diff --git a/data/templates/load-balancing/wlb.conf.j2 b/data/templates/load-balancing/wlb.conf.j2 new file mode 100644 index 0000000..7f04d79 --- /dev/null +++ b/data/templates/load-balancing/wlb.conf.j2 @@ -0,0 +1,134 @@ +### Autogenerated by load-balancing_wan.py ### + +{% if disable_source_nat is vyos_defined %} +disable-source-nat +{% endif %} +{% if enable_local_traffic is vyos_defined %} +enable-local-traffic +{% endif %} +{% if sticky_connections is vyos_defined %} +sticky-connections inbound +{% endif %} +{% if flush_connections is vyos_defined %} +flush-conntrack +{% endif %} +{% if hook is vyos_defined %} +hook "{{ hook }}" +{% endif %} +{% if interface_health is vyos_defined %} +health { +{% for interface, interface_config in interface_health.items() %} + interface {{ interface }} { +{% if interface_config.failure_count is vyos_defined %} + failure-ct {{ interface_config.failure_count }} +{% endif %} +{% if interface_config.success_count is vyos_defined %} + success-ct {{ interface_config.success_count }} +{% endif %} +{% if interface_config.nexthop is vyos_defined %} + nexthop {{ interface_config.nexthop }} +{% endif %} +{% if interface_config.test is vyos_defined %} +{% for test_rule, test_config in interface_config.test.items() %} + rule {{ test_rule }} { +{% if test_config.type is vyos_defined %} +{% set type_translate = {'ping': 'ping', 'ttl': 'udp', 'user-defined': 'user-defined'} %} + type {{ type_translate[test_config.type] }} { +{% if test_config.ttl_limit is vyos_defined and test_config.type == 'ttl' %} + ttl {{ test_config.ttl_limit }} +{% endif %} +{% if test_config.test_script is vyos_defined and test_config.type == 'user-defined' %} + test-script {{ test_config.test_script }} +{% endif %} +{% if test_config.target is vyos_defined %} + target {{ test_config.target }} +{% endif %} + resp-time {{ test_config.resp_time | int * 1000 }} + } +{% endif %} + } +{% endfor %} +{% endif %} + } +{% endfor %} +} +{% endif %} + +{% if rule is vyos_defined %} +{% for rule, rule_config in rule.items() %} +rule {{ rule }} { +{% if rule_config.exclude is vyos_defined %} + exclude +{% endif %} +{% if rule_config.failover is vyos_defined %} + failover +{% endif %} +{% if rule_config.limit is vyos_defined %} + limit { +{% if rule_config.limit.burst is vyos_defined %} + burst {{ rule_config.limit.burst }} +{% endif %} +{% if rule_config.limit.rate is vyos_defined %} + rate {{ rule_config.limit.rate }} +{% endif %} +{% if rule_config.limit.period is vyos_defined %} + period {{ rule_config.limit.period }} +{% endif %} +{% if rule_config.limit.threshold is vyos_defined %} + thresh {{ rule_config.limit.threshold }} +{% endif %} + } +{% endif %} +{% if rule_config.per_packet_balancing is vyos_defined %} + per-packet-balancing +{% endif %} +{% if rule_config.protocol is vyos_defined %} + protocol {{ rule_config.protocol }} +{% endif %} +{% if rule_config.destination is vyos_defined %} + destination { +{% if rule_config.destination.address is vyos_defined %} + address "{{ rule_config.destination.address }}" +{% endif %} +{% if rule_config.destination.port is vyos_defined %} +{% if '-' in rule_config.destination.port %} + port-ipt "-m multiport --dports {{ rule_config.destination.port | replace('-', ':') }}" +{% elif ',' in rule_config.destination.port %} + port-ipt "-m multiport --dports {{ rule_config.destination.port }}" +{% else %} + port-ipt " --dport {{ rule_config.destination.port }}" +{% endif %} +{% endif %} + } +{% endif %} +{% if rule_config.source is vyos_defined %} + source { +{% if rule_config.source.address is vyos_defined %} + address "{{ rule_config.source.address }}" +{% endif %} +{% if rule_config.source.port is vyos_defined %} +{% if '-' in rule_config.source.port %} + port-ipt "-m multiport --sports {{ rule_config.source.port | replace('-', ':') }}" +{% elif ',' in rule_config.destination.port %} + port-ipt "-m multiport --sports {{ rule_config.source.port }}" +{% else %} + port.ipt " --sport {{ rule_config.source.port }}" +{% endif %} +{% endif %} + } +{% endif %} +{% if rule_config.inbound_interface is vyos_defined %} + inbound-interface {{ rule_config.inbound_interface }} +{% endif %} +{% if rule_config.interface is vyos_defined %} +{% for interface, interface_config in rule_config.interface.items() %} + interface {{ interface }} { +{% if interface_config.weight is vyos_defined %} + weight {{ interface_config.weight }} +{% endif %} + } +{% endfor %} +{% endif %} +} +{% endfor %} +{% endif %} diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2 new file mode 100644 index 0000000..695b66a --- /dev/null +++ b/data/templates/login/authorized_keys.j2 @@ -0,0 +1,8 @@ +### Automatically generated by system_login.py ### + +{% if authentication.public_keys is vyos_defined %} +{% for key, key_options in authentication.public_keys.items() %} +{# The whitespace after options is wisely chosen #} +{{ key_options.options ~ ' ' if key_options.options is vyos_defined }}{{ key_options.type }} {{ key_options.key }} {{ key }} +{% endfor %} +{% endif %} diff --git a/data/templates/login/autologout.j2 b/data/templates/login/autologout.j2 new file mode 100644 index 0000000..dc94eec --- /dev/null +++ b/data/templates/login/autologout.j2 @@ -0,0 +1,5 @@ +{% if timeout is vyos_defined %} +TMOUT={{ timeout }} +readonly TMOUT +export TMOUT +{% endif %} diff --git a/data/templates/login/default_motd.j2 b/data/templates/login/default_motd.j2 new file mode 100644 index 0000000..543c6f8 --- /dev/null +++ b/data/templates/login/default_motd.j2 @@ -0,0 +1,14 @@ +Welcome to VyOS! + + ┌── ┐ + . VyOS {{ version_data.version }} + └ ──┘ {{ version_data.release_train }} + + * Documentation: {{ version_data.documentation_url }} + * Project news: {{ version_data.project_news_url }} + * Bug reports: {{ version_data.bugtracker_url }} + +You can change this banner using "set system login banner post-login" command. + +VyOS is a free software distribution that includes multiple components, +you can check individual component licenses under /usr/share/doc/*/copyright diff --git a/data/templates/login/limits.j2 b/data/templates/login/limits.j2 new file mode 100644 index 0000000..31abc85 --- /dev/null +++ b/data/templates/login/limits.j2 @@ -0,0 +1,5 @@ +# Generated by system_login.py + +{% if max_login_session is vyos_defined %} +* - maxsyslogins {{ max_login_session }} +{% endif %} diff --git a/data/templates/login/nsswitch.conf.j2 b/data/templates/login/nsswitch.conf.j2 new file mode 100644 index 0000000..0adfb49 --- /dev/null +++ b/data/templates/login/nsswitch.conf.j2 @@ -0,0 +1,20 @@ +# automatically generated by system_login.py ### +# /etc/nsswitch.conf +# +# Example configuration of GNU Name Service Switch functionality. + +passwd: {{ 'mapuid ' if radius is vyos_defined }}{{ 'tacplus ' if tacacs is vyos_defined }}files{{ ' mapname' if radius is vyos_defined }} +group: {{ 'mapname ' if radius is vyos_defined }}{{ 'tacplus ' if tacacs is vyos_defined }}files +shadow: files +gshadow: files + +# Per T2678, commenting out myhostname +hosts: files dns #myhostname +networks: files + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis diff --git a/data/templates/login/pam_otp_ga.conf.j2 b/data/templates/login/pam_otp_ga.conf.j2 new file mode 100644 index 0000000..cf51ce0 --- /dev/null +++ b/data/templates/login/pam_otp_ga.conf.j2 @@ -0,0 +1,7 @@ +{% if authentication.otp.key is vyos_defined %} +{{ authentication.otp.key | upper }} +" RATE_LIMIT {{ authentication.otp.rate_limit }} {{ authentication.otp.rate_time }} +" WINDOW_SIZE {{ authentication.otp.window_size }} +" DISALLOW_REUSE +" TOTP_AUTH +{% endif %} diff --git a/data/templates/login/pam_radius_auth.conf.j2 b/data/templates/login/pam_radius_auth.conf.j2 new file mode 100644 index 0000000..75437ca --- /dev/null +++ b/data/templates/login/pam_radius_auth.conf.j2 @@ -0,0 +1,35 @@ +### Automatically generated by system_login.py ### +# RADIUS configuration file + +{% if radius is vyos_defined %} +{# RADIUS IPv6 source address must be specified in [] notation #} +{% set source_address = namespace() %} +{% if radius.source_address is vyos_defined %} +{% for address in radius.source_address %} +{% if address | is_ipv4 %} +{% set source_address.ipv4 = address %} +{% elif address | is_ipv6 %} +{% set source_address.ipv6 = "[" + address + "]" %} +{% endif %} +{% endfor %} +{% endif %} +{% if radius.server is vyos_defined %} +# server[:port] shared_secret timeout source_ip +{# .items() returns a tuple of two elements: key and value. 1 relates to the 2nd element i.e. the value and .priority relates to the key from the internal dict #} +{% for server, options in radius.server.items() | sort(attribute='1.priority') if not 'disable' in options %} +{# RADIUS IPv6 servers must be specified in [] notation #} +{% if server | is_ipv4 %} +{{ server }}:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv4 if source_address.ipv4 is vyos_defined }} +{% else %} +[{{ server }}]:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv6 if source_address.ipv6 is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} + +priv-lvl 15 +mapped_priv_user radius_priv_user + +{% if radius.vrf is vyos_defined %} +vrf-name {{ radius.vrf }} +{% endif %} +{% endif %} diff --git a/data/templates/login/tacplus_nss.conf.j2 b/data/templates/login/tacplus_nss.conf.j2 new file mode 100644 index 0000000..2a30b17 --- /dev/null +++ b/data/templates/login/tacplus_nss.conf.j2 @@ -0,0 +1,74 @@ +#%NSS_TACPLUS-1.0 +# Install this file as /etc/tacplus_nss.conf +# Edit /etc/nsswitch.conf to add tacplus to the passwd lookup, similar to this +# where tacplus precede compat (or files), and depending on local policy can +# follow or precede ldap, nis, etc. +# passwd: tacplus compat +# +# Servers are tried in the order listed, and once a server +# replies, no other servers are attempted in a given process instantiation +# +# This configuration is similar to the libpam_tacplus configuration, but +# is maintained as a configuration file, since nsswitch.conf doesn't +# support passing parameters. Parameters must start in the first +# column, and parsing stops at the first whitespace + +# if set, errors and other issues are logged with syslog +#debug=1 + +# min_uid is the minimum uid to lookup via tacacs. Setting this to 0 +# means uid 0 (root) is never looked up, good for robustness and performance +# Cumulus Linux ships with it set to 1001, so we never lookup our standard +# local users, including the cumulus uid of 1000. Should not be greater +# than the local tacacs{0..15} uids +min_uid=900 + +# This is a comma separated list of usernames that are never sent to +# a tacacs server, they cause an early not found return. +# +# "*" is not a wild card. While it's not a legal username, it turns out +# that during pathname completion, bash can do an NSS lookup on "*" +# To avoid server round trip delays, or worse, unreachable server delays +# on filename completion, we include "*" in the exclusion list. +exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }} + +# The include keyword allows centralizing the tacacs+ server information +# including the IP address and shared secret +# include=/etc/tacplus_servers + +# The server IP address can be optionally followed by a ':' and a port +# number (server=1.1.1.1:49). It is strongly recommended that you NOT +# add secret keys to this file, because it is world readable. +{% if tacacs.server is vyos_defined %} +{% for server, server_config in tacacs.server.items() %} +secret={{ server_config.key }} +server={{ server }}:{{ server_config.port }} + +{% endfor %} +{% endif %} + +{% if tacacs.vrf is vyos_defined %} +# If the management network is in a vrf, set this variable to the vrf name. +# This would usually be "mgmt". When this variable is set, the connection to the +# TACACS+ accounting servers will be made through the named vrf. +vrf={{ tacacs.vrf }} +{% endif %} + +{% if tacacs.source_address is vyos_defined %} +# Sets the IPv4 address used as the source IP address when communicating with +# the TACACS+ server. IPv6 addresses are not supported, nor are hostnames. +# The address must work when passsed to the bind() system call, that is, it must +# be valid for the interface being used. +source_ip={{ tacacs.source_address }} +{% endif %} + +# The connection timeout for an NSS library should be short, since it is +# invoked for many programs and daemons, and a failure is usually not +# catastrophic. Not set or set to a negative value disables use of poll(). +# This follows the include of tacplus_servers, so it can override any +# timeout value set in that file. +# It's important to have this set in this file, even if the same value +# as in tacplus_servers, since tacplus_servers should not be readable +# by users other than root. +timeout={{ tacacs.timeout }} + diff --git a/data/templates/login/tacplus_servers.j2 b/data/templates/login/tacplus_servers.j2 new file mode 100644 index 0000000..23e8e49 --- /dev/null +++ b/data/templates/login/tacplus_servers.j2 @@ -0,0 +1,58 @@ +# Automatically generated by system_login.py +# TACACS+ configuration file + +# This is a common file used by audisp-tacplus, libpam_tacplus, and +# libtacplus_map config files as shipped. +# +# Any tac_plus client config can go here that is common to all users of this +# file, but typically it's just the TACACS+ server IP address(es) and shared +# secret(s) +# +# This file should normally be mode 600, if you care about the security of your +# secret key. When set to mode 600 NSS lookups for TACACS users will only work +# for tacacs users that are logged in, via the local mapping. For root, lookups +# will work for any tacacs users, logged in or not. + +# Set a per-connection timeout of 10 seconds, and enable the use of poll() when +# trying to read from tacacs servers. Otherwise standard TCP timeouts apply. +# Not set or set to a negative value disables use of poll(). There are usually +# multiple connection attempts per login. +timeout={{ tacacs.timeout }} + +{% if tacacs.server is vyos_defined %} +{% for server, server_config in tacacs.server.items() %} +secret={{ server_config.key }} +server={{ server }}:{{ server_config.port }} +{% endfor %} +{% endif %} + +# If set, login/logout accounting records are sent to all servers in +# the list, otherwise only to the first responding server +# Also used by audisp-tacplus per-command accounting, if it sources this file. +acct_all=1 + +{% if tacacs.vrf is vyos_defined %} +# If the management network is in a vrf, set this variable to the vrf name. +# This would usually be "mgmt". When this variable is set, the connection to the +# TACACS+ accounting servers will be made through the named vrf. +vrf={{ tacacs.vrf }} +{% endif %} + +{% if tacacs.source_address is vyos_defined %} +# Sets the IPv4 address used as the source IP address when communicating with +# the TACACS+ server. IPv6 addresses are not supported, nor are hostnames. +# The address must work when passsed to the bind() system call, that is, it must +# be valid for the interface being used. +source_ip={{ tacacs.source_address }} +{% endif %} + +# If user_homedir=1, then tacacs users will be set to have a home directory +# based on their login name, rather than the mapped tacacsN home directory. +# mkhomedir_helper is used to create the directory if it does not exist (similar +# to use of pam_mkhomedir.so). This flag is ignored for users with restricted +# shells, e.g., users mapped to a tacacs privilege level that has enforced +# per-command authorization (see the tacplus-restrict man page). +user_homedir=1 + +service=shell +protocol=ssh diff --git a/data/templates/logs/logrotate/vyos-atop.j2 b/data/templates/logs/logrotate/vyos-atop.j2 new file mode 100644 index 0000000..2d078f3 --- /dev/null +++ b/data/templates/logs/logrotate/vyos-atop.j2 @@ -0,0 +1,20 @@ +/var/log/atop/atop.log { + daily + dateext + dateformat _%Y-%m-%d_%H-%M-%S + maxsize {{ max_size }}M + missingok + nocompress + nocreate + nomail + rotate {{ rotate }} + prerotate + # stop the service + systemctl stop atop.service + endscript + postrotate + # start atop service again + systemctl start atop.service + endscript +} + diff --git a/data/templates/logs/logrotate/vyos-rsyslog.j2 b/data/templates/logs/logrotate/vyos-rsyslog.j2 new file mode 100644 index 0000000..f2e4d2a --- /dev/null +++ b/data/templates/logs/logrotate/vyos-rsyslog.j2 @@ -0,0 +1,13 @@ +/var/log/messages { + create + missingok + nomail + notifempty + rotate {{ rotate }} + size {{ max_size }}M + postrotate + # inform rsyslog service about rotation + /usr/lib/rsyslog/rsyslog-rotate + endscript +} + diff --git a/data/templates/macsec/wpa_supplicant.conf.j2 b/data/templates/macsec/wpa_supplicant.conf.j2 new file mode 100644 index 0000000..4bb7629 --- /dev/null +++ b/data/templates/macsec/wpa_supplicant.conf.j2 @@ -0,0 +1,97 @@ +### Autogenerated by interfaces_macsec.py ### + +# see full documentation: +# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf + +# For UNIX domain sockets (default on Linux and BSD): This is a directory that +# will be created for UNIX domain sockets for listening to requests from +# external programs (CLI/GUI, etc.) for status information and configuration. +# The socket file will be named based on the interface name, so multiple +# wpa_supplicant processes can be run at the same time if more than one +# interface is used. +# /var/run/wpa_supplicant is the recommended directory for sockets and by +# default, wpa_cli will use it when trying to connect with wpa_supplicant. +ctrl_interface=/run/wpa_supplicant + +# Note: When using MACsec, eapol_version shall be set to 3, which is +# defined in IEEE Std 802.1X-2010. +eapol_version=3 + +# No need to scan for access points in MACsec mode +ap_scan=0 + +# EAP fast re-authentication +fast_reauth=1 + +network={ + key_mgmt=NONE + + # Note: When using wired authentication (including MACsec drivers), + # eapol_flags must be set to 0 for the authentication to be completed + # successfully. + eapol_flags=0 + + # macsec_policy: IEEE 802.1X/MACsec options + # This determines how sessions are secured with MACsec (only for MACsec + # drivers). + # 0: MACsec not in use (default) + # 1: MACsec enabled - Should secure, accept key server's advice to + # determine whether to use a secure session or not. + macsec_policy=1 + + # macsec_integ_only: IEEE 802.1X/MACsec transmit mode + # This setting applies only when MACsec is in use, i.e., + # - macsec_policy is enabled + # - the key server has decided to enable MACsec + # 0: Encrypt traffic (default) + # 1: Integrity only + macsec_integ_only={{ '0' if security.encrypt is vyos_defined else '1' }} + + # macsec_csindex: IEEE 802.1X/MACsec cipher suite + # 0 = GCM-AES-128 + # 1 = GCM-AES-256 +{# security.cipher is a mandatory key #} + macsec_csindex={{ '1' if security.cipher is vyos_defined('gcm-aes-256') else '0' }} + +{% if security.encrypt is vyos_defined %} + # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode + # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. + # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer + # with lower priority will become the key server and start distributing SAKs. + # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit) + # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) + # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string + # (2..64 hex-digits) + mka_cak={{ security.mka.cak }} + mka_ckn={{ security.mka.ckn }} + + # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being + # default priority + mka_priority={{ security.mka.priority }} +{% endif %} + +{% if security.replay_window is vyos_defined %} + # macsec_replay_protect: IEEE 802.1X/MACsec replay protection + # This setting applies only when MACsec is in use, i.e., + # - macsec_policy is enabled + # - the key server has decided to enable MACsec + # 0: Replay protection disabled (default) + # 1: Replay protection enabled + macsec_replay_protect=1 + + # macsec_replay_window: IEEE 802.1X/MACsec replay protection window + # This determines a window in which replay is tolerated, to allow receipt + # of frames that have been misordered by the network. + # This setting applies only when MACsec replay protection active, i.e., + # - macsec_replay_protect is enabled + # - the key server has decided to enable MACsec + # 0: No replay window, strict check (default) + # 1..2^32-1: number of packets that could be misordered + macsec_replay_window={{ security.replay_window }} +{% endif %} + + # macsec_port: IEEE 802.1X/MACsec port - Port component of the SCI + # Range: 1-65534 (default: 1) + macsec_port=1 +} + diff --git a/data/templates/mdns-repeater/avahi-daemon.conf.j2 b/data/templates/mdns-repeater/avahi-daemon.conf.j2 new file mode 100644 index 0000000..cc64958 --- /dev/null +++ b/data/templates/mdns-repeater/avahi-daemon.conf.j2 @@ -0,0 +1,27 @@ +### Autogenerated by service_mdns_repeater.py ### +[server] +use-ipv4={{ 'yes' if ip_version in ['ipv4', 'both'] else 'no' }} +use-ipv6={{ 'yes' if ip_version in ['ipv6', 'both'] else 'no' }} +allow-interfaces={{ interface | join(', ') }} +{% if browse_domain is vyos_defined and browse_domain | length %} +browse-domains={{ browse_domain | join(', ') }} +{% endif %} +disallow-other-stacks=no + +[wide-area] +enable-wide-area=yes + +[publish] +disable-publishing=yes +disable-user-service-publishing=yes +publish-addresses=no +publish-hinfo=no +publish-workstation=no +publish-aaaa-on-ipv4=no +publish-a-on-ipv6=no + +[reflector] +enable-reflector=yes +{% if allow_service is vyos_defined and allow_service | length %} +reflect-filters={{ allow_service | join(', ') }} +{% endif %} diff --git a/data/templates/mdns-repeater/override.conf.j2 b/data/templates/mdns-repeater/override.conf.j2 new file mode 100644 index 0000000..8c81874 --- /dev/null +++ b/data/templates/mdns-repeater/override.conf.j2 @@ -0,0 +1,7 @@ +[Unit] +After=vyos-router.service +ConditionPathExists={{ config_file }} + +[Service] +ExecStart= +ExecStart=/usr/sbin/avahi-daemon --syslog --file {{ config_file }} diff --git a/data/templates/ndppd/ndppd.conf.j2 b/data/templates/ndppd/ndppd.conf.j2 new file mode 100644 index 0000000..6369dbd --- /dev/null +++ b/data/templates/ndppd/ndppd.conf.j2 @@ -0,0 +1,35 @@ +# autogenerated by service_ndp-proxy.py + +# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route +route-ttl {{ route_refresh }} + +{% if interface is vyos_defined %} +# This sets up a listener, that will listen for any Neighbor Solicitation +# messages, and respond to them according to a set of rules +{% for iface, iface_config in interface.items() if iface_config.disable is not vyos_defined %} +proxy {{ iface }} { + # Turn on or off the router flag for Neighbor Advertisements + router {{ 'yes' if iface_config.enable_router_bit is vyos_defined else 'no' }} + # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) + timeout {{ iface_config.timeout }} + # Control how long a valid or invalid entry remains in the cache (milliseconds) + ttl {{ iface_config.ttl }} + +{% if iface_config.prefix is vyos_defined %} + # This is a rule that the target address is to match against. If no netmask + # is provided, /128 is assumed. You may have several rule sections, and the + # addresses may or may not overlap. +{% for prefix, prefix_config in iface_config.prefix.items() if prefix_config.disable is not vyos_defined %} + rule {{ prefix }} { +{% if prefix_config.mode is vyos_defined('interface') %} + iface {{ prefix_config.interface }} +{% else %} + {{ prefix_config.mode }} +{% endif %} + } +{% endfor %} +{% endif %} +} + +{% endfor %} +{% endif %} diff --git a/data/templates/nhrp/nftables.conf.j2 b/data/templates/nhrp/nftables.conf.j2 new file mode 100644 index 0000000..a0d1f6d --- /dev/null +++ b/data/templates/nhrp/nftables.conf.j2 @@ -0,0 +1,17 @@ +#!/usr/sbin/nft -f + +{% if first_install is not vyos_defined %} +delete table ip vyos_nhrp_filter +{% endif %} +table ip vyos_nhrp_filter { + chain VYOS_NHRP_OUTPUT { + type filter hook output priority 10; policy accept; +{% if tunnel is vyos_defined %} +{% for tun, tunnel_conf in tunnel.items() %} +{% if if_tunnel[tun].source_address is vyos_defined %} + ip protocol gre ip saddr {{ if_tunnel[tun].source_address }} ip daddr 224.0.0.0/4 counter drop comment "VYOS_NHRP_{{ tun }}" +{% endif %} +{% endfor %} +{% endif %} + } +} diff --git a/data/templates/nhrp/opennhrp.conf.j2 b/data/templates/nhrp/opennhrp.conf.j2 new file mode 100644 index 0000000..c040a8f --- /dev/null +++ b/data/templates/nhrp/opennhrp.conf.j2 @@ -0,0 +1,42 @@ +{# j2lint: disable=jinja-variable-format #} +# Created by VyOS - manual changes will be overwritten + +{% if tunnel is vyos_defined %} +{% for name, tunnel_conf in tunnel.items() %} +{% set type = 'spoke' if tunnel_conf.map is vyos_defined or tunnel_conf.dynamic_map is vyos_defined else 'hub' %} +{% set profile_name = profile_map[name] if profile_map is vyos_defined and name in profile_map else '' %} +interface {{ name }} #{{ type }} {{ profile_name }} +{% if tunnel_conf.map is vyos_defined %} +{% for map, map_conf in tunnel_conf.map.items() %} +{% set cisco = ' cisco' if map_conf.cisco is vyos_defined else '' %} +{% set register = ' register' if map_conf.register is vyos_defined else '' %} + map {{ map }} {{ map_conf.nbma_address }}{{ register }}{{ cisco }} +{% endfor %} +{% endif %} +{% if tunnel_conf.dynamic_map is vyos_defined %} +{% for map, map_conf in tunnel_conf.dynamic_map.items() %} + dynamic-map {{ map }} {{ map_conf.nbma_domain_name }} +{% endfor %} +{% endif %} +{% if tunnel_conf.cisco_authentication is vyos_defined %} + cisco-authentication {{ tunnel_conf.cisco_authentication }} +{% endif %} +{% if tunnel_conf.holding_time is vyos_defined %} + holding-time {{ tunnel_conf.holding_time }} +{% endif %} +{% if tunnel_conf.multicast is vyos_defined %} + multicast {{ tunnel_conf.multicast }} +{% endif %} +{% for key in ['non_caching', 'redirect', 'shortcut', 'shortcut_destination'] %} +{% if key in tunnel_conf %} + {{ key | replace("_", "-") }} +{% endif %} +{% endfor %} +{% if tunnel_conf.shortcut_target is vyos_defined %} +{% for target, shortcut_conf in tunnel_conf.shortcut_target.items() %} + shortcut-target {{ target }}{{ ' holding-time ' + shortcut_conf.holding_time if shortcut_conf.holding_time is vyos_defined }} +{% endfor %} +{% endif %} + +{% endfor %} +{% endif %} diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 new file mode 100644 index 0000000..81f7770 --- /dev/null +++ b/data/templates/ocserv/ocserv_config.j2 @@ -0,0 +1,147 @@ +### generated by vpn_openconnect.py ### + +{% if listen_address is vyos_defined %} +listen-host = {{ listen_address }} +{% endif %} + +tcp-port = {{ listen_ports.tcp }} +udp-port = {{ listen_ports.udp }} + +run-as-user = nobody +run-as-group = daemon + +{% if accounting.mode.radius is vyos_defined %} +acct = "radius [config=/run/ocserv/radiusclient.conf]" +{% endif %} + +{% if "radius" in authentication.mode %} +auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]" +{% if authentication.identity_based_config.disabled is not vyos_defined %} +{% if "group" in authentication.identity_based_config.mode %} +config-per-group = {{ authentication.identity_based_config.directory }} +default-group-config = {{ authentication.identity_based_config.default_config }} +{% endif %} +{% endif %} +{% elif "local" in authentication.mode %} +{% if authentication.mode.local == "password-otp" %} +auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" +{% elif authentication.mode.local == "otp" %} +auth = "plain[otp=/run/ocserv/users.oath]" +{% else %} +auth = "plain[/run/ocserv/ocpasswd]" +{% endif %} +{% else %} +auth = "plain[/run/ocserv/ocpasswd]" +{% endif %} + +{% if "identity_based_config" in authentication %} +{% if "user" in authentication.identity_based_config.mode %} +config-per-user = {{ authentication.identity_based_config.directory }} +default-user-config = {{ authentication.identity_based_config.default_config }} +{% endif %} +{% endif %} + +{% if ssl.certificate is vyos_defined %} +server-cert = /run/ocserv/cert.pem +server-key = /run/ocserv/cert.key +{% if ssl.passphrase is vyos_defined %} +key-pin = {{ ssl.passphrase }} +{% endif %} +{% endif %} + +{% if ssl.ca_certificate is vyos_defined %} +ca-cert = /run/ocserv/ca.pem +{% endif %} + +socket-file = /run/ocserv/ocserv.socket +occtl-socket-file = /run/ocserv/occtl.socket +use-occtl = true +isolate-workers = true +keepalive = 300 +dpd = 60 +mobile-dpd = 300 +switch-to-tcp-timeout = 30 +{% if tls_version_min == '1.0' %} +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" +{% elif tls_version_min == '1.1' %} +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0" +{% elif tls_version_min == '1.2' %} +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1" +{% elif tls_version_min == '1.3' %} +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2" +{% endif %} +auth-timeout = 240 +idle-timeout = 1200 +mobile-idle-timeout = 1800 +min-reauth-time = 3 +cookie-timeout = 300 +rekey-method = ssl +try-mtu-discovery = true +cisco-client-compat = true +dtls-legacy = true +max-ban-score = 80 +ban-reset-time = 300 + +# The name to use for the tun device +device = sslvpn + +# DNS settings +{% if network_settings.name_server is vyos_defined %} +{% for dns in network_settings.name_server %} +dns = {{ dns }} +{% endfor %} +{% endif %} +{% if network_settings.tunnel_all_dns is vyos_defined %} +{% if "yes" in network_settings.tunnel_all_dns %} +tunnel-all-dns = true +{% else %} +tunnel-all-dns = false +{% endif %} +{% endif %} + +# IPv4 network pool +{% if network_settings.client_ip_settings.subnet is vyos_defined %} +ipv4-network = {{ network_settings.client_ip_settings.subnet }} +{% endif %} + +# IPv6 network pool +{% if network_settings.client_ipv6_pool.prefix is vyos_defined %} +ipv6-network = {{ network_settings.client_ipv6_pool.prefix }} +ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }} +{% endif %} + +{% if network_settings.push_route is vyos_defined %} +{% for route in network_settings.push_route %} +route = {{ route }} +{% endfor %} +{% endif %} + +{% if network_settings.split_dns is vyos_defined %} +{% for tmp in network_settings.split_dns %} +split-dns = {{ tmp }} +{% endfor %} +{% endif %} + +{% if authentication.group is vyos_defined %} +# Group settings +{% for grp in authentication.group %} +select-group = {{ grp }} +{% endfor %} +{% endif %} + +{% if http_security_headers is vyos_defined %} +# HTTP security headers +included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains +included-http-headers = X-Frame-Options: deny +included-http-headers = X-Content-Type-Options: nosniff +included-http-headers = Content-Security-Policy: default-src "none" +included-http-headers = X-Permitted-Cross-Domain-Policies: none +included-http-headers = Referrer-Policy: no-referrer +included-http-headers = Clear-Site-Data: "cache","cookies","storage" +included-http-headers = Cross-Origin-Embedder-Policy: require-corp +included-http-headers = Cross-Origin-Opener-Policy: same-origin +included-http-headers = Cross-Origin-Resource-Policy: same-origin +included-http-headers = X-XSS-Protection: 0 +included-http-headers = Pragma: no-cache +included-http-headers = Cache-control: no-store, no-cache +{% endif %} diff --git a/data/templates/ocserv/ocserv_otp_usr.j2 b/data/templates/ocserv/ocserv_otp_usr.j2 new file mode 100644 index 0000000..b2511ed --- /dev/null +++ b/data/templates/ocserv/ocserv_otp_usr.j2 @@ -0,0 +1,8 @@ +#<token_type> <username> <pin> <secret_hex_key> <counter> <lastpass> <time> +{% if username is vyos_defined %} +{% for user, user_config in username.items() %} +{% if user_config.disable is not vyos_defined and user_config.otp is vyos_defined %} +{{ user_config.otp.token_tmpl }} {{ user }} {{ user_config.otp.pin | default("-", true) }} {{ user_config.otp.key }} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/ocserv/ocserv_passwd.j2 b/data/templates/ocserv/ocserv_passwd.j2 new file mode 100644 index 0000000..30c79d6 --- /dev/null +++ b/data/templates/ocserv/ocserv_passwd.j2 @@ -0,0 +1,8 @@ +#<username>:<group>:<hash> +{% if username is vyos_defined %} +{% for user, user_config in username.items() %} +{% if user_config.disable is not vyos_defined %} +{{ user }}:*:{{ user_config.hash }} +{% endif %} +{% endfor %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/ocserv/radius_conf.j2 b/data/templates/ocserv/radius_conf.j2 new file mode 100644 index 0000000..1ab322f --- /dev/null +++ b/data/templates/ocserv/radius_conf.j2 @@ -0,0 +1,36 @@ +### generated by vpn_openconnect.py ### +nas-identifier VyOS + +#### Accounting +{% if accounting.mode.radius is vyos_defined %} +{% for acctsrv, srv_conf in accounting.radius.server.items() if 'disable' not in srv_conf %} +{% if srv_conf.port is vyos_defined %} +acctserver {{ acctsrv }}:{{ srv_conf.port }} +{% else %} +acctserver {{ acctsrv }} +{% endif %} +{% endfor %} +{% endif %} + +#### Authentication +{% if authentication.mode.radius is vyos_defined %} +{% for authsrv, srv_conf in authentication.radius.server.items() if 'disable' not in srv_conf %} +{% if srv_conf.port is vyos_defined %} +authserver {{ authsrv }}:{{ srv_conf.port }} +{% else %} +authserver {{ authsrv }} +{% endif %} +{% endfor %} +radius_timeout {{ authentication['radius']['timeout'] }} +{% if source_address %} +bindaddr {{ authentication['radius']['source_address'] }} +{% else %} +bindaddr * +{% endif %} +{% endif %} + +servers /run/ocserv/radius_servers +dictionary /etc/radcli/dictionary +default_realm +radius_retries 3 +#
\ No newline at end of file diff --git a/data/templates/ocserv/radius_servers.j2 b/data/templates/ocserv/radius_servers.j2 new file mode 100644 index 0000000..302e916 --- /dev/null +++ b/data/templates/ocserv/radius_servers.j2 @@ -0,0 +1,7 @@ +### generated by vpn_openconnect.py ### +# server key +{% for srv in server %} +{% if not "disable" in server[srv] %} +{{ srv }} {{ server[srv].key }} +{% endif %} +{% endfor %} diff --git a/data/templates/openvpn/auth.pw.j2 b/data/templates/openvpn/auth.pw.j2 new file mode 100644 index 0000000..9f9b31e --- /dev/null +++ b/data/templates/openvpn/auth.pw.j2 @@ -0,0 +1,5 @@ +{# Autogenerated by interfaces_openvpn.py #} +{% if authentication is vyos_defined %} +{{ authentication.username }} +{{ authentication.password }} +{% endif %} diff --git a/data/templates/openvpn/client.conf.j2 b/data/templates/openvpn/client.conf.j2 new file mode 100644 index 0000000..9edcdc8 --- /dev/null +++ b/data/templates/openvpn/client.conf.j2 @@ -0,0 +1,31 @@ +### Autogenerated by interfaces_openvpn.py ### + +{% if ip is vyos_defined %} +ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }} +{% endif %} +{% if push_route is vyos_defined %} +{% for route in push_route %} +push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}" +{% endfor %} +{% endif %} +{% if subnet is vyos_defined %} +{% for network in subnet %} +iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }} +{% endfor %} +{% endif %} +{# ipv6_remote is only set when IPv6 server is enabled #} +{% if ipv6_remote is vyos_defined %} +# IPv6 +{% if ipv6_ip is vyos_defined %} +ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }} +{% endif %} +{% for route6 in ipv6_push_route %} +push "route-ipv6 {{ route6 }}" +{% endfor %} +{% for net6 in ipv6_subnet %} +iroute-ipv6 {{ net6 }} +{% endfor %} +{% endif %} +{% if disable is vyos_defined %} +disable +{% endif %} diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 new file mode 100644 index 0000000..6ac5254 --- /dev/null +++ b/data/templates/openvpn/server.conf.j2 @@ -0,0 +1,222 @@ +### Autogenerated by interfaces_openvpn.py ### +# +# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +# for individual keyword definition +# +# {{ description if description is vyos_defined }} +# + +verb 3 +dev-type {{ device_type }} +dev {{ ifname }} +persist-key +{% if protocol is vyos_defined('tcp-active') %} +proto tcp-client +{% elif protocol is vyos_defined('tcp-passive') %} +proto tcp-server +{% else %} +proto udp +{% endif %} +{% if local_host is vyos_defined %} +local {{ local_host }} +{% endif %} +{% if mode is vyos_defined('server') and protocol is vyos_defined('udp') and local_host is not vyos_defined %} +multihome +{% endif %} +{% if local_port is vyos_defined %} +lport {{ local_port }} +{% endif %} +{% if remote_port is vyos_defined %} +rport {{ remote_port }} +{% endif %} +{% if remote_host is vyos_defined %} +{% for remote in remote_host %} +remote {{ remote }} +{% endfor %} +{% endif %} +{% if shared_secret_key is vyos_defined %} +secret /run/openvpn/{{ ifname }}_shared.key +{% endif %} +{% if persistent_tunnel is vyos_defined %} +persist-tun +{% endif %} +{% if replace_default_route.local is vyos_defined %} +push "redirect-gateway local def1" +{% elif replace_default_route is vyos_defined %} +push "redirect-gateway def1" +{% endif %} +{% if use_lzo_compression is vyos_defined %} +compress lzo +{% endif %} +{% if offload.dco is not vyos_defined %} +disable-dco +{% endif %} + +{% if mode is vyos_defined('client') %} +# +# OpenVPN Client mode +# +client +nobind + +{% elif mode is vyos_defined('server') %} +# +# OpenVPN Server mode +# +mode server +tls-server +{% if server is vyos_defined %} +{% if server.subnet is vyos_defined %} +{% if server.topology is vyos_defined('point-to-point') %} +topology p2p +{% elif server.topology is vyos_defined %} +topology {{ server.topology }} +{% endif %} +{% for subnet in server.subnet %} +{% if subnet | is_ipv4 %} +server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nopool' if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined else '' }} +{# First ip address is used as gateway. It's allows to use metrics #} +{% if server.push_route is vyos_defined %} +{% for route, route_config in server.push_route.items() %} +{% if route | is_ipv4 %} +push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ 'vpn_gateway' ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}" +{% elif route | is_ipv6 %} +push "route-ipv6 {{ route }}" +{% endif %} +{% endfor %} +{% endif %} +{% elif subnet | is_ipv6 %} +server-ipv6 {{ subnet }} +{% endif %} +{% endfor %} +{% endif %} + +{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %} +ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }} {{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }} +{% endif %} +{% if server.max_connections is vyos_defined %} +max-clients {{ server.max_connections }} +{% endif %} +{% if server.client is vyos_defined %} +client-config-dir /run/openvpn/ccd/{{ ifname }} +{% endif %} +{% endif %} +keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }} +management /run/openvpn/openvpn-mgmt-intf unix +{% if server is vyos_defined %} +{% if server.reject_unconfigured_clients is vyos_defined %} +ccd-exclusive +{% endif %} + +{% if server.name_server is vyos_defined %} +{% for nameserver in server.name_server %} +{% if nameserver | is_ipv4 %} +push "dhcp-option DNS {{ nameserver }}" +{% elif nameserver | is_ipv6 %} +push "dhcp-option DNS6 {{ nameserver }}" +{% endif %} +{% endfor %} +{% endif %} +{% if server.domain_name is vyos_defined %} +push "dhcp-option DOMAIN {{ server.domain_name }}" +{% endif %} +{% if server.mfa.totp is vyos_defined %} +{% set totp_config = server.mfa.totp %} +plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" +{% endif %} +{% endif %} +{% else %} +# +# OpenVPN site-2-site mode +# +ping {{ keep_alive.interval }} +ping-restart {{ keep_alive.failure_count }} + +{% if device_type == 'tap' %} +{% if local_address is vyos_defined %} +{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} +{% if laddr_conf.subnet_mask is vyos_defined %} +ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} +{% endif %} +{% endfor %} +{% endif %} +{% else %} +{% for laddr in local_address if laddr | is_ipv4 %} +{% for raddr in remote_address if raddr | is_ipv4 %} +ifconfig {{ laddr }} {{ raddr }} +{% endfor %} +{% endfor %} +{% for laddr in local_address if laddr | is_ipv6 %} +{% for raddr in remote_address if raddr | is_ipv6 %} +ifconfig-ipv6 {{ laddr }} {{ raddr }} +{% endfor %} +{% endfor %} +{% endif %} +{% endif %} + +{% if tls is vyos_defined %} +# TLS options +{% if tls.ca_certificate is vyos_defined %} +ca /run/openvpn/{{ ifname }}_ca.pem +{% endif %} +{% if tls.certificate is vyos_defined %} +cert /run/openvpn/{{ ifname }}_cert.pem +{% endif %} +{% if tls.private_key is vyos_defined %} +key /run/openvpn/{{ ifname }}_cert.key +{% endif %} +{% if tls.crypt_key is vyos_defined %} +tls-crypt /run/openvpn/{{ ifname }}_crypt.key +{% endif %} +{% if tls.crl is vyos_defined %} +crl-verify /run/openvpn/{{ ifname }}_crl.pem +{% endif %} +{% if tls.tls_version_min is vyos_defined %} +tls-version-min {{ tls.tls_version_min }} +{% endif %} +{% if tls.dh_params is vyos_defined %} +dh /run/openvpn/{{ ifname }}_dh.pem +{% else %} +dh none +{% endif %} +{% if tls.auth_key is vyos_defined %} +{% if mode == 'client' %} +tls-auth /run/openvpn/{{ ifname }}_auth.key 1 +{% elif mode == 'server' %} +tls-auth /run/openvpn/{{ ifname }}_auth.key 0 +{% endif %} +{% endif %} +{% if tls.role is vyos_defined('active') %} +tls-client +{% elif tls.role is vyos_defined('passive') %} +tls-server +{% endif %} + +{% if tls.peer_fingerprint is vyos_defined %} +<peer-fingerprint> +{% for fp in tls.peer_fingerprint %} +{{ fp }} +{% endfor %} +</peer-fingerprint> +{% endif %} +{% endif %} + +# Encryption options +{% if encryption is vyos_defined %} +{% if encryption.cipher is vyos_defined %} +cipher {{ encryption.cipher | openvpn_cipher }} +{% endif %} +{% if encryption.ncp_ciphers is vyos_defined %} +data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} +{% endif %} +{% endif %} +providers default + +{% if hash is vyos_defined %} +auth {{ hash }} +{% endif %} + +{% if authentication is vyos_defined %} +auth-user-pass {{ auth_user_pass_file }} +auth-retry nointeract +{% endif %} diff --git a/data/templates/openvpn/service-override.conf.j2 b/data/templates/openvpn/service-override.conf.j2 new file mode 100644 index 0000000..616ba3b --- /dev/null +++ b/data/templates/openvpn/service-override.conf.j2 @@ -0,0 +1,21 @@ +{% set options = namespace(value='') %} +{% if openvpn_option is vyos_defined %} +{% for option in openvpn_option %} +{# Remove the '--' prefix from variable if it is presented #} +{% if option.startswith('--') %} +{% set option = option.split('--', maxsplit=1)[1] %} +{% endif %} +{# Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #} +{# But now it stopped doing this, so we need to add them for compatibility #} +{# HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #} +{# Using 'openvpn-option' you take all responsibility for compatibility for yourself. #} +{% if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %} +{% set option = 'push \"%s\"' | format(option.split('push ', maxsplit=1)[1]) %} +{% endif %} +{% set options.value = options.value ~ ' --' ~ option %} +{% endfor %} +{% endif %} +[Service] +ExecStart= +ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid {{ options.value }} + diff --git a/data/templates/pmacct/override.conf.j2 b/data/templates/pmacct/override.conf.j2 new file mode 100644 index 0000000..44a100b --- /dev/null +++ b/data/templates/pmacct/override.conf.j2 @@ -0,0 +1,17 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/pmacct/uacctd.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf +ExecStop=/usr/libexec/vyos/system/uacctd_stop.py $MAINPID 60 +WorkingDirectory= +WorkingDirectory=/run/pmacct +Restart=always +RestartSec=10 +KillMode=mixed diff --git a/data/templates/pmacct/uacctd.conf.j2 b/data/templates/pmacct/uacctd.conf.j2 new file mode 100644 index 0000000..aae0a06 --- /dev/null +++ b/data/templates/pmacct/uacctd.conf.j2 @@ -0,0 +1,80 @@ +# Genereated from VyOS configuration +daemonize: true +promisc: false +syslog: daemon +uacctd_group: 2 +uacctd_nl_size: 2097152 +snaplen: {{ packet_length }} +aggregate: in_iface{{ ',out_iface' if enable_egress is vyos_defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows +{% set pipe_size = buffer_size | int *1024 *1024 %} +plugin_pipe_size: {{ pipe_size }} +{# We need an integer division (//) without any remainder or fraction #} +plugin_buffer_size: {{ pipe_size // 1000 }} +{% if syslog_facility is vyos_defined %} +syslog: {{ syslog_facility }} +{% endif %} +{% if disable_imt is not defined %} +imt_path: /tmp/uacctd.pipe +imt_mem_pools_number: 169 +{% endif %} + +{% set plugin = [] %} +{% if netflow.server is vyos_defined %} +{% for server in netflow.server %} +{% set nf_server_key = 'nf_' ~ server | dot_colon_to_dash %} +{% set _ = plugin.append('nfprobe['~ nf_server_key ~ ']') %} +{% endfor %} +{% endif %} +{% if sflow.server is vyos_defined %} +{% for server in sflow.server %} +{% set sf_server_key = 'sf_' ~ server | dot_colon_to_dash %} +{% set _ = plugin.append('sfprobe[' ~ sf_server_key ~ ']') %} +{% endfor %} +{% endif %} +{% if disable_imt is not defined %} +{% set _ = plugin.append('memory') %} +{% endif %} +plugins: {{ plugin | join(',') }} + +{% if netflow.server is vyos_defined %} +# NetFlow servers +{% for server, server_config in netflow.server.items() %} +{# # prevent pmacct syntax error when using IPv6 flow collectors #} +{% set nf_server_key = 'nf_' ~ server | dot_colon_to_dash %} +nfprobe_receiver[{{ nf_server_key }}]: {{ server | bracketize_ipv6 }}:{{ server_config.port }} +nfprobe_version[{{ nf_server_key }}]: {{ netflow.version }} +{% if netflow.engine_id is vyos_defined %} +nfprobe_engine[{{ nf_server_key }}]: {{ netflow.engine_id }} +{% endif %} +{% if netflow.max_flows is vyos_defined %} +nfprobe_maxflows[{{ nf_server_key }}]: {{ netflow.max_flows }} +{% endif %} +{% if netflow.sampling_rate is vyos_defined %} +sampling_rate[{{ nf_server_key }}]: {{ netflow.sampling_rate }} +{% endif %} +{% if netflow.source_address is vyos_defined %} +nfprobe_source_ip[{{ nf_server_key }}]: {{ netflow.source_address | bracketize_ipv6 }} +{% endif %} +{% if netflow.timeout is vyos_defined %} +nfprobe_timeouts[{{ nf_server_key }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }} +{% endif %} + +{% endfor %} +{% endif %} + +{% if sflow.server is vyos_defined %} +# sFlow servers +{% for server, server_config in sflow.server.items() %} +{# # prevent pmacct syntax error when using IPv6 flow collectors #} +{% set sf_server_key = 'sf_' ~ server | dot_colon_to_dash %} +sfprobe_receiver[{{ sf_server_key }}]: {{ server | bracketize_ipv6 }}:{{ server_config.port }} +sfprobe_agentip[{{ sf_server_key }}]: {{ sflow.agent_address }} +{% if sflow.sampling_rate is vyos_defined %} +sampling_rate[{{ sf_server_key }}]: {{ sflow.sampling_rate }} +{% endif %} +{% if sflow.source_address is vyos_defined %} +sfprobe_source_ip[{{ sf_server_key }}]: {{ sflow.source_address | bracketize_ipv6 }} +{% endif %} + +{% endfor %} +{% endif %} diff --git a/data/templates/pppoe/peer.j2 b/data/templates/pppoe/peer.j2 new file mode 100644 index 0000000..efe47f3 --- /dev/null +++ b/data/templates/pppoe/peer.j2 @@ -0,0 +1,89 @@ +### Autogenerated by interfaces_pppoe.py ### +{{ '# ' ~ description if description is vyos_defined else '' }} + +# Require peer to provide the local IP address if it is not +# specified explicitly in the config file. +noipdefault + +# Don't show the password in logfiles: +hide-password + +# Standard Link Control Protocol (LCP) parameters: +lcp-echo-interval 20 +lcp-echo-failure 3 + +# RFC 2516, paragraph 7 mandates that the following options MUST NOT be +# requested and MUST be rejected if requested by the peer: +# Address-and-Control-Field-Compression (ACFC) +noaccomp + +# Asynchronous-Control-Character-Map (ACCM) +default-asyncmap + +# Override any connect script that may have been set in /etc/ppp/options. +connect /bin/true + +# Don't try to authenticate the remote node +noauth + +# Don't try to proxy ARP for the remote endpoint. User can set proxy +# arp entries up manually if they wish. More importantly, having +# the "proxyarp" parameter set disables the "defaultroute" option. +noproxyarp + +# Unlimited connection attempts +maxfail 0 + +plugin rp-pppoe.so {{ source_interface }} +{% if access_concentrator is vyos_defined %} +pppoe-ac "{{ access_concentrator }}" +{% endif %} +{% if service_name is vyos_defined %} +pppoe-service "{{ service_name }}" +{% endif %} +{% if host_uniq is vyos_defined %} +pppoe-host-uniq "{{ host_uniq }}" +{% endif %} + +persist +ifname {{ ifname }} +ipparam {{ ifname }} +debug +mtu {{ mtu }} +mru {{ mru }} + +{% if authentication is vyos_defined %} +{{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }} +{{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }} +{% endif %} + +{{ "usepeerdns" if no_peer_dns is not vyos_defined }} + +{% if ipv6 is vyos_defined %} ++ipv6 {{ 'ipv6cp-use-ipaddr' if ipv6.address.autoconf is vyos_defined }} +{% else %} +noipv6 +{% endif %} + +{% if holdoff is vyos_defined %} +holdoff {{ holdoff }} +{% endif %} + +{% if connect_on_demand is vyos_defined %} +demand +# See T2249. PPP default route options should only be set when in on-demand +# mode. As soon as we are not in on-demand mode the default-route handling is +# passed to the ip-up.d/ip-down.s scripts which is required for VRF support. +{% if 'auto' in default_route %} +defaultroute +{{ 'defaultroute6' if ipv6 is vyos_defined }} +{% elif 'force' in default_route %} +defaultroute +replacedefaultroute +{{ 'defaultroute6' if ipv6 is vyos_defined }} +{% endif %} +{% else %} +nodefaultroute +noreplacedefaultroute +{{ 'nodefaultroute6' if ipv6 is vyos_defined }} +{% endif %} diff --git a/data/templates/protocols/systemd_vyos_failover_service.j2 b/data/templates/protocols/systemd_vyos_failover_service.j2 new file mode 100644 index 0000000..e6501e0 --- /dev/null +++ b/data/templates/protocols/systemd_vyos_failover_service.j2 @@ -0,0 +1,11 @@ +[Unit] +Description=Failover route service +After=vyos-router.service + +[Service] +Type=simple +Restart=always +ExecStart=/usr/bin/python3 /usr/libexec/vyos/vyos-failover.py --config /run/vyos-failover.conf + +[Install] +WantedBy=multi-user.target diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2 new file mode 100644 index 0000000..97180d1 --- /dev/null +++ b/data/templates/router-advert/radvd.conf.j2 @@ -0,0 +1,85 @@ +### Autogenerated by service_router-advert.py ### + +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} { + IgnoreIfMissing on; +{% if iface_config.default_preference is vyos_defined %} + AdvDefaultPreference {{ iface_config.default_preference }}; +{% endif %} +{% if iface_config.managed_flag is vyos_defined %} + AdvManagedFlag {{ 'on' if iface_config.managed_flag is vyos_defined else 'off' }}; +{% endif %} +{% if iface_config.interval.max is vyos_defined %} + MaxRtrAdvInterval {{ iface_config.interval.max }}; +{% endif %} +{% if iface_config.interval.min is vyos_defined %} + MinRtrAdvInterval {{ iface_config.interval.min }}; +{% endif %} +{% if iface_config.reachable_time is vyos_defined %} + AdvReachableTime {{ iface_config.reachable_time }}; +{% endif %} + AdvIntervalOpt {{ 'off' if iface_config.no_send_advert is vyos_defined else 'on' }}; + AdvSendAdvert {{ 'off' if iface_config.no_send_advert is vyos_defined else 'on' }}; +{% if iface_config.default_lifetime is vyos_defined %} + AdvDefaultLifetime {{ iface_config.default_lifetime }}; +{% endif %} +{% if iface_config.link_mtu is vyos_defined %} + AdvLinkMTU {{ iface_config.link_mtu }}; +{% endif %} + AdvOtherConfigFlag {{ 'on' if iface_config.other_config_flag is vyos_defined else 'off' }}; + AdvRetransTimer {{ iface_config.retrans_timer }}; + AdvCurHopLimit {{ iface_config.hop_limit }}; +{% if iface_config.route is vyos_defined %} +{% for route, route_options in iface_config.route.items() %} + route {{ route }} { +{% if route_options.valid_lifetime is vyos_defined %} + AdvRouteLifetime {{ route_options.valid_lifetime }}; +{% endif %} +{% if route_options.route_preference is vyos_defined %} + AdvRoutePreference {{ route_options.route_preference }}; +{% endif %} + RemoveRoute {{ 'off' if route_options.no_remove_route is vyos_defined else 'on' }}; + }; +{% endfor %} +{% endif %} +{% if iface_config.source_address is vyos_defined %} + AdvRASrcAddress { +{% for source_address in iface_config.source_address %} + {{ source_address }}; +{% endfor %} + }; +{% endif %} +{% if iface_config.nat64prefix is vyos_defined %} +{% for nat64prefix, nat64prefix_options in iface_config.nat64prefix.items() %} + nat64prefix {{ nat64prefix }} { + AdvValidLifetime {{ nat64prefix_options.valid_lifetime }}; + }; +{% endfor %} +{% endif %} +{% if iface_config.prefix is vyos_defined %} +{% for prefix, prefix_options in iface_config.prefix.items() %} + prefix {{ prefix }} { + AdvAutonomous {{ 'off' if prefix_options.no_autonomous_flag is vyos_defined else 'on' }}; + AdvValidLifetime {{ prefix_options.valid_lifetime }}; + AdvOnLink {{ 'off' if prefix_options.no_on_link_flag is vyos_defined else 'on' }}; + AdvPreferredLifetime {{ prefix_options.preferred_lifetime }}; + DeprecatePrefix {{ 'on' if prefix_options.deprecate_prefix is vyos_defined else 'off' }}; + DecrementLifetimes {{ 'on' if prefix_options.decrement_lifetime is vyos_defined else 'off' }}; + }; +{% endfor %} +{% endif %} +{% if iface_config.name_server is vyos_defined %} + RDNSS {{ iface_config.name_server | join(" ") }} { +{% if iface_config.name_server_lifetime is vyos_defined %} + AdvRDNSSLifetime {{ iface_config.name_server_lifetime }}; +{% endif %} + }; +{% endif %} +{% if iface_config.dnssl is vyos_defined %} + DNSSL {{ iface_config.dnssl | join(" ") }} { + }; +{% endif %} +}; +{% endfor %} +{% endif %} diff --git a/data/templates/rsyslog/logrotate.j2 b/data/templates/rsyslog/logrotate.j2 new file mode 100644 index 0000000..ea33fea --- /dev/null +++ b/data/templates/rsyslog/logrotate.j2 @@ -0,0 +1,27 @@ +### Autogenerated by system_syslog.py ### +/var/log/messages { + missingok + notifempty + create + rotate 5 + size=256k + postrotate + invoke-rc.d rsyslog rotate > /dev/null + endscript +} + +{% if file is vyos_defined %} +{% for file_name, file_options in file.items() %} +/var/log/user/{{ file_name }} { + missingok + notifempty + create + rotate {{ file_options.archive.file }} + size={{ file_options.archive.size | int // 1024 }}k + postrotate + invoke-rc.d rsyslog rotate > /dev/null + endscript +} + +{% endfor %} +{% endif %} diff --git a/data/templates/rsyslog/override.conf.j2 b/data/templates/rsyslog/override.conf.j2 new file mode 100644 index 0000000..5f6a87e --- /dev/null +++ b/data/templates/rsyslog/override.conf.j2 @@ -0,0 +1,11 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/rsyslogd -n -iNONE +Restart=always +RestartPreventExitStatus= +RestartSec=10 +RuntimeDirectoryPreserve=yes diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2 new file mode 100644 index 0000000..97e0ee0 --- /dev/null +++ b/data/templates/rsyslog/rsyslog.conf.j2 @@ -0,0 +1,78 @@ +### Autogenerated by system_syslog.py ### + +{% if global.marker is vyos_defined %} +$ModLoad immark +{% if global.marker.interval is vyos_defined %} +$MarkMessagePeriod {{ global.marker.interval }} +{% endif %} +{% endif %} +{% if global.preserve_fqdn is vyos_defined %} +$PreserveFQDN on +{% endif %} + +# We always log to /var/log/messages +$outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }} +{% if global.facility is vyos_defined %} +{% set tmp = [] %} +{% for facility, facility_options in global.facility.items() %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} +{% endfor %} +{{ tmp | join(';') }} :omfile:$global +{% endif %} + +{% if file is vyos_defined %} +# File based configuration section +{% for file_name, file_options in file.items() %} +{% set tmp = [] %} +$outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archive.size }},/usr/sbin/logrotate {{ logrotate }} +{% if file_options.facility is vyos_defined %} +{% for facility, facility_options in file_options.facility.items() %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} +{% endfor %} +{% endif %} +{{ tmp | join(';') }} :omfile:${{ file }} +{% endfor %} +{% endif %} + +{% if console.facility is vyos_defined %} +# Console logging +{% set tmp = [] %} +{% for facility, facility_options in console.facility.items() %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} +{% endfor %} +{{ tmp | join(';') }} /dev/console +{% endif %} + +{% if host is vyos_defined %} +# Remote logging +{% for host_name, host_options in host.items() %} +{% set tmp = [] %} +{% if host_options.facility is vyos_defined %} +{% for facility, facility_options in host_options.facility.items() %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} +{% endfor %} +{% endif %} +{% if host_options.protocol is vyos_defined('tcp') %} +{% if host_options.format.octet_counted is vyos_defined %} +{{ tmp | join(';') }} @@(o){{ host_name | bracketize_ipv6 }}:{{ host_options.port }};RSYSLOG_SyslogProtocol23Format +{% else %} +{{ tmp | join(';') }} @@{{ host_name | bracketize_ipv6 }}:{{ host_options.port }} +{% endif %} +{% else %} +{{ tmp | join(';') }} @{{ host_name | bracketize_ipv6 }}:{{ host_options.port }}{{ ';RSYSLOG_SyslogProtocol23Format' if host_options.format.octet_counted is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} + +{% if user is defined and user is not none %} +# Log to user terminal +{% for username, user_options in user.items() %} +{% set tmp = [] %} +{% if user_options.facility is vyos_defined %} +{% for facility, facility_options in user_options.facility.items() %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} +{% endfor %} +{% endif %} +{{ tmp | join(';') }} :omusrmsg:{{ username }} +{% endfor %} +{% endif %} diff --git a/data/templates/salt-minion/minion.j2 b/data/templates/salt-minion/minion.j2 new file mode 100644 index 0000000..a69438f --- /dev/null +++ b/data/templates/salt-minion/minion.j2 @@ -0,0 +1,67 @@ +### Autogenerated by service_salt-minion.py ### + +##### Primary configuration settings ##### +########################################## + +# The hash_type is the hash to use when discovering the hash of a file on +# the master server. The default is sha256, but md5, sha1, sha224, sha384 and +# sha512 are also supported. +# +# WARNING: While md5 and sha1 are also supported, do not use them due to the +# high chance of possible collisions and thus security breach. +# +# Prior to changing this value, the master should be stopped and all Salt +# caches should be cleared. +hash_type: {{ hash }} + +##### Logging settings ##### +########################################## +# The location of the minion log file +# The minion log can be sent to a regular file, local path name, or network +# location. Remote logging works best when configured to use rsyslogd(8) (e.g.: +# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI +# format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility> +# log_file: file:///dev/log +# +log_file: /var/log/salt/minion + +# The level of messages to send to the console. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# +# The following log levels are considered INSECURE and may log sensitive data: +# ['garbage', 'trace', 'debug'] +# +# Default: 'warning' +log_level: warning + +# Set the location of the salt master server, if the master server cannot be +# resolved, then the minion will fail to start. +master: +{% for host in master %} + - {{ host | bracketize_ipv6 }} +{% endfor %} + +# The user to run salt +user: minion + +# The directory to store the pki information in +pki_dir: /config/salt/pki/minion + +# Explicitly declare the id for this minion to use, if left commented the id +# will be the hostname as returned by the python call: socket.getfqdn() +# Since salt uses detached ids it is possible to run multiple minions on the +# same machine but with different ids, this can be useful for salt compute +# clusters. +id: {{ id }} + +# The number of minutes between mine updates. +mine_interval: {{ interval }} + +{% if source_interface is vyos_defined %} +# The name of the interface to use when establishing the connection to the Master. +source_interface_name: {{ source_interface }} +{% endif %} + +# Enables verification of the master-public-signature returned by the master +# in auth-replies. +verify_master_pubkey_sign: {{ 'True' if master_key is vyos_defined else 'False' }} diff --git a/data/templates/sflow/hsflowd.conf.j2 b/data/templates/sflow/hsflowd.conf.j2 new file mode 100644 index 0000000..5000956 --- /dev/null +++ b/data/templates/sflow/hsflowd.conf.j2 @@ -0,0 +1,32 @@ +# Genereated by /usr/libexec/vyos/conf_mode/system_sflow.py +# Parameters http://sflow.net/host-sflow-linux-config.php + +sflow { +{% if polling is vyos_defined %} + polling={{ polling }} +{% endif %} +{% if sampling_rate is vyos_defined %} + sampling={{ sampling_rate }} + sampling.bps_ratio=0 +{% endif %} +{% if agent_address is vyos_defined %} + agentIP={{ agent_address }} +{% endif %} +{% if agent_interface is vyos_defined %} + agent={{ agent_interface }} +{% endif %} +{% if server is vyos_defined %} +{% for server, server_config in server.items() %} + collector { ip = {{ server }} udpport = {{ server_config.port }} } +{% endfor %} +{% endif %} +{% if interface is vyos_defined %} +{% for iface in interface %} + pcap { dev={{ iface }} } +{% endfor %} +{% endif %} +{% if drop_monitor_limit is vyos_defined %} + dropmon { limit={{ drop_monitor_limit }} start=on sw=on hw=off } +{% endif %} + dbus { } +} diff --git a/data/templates/sflow/override.conf.j2 b/data/templates/sflow/override.conf.j2 new file mode 100644 index 0000000..73588fd --- /dev/null +++ b/data/templates/sflow/override.conf.j2 @@ -0,0 +1,17 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/sflow/hsflowd.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/hsflowd -m %m -d -f /run/sflow/hsflowd.conf +WorkingDirectory= +WorkingDirectory=/run/sflow +PIDFile= +PIDFile=/run/sflow/hsflowd.pid +Restart=always +RestartSec=10 diff --git a/data/templates/sla/owamp-override.conf.j2 b/data/templates/sla/owamp-override.conf.j2 new file mode 100644 index 0000000..b5ec161 --- /dev/null +++ b/data/templates/sla/owamp-override.conf.j2 @@ -0,0 +1,16 @@ +[Unit] +Description==OWAMP server +After=vyos-router.service +# Only start if there is a configuration file +ConditionFileNotEmpty=/etc/owamp-server/owamp-server.conf + +[Service] +KillMode=process +Type=simple +ExecStart=/usr/sbin/owampd -c /etc/owamp-server -R /var/run +ExecReload=/bin/kill -HUP $MAINPID +PIDFile=/run/owamp-server.pid +LimitNOFILE=4096 + +[Install] +WantedBy=multi-user.target diff --git a/data/templates/sla/owamp-server.conf.j2 b/data/templates/sla/owamp-server.conf.j2 new file mode 100644 index 0000000..6af963e --- /dev/null +++ b/data/templates/sla/owamp-server.conf.j2 @@ -0,0 +1,20 @@ +### Autogenerated by service_twamp-server.py ### + +user owamp +group owamp + +verbose +vardir /var/run + +# location for "recv" session files. +# The "catalog" subdirectory is completely cleaned and recreated each time +datadir /var/lib/owamp + +srcnode :{{ port }} + +# This is used to limit testing to a specific port range. The valid values are: +# 0 (twampd will let the system to pick the port number (ephemeral) +# low-high (A range. high must be larger than low.) +testports 8760-9960 + +diskfudge 3.0 diff --git a/data/templates/sla/twamp-override.conf.j2 b/data/templates/sla/twamp-override.conf.j2 new file mode 100644 index 0000000..34bbd22 --- /dev/null +++ b/data/templates/sla/twamp-override.conf.j2 @@ -0,0 +1,16 @@ +[Unit] +Description==TWAMP server +After=vyos-router.service +# Only start if there is a configuration file +ConditionFileNotEmpty=/etc/twamp-server/twamp-server.conf + +[Service] +KillMode=process +Type=simple +ExecStart=/usr/sbin/twampd -c /etc/twamp-server -R /var/run +ExecReload=/bin/kill -HUP $MAINPID +PIDFile=/run/twamp-server.pid +LimitNOFILE=4096 + +[Install] +WantedBy=multi-user.target diff --git a/data/templates/sla/twamp-server.conf.j2 b/data/templates/sla/twamp-server.conf.j2 new file mode 100644 index 0000000..ea5bbb5 --- /dev/null +++ b/data/templates/sla/twamp-server.conf.j2 @@ -0,0 +1,18 @@ +### Autogenerated by service_twamp-server.py ### + +user twamp +group twamp + +verbose +vardir /var/run + +# location for "recv" session files. +# The "catalog" subdirectory is completely cleaned and recreated each time +datadir /var/lib/twamp + +srcnode :{{ port }} + +# This is used to limit testing to a specific port range. The valid values are: +# 0 (twampd will let the system to pick the port number (ephemeral) +# low-high (A range. high must be larger than low.) +testports 18760-19960 diff --git a/data/templates/snmp/etc.snmp.conf.j2 b/data/templates/snmp/etc.snmp.conf.j2 new file mode 100644 index 0000000..c214b22 --- /dev/null +++ b/data/templates/snmp/etc.snmp.conf.j2 @@ -0,0 +1,4 @@ +### Autogenerated by service_snmp.py ### +{% if trap_source is vyos_defined %} +clientaddr {{ trap_source }} +{% endif %} diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2 new file mode 100644 index 0000000..9d91192 --- /dev/null +++ b/data/templates/snmp/etc.snmpd.conf.j2 @@ -0,0 +1,216 @@ +### Autogenerated by service_snmp.py ### + +# non configurable defaults +sysObjectID 1.3.6.1.4.1.44641 +sysServices 14 +master agentx +agentXPerms 0777 0777 +pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias +smuxpeer .1.3.6.1.2.1.83 +smuxpeer .1.3.6.1.2.1.157 +smuxsocket localhost + +# linkUp/Down configure the Event MIB tables to monitor +# the ifTable for network interfaces being taken up or down +# for making internal queries to retrieve any necessary information +iquerySecName {{ vyos_user }} + +# Modified from the default linkUpDownNotification +# to include more OIDs and poll more frequently +notificationEvent linkUpTrap linkUp ifIndex ifDescr ifType ifAdminStatus ifOperStatus +notificationEvent linkDownTrap linkDown ifIndex ifDescr ifType ifAdminStatus ifOperStatus +monitor -r 10 -e linkUpTrap "Generate linkUp" ifOperStatus != 2 +monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2 + +# Remove all old ifTable entries with the same ifName as newly appeared +# interface (with different ifIndex) - this is the case on e.g. ppp interfaces +interface_replace_old yes + +# T4902: exclude container storage from monitoring +ignoreDisk /usr/lib/live/mount/persistence/container + +######################## +# configurable section # +######################## + +# Default system description is VyOS version +sysDescr VyOS {{ version }} + +{% if description is vyos_defined %} +# Description +SysDescr {{ description }} +{% endif %} + +# Listen +{% set options = [] %} +{% if listen_address is vyos_defined %} +{% for address, address_options in listen_address.items() %} +{% if address | is_ipv6 %} +{% set protocol = protocol ~ '6' %} +{% endif %} +{% set _ = options.append(protocol ~ ':' ~ address | bracketize_ipv6 ~ ':' ~ address_options.port) %} +{% endfor %} +{% else %} +{% set _ = options.append(protocol ~ ':161') %} +{% set _ = options.append(protocol ~ '6:161') %} +{% endif %} +agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vyos_defined }} + +{% if mib is vyos_defined %} +# Interface MIB limits +{% if mib.interface_max is vyos_defined %} +ifmib_max_num_ifaces {{ mib.interface_max }} +{% endif %} +{% if mib.interface is vyos_defined %} +include_ifmib_iface_prefix {{ mib.interface | join(' ') }} +{% endif %} +{% endif %} + +# SNMP communities +{% if community is vyos_defined %} +{% for comm, comm_config in community.items() %} +{% if comm_config.client is vyos_defined %} +{% for client in comm_config.client %} +{% if client | is_ipv4 %} +{{ comm_config.authorization }}community {{ comm }} {{ client }} -V RESTRICTED +{% elif client | is_ipv6 %} +{{ comm_config.authorization }}community6 {{ comm }} {{ client }} -V RESTRICTED +{% endif %} +{% endfor %} +{% endif %} +{% if comm_config.network is vyos_defined %} +{% for network in comm_config.network %} +{% if network | is_ipv4 %} +{{ comm_config.authorization }}community {{ comm }} {{ network }} -V RESTRICTED +{% elif network | is_ipv6 %} +{{ comm_config.authorization }}community6 {{ comm }} {{ network }} -V RESTRICTED +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} + +# Default RESTRICTED view +view RESTRICTED included .1 80 +{% if 'ip-route-table' not in oid_enable %} +# ipRouteTable oid: excluded +view RESTRICTED excluded .1.3.6.1.2.1.4.21 +{% endif %} +{% if 'ip-net-to-media-table' not in oid_enable %} +# ipNetToMediaTable oid: excluded +view RESTRICTED excluded .1.3.6.1.2.1.4.22 +{% endif %} +{% if 'ip-net-to-physical-phys-address' not in oid_enable %} +# ipNetToPhysicalPhysAddress oid: excluded +view RESTRICTED excluded .1.3.6.1.2.1.4.35 +{% endif %} +{% if 'ip-forward' not in oid_enable %} +# ipForward oid: excluded +view RESTRICTED excluded .1.3.6.1.2.1.4.24 +{% endif %} + +{% if contact is vyos_defined %} +# system contact information +SysContact {{ contact }} +{% endif %} + +{% if location is vyos_defined %} +# system location information +SysLocation {{ location }} +{% endif %} + +{% if smux_peer is vyos_defined %} +# additional smux peers +{% for peer in smux_peer %} +smuxpeer {{ peer }} +{% endfor %} +{% endif %} + +{% if trap_target is vyos_defined %} +# if there is a problem - tell someone! +{% for trap, trap_config in trap_target.items() %} +trap2sink {{ trap }}:{{ trap_config.port }} {{ trap_config.community }} +{% endfor %} +{% endif %} + +{% if v3 is vyos_defined %} +# +# SNMPv3 stuff goes here +# +{% if v3.view is vyos_defined %} +# views +{% for view, view_config in v3.view.items() %} +{% if view_config.oid is vyos_defined %} +{% for oid, oid_config in view_config.oid.items() %} +view {{ view }} included .{{ oid }} +{% if oid_config.exclude is vyos_defined %} +{% for excluded in oid_config.exclude %} +view {{ view }} excluded .{{ excluded }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} + +# access +{% if v3.group is vyos_defined %} +# context sec.model sec.level match read write notif +{% for group, group_config in v3.group.items() %} +access {{ group }} "" usm {{ group_config.seclevel }} exact {{ group_config.view }} {{ 'none' if group_config.mode == 'ro' else group_config.view }} none +{% endfor %} +{% endif %} + +# trap-target +{% if v3.trap_target is vyos_defined %} +{% for trap, trap_config in v3.trap_target.items() %} +{% set options = '' %} +{% if trap_config.type == 'inform' %} +{% set options = options ~ ' -Ci' %} +{% endif %} +{% if v3.engineid is vyos_defined %} +{% set options = options ~ ' -e "' ~ v3.engineid ~ '"' %} +{% endif %} +{% if trap_config.user is vyos_defined %} +{% set options = options ~ ' -u ' ~ trap_config.user %} +{% endif %} +{% if trap_config.auth.plaintext_password is vyos_defined or trap_config.auth.encrypted_password is vyos_defined %} +{% set options = options ~ ' -a ' ~ trap_config.auth.type %} +{% if trap_config.auth.plaintext_password is vyos_defined %} +{% set options = options ~ ' -A ' ~ trap_config.auth.plaintext_password %} +{% elif trap_config.auth.encrypted_password is vyos_defined %} +{% set options = options ~ ' -3m ' ~ trap_config.auth.encrypted_password %} +{% endif %} +{% if trap_config.privacy.plaintext_password is vyos_defined or trap_config.privacy.encrypted_password is vyos_defined %} +{% set options = options ~ ' -x ' ~ trap_config.privacy.type %} +{% if trap_config.privacy.plaintext_password is vyos_defined %} +{% set options = options ~ ' -X ' ~ trap_config.privacy.plaintext_password %} +{% elif trap_config.privacy.encrypted_password is vyos_defined %} +{% set options = options ~ ' -3M ' ~ trap_config.privacy.encrypted_password %} +{% endif %} +{% set options = options ~ ' -l authPriv' %} +{% else %} +{% set options = options ~ ' -l authNoPriv' %} +{% endif %} +{% else %} +{% set options = options ~ ' -l noAuthNoPriv' %} +{% endif %} +trapsess -v 3 {{ options }} {{ trap }}:{{ trap_config.protocol }}:{{ trap_config.port }} +{% endfor %} +{% endif %} + +# group +{% if v3.user is vyos_defined %} +{% for user, user_config in v3.user.items() %} +group {{ user_config.group }} usm {{ user }} +{% endfor %} +{% endif %} +{# SNMPv3 end #} +{% endif %} + +{% if script_extensions.extension_name is vyos_defined %} +# extension scripts +{% for script, script_config in script_extensions.extension_name.items() | sort(attribute=script) %} +extend {{ script }} {{ script_config.script }} +{% endfor %} +{% endif %} diff --git a/data/templates/snmp/override.conf.j2 b/data/templates/snmp/override.conf.j2 new file mode 100644 index 0000000..42dc7a9 --- /dev/null +++ b/data/templates/snmp/override.conf.j2 @@ -0,0 +1,12 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + +[Service] +Environment= +Environment="MIBDIRS=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/vyos/mibs" +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -f -p /run/snmpd.pid +Restart=always +RestartSec=10 diff --git a/data/templates/snmp/usr.snmpd.conf.j2 b/data/templates/snmp/usr.snmpd.conf.j2 new file mode 100644 index 0000000..189032b --- /dev/null +++ b/data/templates/snmp/usr.snmpd.conf.j2 @@ -0,0 +1,8 @@ +### Autogenerated by service_snmp.py ### +{% if v3.user is vyos_defined %} +{% for user, user_config in v3.user.items() %} +{{ user_config.mode }}user {{ user }} +{% endfor %} +{% endif %} + +rwuser {{ vyos_user }} diff --git a/data/templates/snmp/var.snmpd.conf.j2 b/data/templates/snmp/var.snmpd.conf.j2 new file mode 100644 index 0000000..afab88a --- /dev/null +++ b/data/templates/snmp/var.snmpd.conf.j2 @@ -0,0 +1,16 @@ +### Autogenerated by service_snmp.py ### +# user +{% if v3 is vyos_defined %} +{% if v3.user is vyos_defined %} +{% for user, user_config in v3.user.items() %} +usmUser 1 3 0x{{ v3.engineid }} "{{ user }}" "{{ user }}" NULL {{ user_config.auth.type | snmp_auth_oid }} 0x{{ user_config.auth.encrypted_password }} {{ user_config.privacy.type | snmp_auth_oid }} 0x{{ user_config.privacy.encrypted_password }} 0x +{% endfor %} +{% endif %} + +# VyOS default user +createUser {{ vyos_user }} MD5 "{{ vyos_user_pass }}" DES + +{% if v3.engineid is vyos_defined %} +oldEngineID 0x{{ v3.engineid }} +{% endif %} +{% endif %} diff --git a/data/templates/squid/sg_acl.conf.j2 b/data/templates/squid/sg_acl.conf.j2 new file mode 100644 index 0000000..78297a2 --- /dev/null +++ b/data/templates/squid/sg_acl.conf.j2 @@ -0,0 +1,17 @@ +### generated by service_webproxy.py ### +dbhome {{ squidguard_db_dir }} +dest {{ category }}-{{ rule }} { +{% if list_type == 'domains' %} + domainlist {{ category }}/domains +{% elif list_type == 'urls' %} + urllist {{ category }}/urls +{% elif list_type == 'expressions' %} + expressionlist {{ category }}/expressions +{% endif %} +} + +acl { + default { + pass all + } +} diff --git a/data/templates/squid/squid.conf.j2 b/data/templates/squid/squid.conf.j2 new file mode 100644 index 0000000..b953c8b --- /dev/null +++ b/data/templates/squid/squid.conf.j2 @@ -0,0 +1,126 @@ +### generated by service_webproxy.py ### + +acl net src all +acl SSL_ports port 443 +{% if ssl_safe_ports is vyos_defined %} +{% for port in ssl_safe_ports %} +acl SSL_ports port {{ port }} +{% endfor %} +{% endif %} +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 873 # rsync +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +{% if safe_ports is vyos_defined %} +{% for port in safe_ports %} +acl Safe_ports port {{ port }} +{% endfor %} +{% endif %} +acl CONNECT method CONNECT +{% if domain_block is vyos_defined %} +{% for domain in domain_block %} +acl BLOCKDOMAIN dstdomain {{ domain }} +{% endfor %} +http_access deny BLOCKDOMAIN +{% endif %} +{% if authentication is vyos_defined %} +{% if authentication.children is vyos_defined %} +auth_param basic children {{ authentication.children }} +{% endif %} +{% if authentication.credentials_ttl is vyos_defined %} +auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute +{% endif %} +{% if authentication.realm is vyos_defined %} +auth_param basic realm "{{ authentication.realm }}" +{% endif %} +{# LDAP based Authentication #} +{% if authentication.method is vyos_defined %} +{% if authentication.ldap is vyos_defined and authentication.method is vyos_defined('ldap') %} +auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' ~ authentication.ldap.bind_dn ~ '"' if authentication.ldap.bind_dn is vyos_defined }} {{ '-w "' ~ authentication.ldap.password ~ '"' if authentication.ldap.password is vyos_defined }} {{ '-f "' ~ authentication.ldap.filter_expression ~ '"' if authentication.ldap.filter_expression is vyos_defined }} {{ '-u "' ~ authentication.ldap.username_attribute ~ '"' if authentication.ldap.username_attribute is vyos_defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is vyos_defined }} -R -h "{{ authentication.ldap.server }}" +{% endif %} +acl auth proxy_auth REQUIRED +http_access allow auth +{% endif %} +{% endif %} + +http_access allow manager localhost +http_access deny manager +http_access deny !Safe_ports +http_access deny CONNECT !SSL_ports +http_access allow localhost +http_access allow net +http_access deny all + +{% if reply_block_mime is vyos_defined %} +{% for mime_type in reply_block_mime %} +acl BLOCK_MIME rep_mime_type {{ mime_type }} +{% endfor %} +http_reply_access deny BLOCK_MIME +{% endif %} + +{% if cache_size is vyos_defined %} +{% if cache_size | int > 0 %} +cache_dir ufs /var/spool/squid {{ cache_size }} 16 256 +{% else %} +# disabling disk cache +{% endif %} +{% endif %} +{% if mem_cache_size is vyos_defined %} +cache_mem {{ mem_cache_size }} MB +{% endif %} +{% if disable_access_log is vyos_defined %} +access_log none +{% else %} +access_log /var/log/squid/access.log squid +{% endif %} + +{# by default we'll disable the store log #} +cache_store_log none + +{% if append_domain is vyos_defined %} +append_domain {{ append_domain }} +{% endif %} +{% if maximum_object_size is vyos_defined %} +maximum_object_size {{ maximum_object_size }} KB +{% endif %} +{% if minimum_object_size is vyos_defined %} +minimum_object_size {{ minimum_object_size }} KB +{% endif %} +{% if reply_body_max_size is vyos_defined %} +reply_body_max_size {{ reply_body_max_size }} KB +{% endif %} +{% if outgoing_address is vyos_defined %} +tcp_outgoing_address {{ outgoing_address }} +{% endif %} + + +{% if listen_address is vyos_defined %} +{% for address, config in listen_address.items() %} +http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is vyos_defined else default_port }} {{ 'intercept' if config.disable_transparent is not vyos_defined }} +{% endfor %} +{% endif %} +http_port 127.0.0.1:{{ default_port }} + +{# NOT insert the client address in X-Forwarded-For header #} +forwarded_for off + +{# SquidGuard #} +{% if url_filtering.disable is not vyos_defined and url_filtering.squidguard is vyos_defined %} +url_rewrite_program /usr/bin/squidGuard -c {{ squidguard_conf }} +url_rewrite_children 8 +url_rewrite_bypass on +{% endif %} + +{% if cache_peer is vyos_defined %} +{% for peer, config in cache_peer.items() %} +cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }} +{% endfor %} +never_direct allow all +{% endif %} diff --git a/data/templates/squid/squidGuard.conf.j2 b/data/templates/squid/squidGuard.conf.j2 new file mode 100644 index 0000000..a93f878 --- /dev/null +++ b/data/templates/squid/squidGuard.conf.j2 @@ -0,0 +1,206 @@ +### generated by service_webproxy.py ### + +{% macro sg_rule(category, rule, log, db_dir) %} +{% set domains = db_dir + '/' + category + '/domains' %} +{% set urls = db_dir + '/' + category + '/urls' %} +{% set expressions = db_dir + '/' + category + '/expressions' %} +dest {{ category }}-{{ rule }}{ +{% if domains | is_file %} + domainlist {{ category }}/domains +{% endif %} +{% if urls | is_file %} + urllist {{ category }}/urls +{% endif %} +{% if expressions | is_file %} + expressionlist {{ category }}/expressions +{% endif %} +{% if log is vyos_defined %} + log blacklist.log +{% endif %} +} +{% endmacro %} + +{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %} +{% if url_filtering.squidguard is vyos_defined %} +{% set sg_config = url_filtering.squidguard %} +{% set acl = namespace(value='') %} +{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %} +{% set ruleacls = {} %} +dbhome {{ squidguard_db_dir }} +logdir /var/log/squid + +rewrite safesearch { + s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i + s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i + s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i + s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i + s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i + s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i + log rewrite.log +} + +{% if sg_config.local_ok is vyos_defined %} +{% set acl.value = acl.value + ' local-ok-default' %} +dest local-ok-default { + domainlist local-ok-default/domains +} +{% endif %} + +{% if sg_config.local_ok_url is vyos_defined %} +{% set acl.value = acl.value + ' local-ok-url-default' %} +dest local-ok-url-default { + urllist local-ok-url-default/urls +} +{% endif %} + +{% if sg_config.local_block is vyos_defined %} +{% set acl.value = acl.value + ' !local-block-default' %} +dest local-block-default { + domainlist local-block-default/domains +} +{% endif %} + +{% if sg_config.local_block_url is vyos_defined %} +{% set acl.value = acl.value + ' !local-block-url-default' %} +dest local-block-url-default { + urllist local-block-url-default/urls +} +{% endif %} + +{% if sg_config.local_block_keyword is vyos_defined %} +{% set acl.value = acl.value + ' !local-block-keyword-default' %} +dest local-block-keyword-default { + expressionlist local-block-keyword-default/expressions +} +{% endif %} + +{% if sg_config.block_category is vyos_defined %} +{% for category in sg_config.block_category %} +{{ sg_rule(category, 'default', sg_config.log, squidguard_db_dir) }} +{% set acl.value = acl.value + ' !' + category + '-default' %} +{% endfor %} +{% endif %} +{% if sg_config.allow_category is vyos_defined %} +{% for category in sg_config.allow_category %} +{{ sg_rule(category, 'default', False, squidguard_db_dir) }} +{% set acl.value = acl.value + ' ' + category + '-default' %} +{% endfor %} +{% endif %} + + +{% if sg_config.rule is vyos_defined %} +{% for rule, rule_config in sg_config.rule.items() %} +{% if rule_config.local_ok is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'local-ok-' + rule}) %} +{% endif %} +dest local-ok-{{ rule }} { + domainlist local-ok-{{ rule }}/domains +} +{% endif %} + +{% if rule_config.local_ok_url is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-url-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'local-ok-url-' + rule}) %} +{% endif %} +dest local-ok-url-{{ rule }} { + urllist local-ok-url-{{ rule }}/urls +} +{% endif %} + +{% if rule_config.local_block is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!local-block-' + rule}) %} +{% endif %} +dest local-block-{{ rule }} { + domainlist local-block-{{ rule }}/domains +} +{% endif %} + +{% if rule_config.local_block_url is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-url-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!ocal-block-url-' + rule}) %} +{% endif %} +dest local-block-url-{{ rule }} { + urllist local-block-url-{{ rule }}/urls +} +{% endif %} + +{% if rule_config.local_block_keyword is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-keyword-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!local-block-keyword-' + rule}) %} +{% endif %} +dest local-block-keyword-{{ rule }} { + expressionlist local-block-keyword-{{ rule }}/expressions +} +{% endif %} + +{% if rule_config.block_category is vyos_defined %} +{% for b_category in rule_config.block_category %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !' + b_category + '-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!' + b_category + '-' + rule}) %} +{% endif %} +{{ sg_rule(b_category, rule, sg_config.log, squidguard_db_dir) }} +{% endfor %} +{% endif %} + +{% if rule_config.allow_category is vyos_defined %} +{% for a_category in rule_config.allow_category %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' ' + a_category + '-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:a_category + '-' + rule}) %} +{% endif %} +{{ sg_rule(a_category, rule, sg_config.log, squidguard_db_dir) }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} + + +{% if sg_config.source_group is vyos_defined %} +{% for sgroup, sg_config in sg_config.source_group.items() %} +{% if sg_config.address is vyos_defined %} +src {{ sgroup }} { +{% for address in sg_config.address %} + ip {{ address }} +{% endfor %} +} +{% endif %} +{% endfor %} +{% endif %} + +acl { +{% if sg_config.rule is vyos_defined %} +{% for rule, rule_config in sg_config.rule.items() %} + {{ rule_config.source_group }} { + pass {{ ruleacls[rule] }} {{ 'none' if rule_config.default_action is vyos_defined('block') else 'any' }} + } +{% endfor %} +{% endif %} + + default { +{% if sg_config.enable_safe_search is vyos_defined %} + rewrite safesearch +{% endif %} + pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'any' }} + redirect 302:http://{{ sg_config.redirect_url }} +{% if sg_config.log is vyos_defined %} + log blacklist.log +{% endif %} + } +} +{% endif %} +{% endif %} diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 new file mode 100644 index 0000000..650fd25 --- /dev/null +++ b/data/templates/ssh/sshd_config.j2 @@ -0,0 +1,107 @@ +### Autogenerated by service_ssh.py ### + +# https://linux.die.net/man/5/sshd_config + +# +# Non-configurable defaults +# +Protocol 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key +SyslogFacility AUTH +LoginGraceTime 120 +StrictModes yes +PubkeyAuthentication yes +IgnoreRhosts yes +HostbasedAuthentication no +PermitEmptyPasswords no +X11Forwarding yes +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +Banner /etc/issue.net +Subsystem sftp /usr/lib/openssh/sftp-server +UsePAM yes +PermitRootLogin no +PidFile /run/sshd/sshd.pid +AddressFamily any +DebianBanner no +KbdInteractiveAuthentication no + +# +# User configurable section +# + +# Look up remote host name and check that the resolved host name for the remote IP +# address maps back to the very same IP address. +UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }} + +# Specifies the port number that sshd(8) listens on +{% for value in port %} +Port {{ value }} +{% endfor %} + +# Gives the verbosity level that is used when logging messages from sshd +LogLevel {{ loglevel | upper }} + +# Specifies whether password authentication is allowed +PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} + +{% if listen_address is vyos_defined %} +# Specifies the local addresses sshd should listen on +{% for address in listen_address %} +ListenAddress {{ address }} +{% endfor %} +{% endif %} + +{% if ciphers is vyos_defined %} +# Specifies the ciphers allowed for protocol version 2 +Ciphers {{ ciphers | join(',') }} +{% endif %} + +{% if hostkey_algorithm is vyos_defined %} +# Specifies the available Host Key signature algorithms +HostKeyAlgorithms {{ hostkey_algorithm | join(',') }} +{% endif %} + +{% if mac is vyos_defined %} +# Specifies the available MAC (message authentication code) algorithms +MACs {{ mac | join(',') }} +{% endif %} + +{% if key_exchange is vyos_defined %} +# Specifies the available Key Exchange algorithms +KexAlgorithms {{ key_exchange | join(',') }} +{% endif %} + +{% if access_control is vyos_defined %} +{% if access_control.allow.user is vyos_defined %} +# If specified, login is allowed only for user names that match +AllowUsers {{ access_control.allow.user | join(' ') }} +{% endif %} +{% if access_control.allow.group is vyos_defined %} +# If specified, login is allowed only for users whose primary group or supplementary group list matches +AllowGroups {{ access_control.allow.group | join(' ') }} +{% endif %} +{% if access_control.deny.user is vyos_defined %} +# Login is disallowed for user names that match +DenyUsers {{ access_control.deny.user | join(' ') }} +{% endif %} +{% if access_control.deny.group is vyos_defined %} +# Login is disallowed for users whose primary group or supplementary group list matches +DenyGroups {{ access_control.deny.group | join(' ') }} +{% endif %} +{% endif %} + +{% if client_keepalive_interval is vyos_defined %} +# Sets a timeout interval in seconds after which if no data has been received from the client, +# sshd(8) will send a message through the encrypted channel to request a response from the client +ClientAliveInterval {{ client_keepalive_interval }} +{% endif %} + +{% if rekey.data is vyos_defined %} +RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }} +{% endif %} diff --git a/data/templates/ssh/sshguard_config.j2 b/data/templates/ssh/sshguard_config.j2 new file mode 100644 index 0000000..2e75074 --- /dev/null +++ b/data/templates/ssh/sshguard_config.j2 @@ -0,0 +1,27 @@ +### Autogenerated by service_ssh.py ### + +{% if dynamic_protection is vyos_defined %} +# Full path to backend executable (required, no default) +BACKEND="/usr/libexec/sshguard/sshg-fw-nft-sets" + +# Shell command that provides logs on standard output. (optional, no default) +# Example 1: ssh and sendmail from systemd journal: +LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -o cat" + +#### OPTIONS #### +# Block attackers when their cumulative attack score exceeds THRESHOLD. +# Most attacks have a score of 10. (optional, default 30) +THRESHOLD={{ dynamic_protection.threshold }} + +# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD. +# Subsequent blocks increase by a factor of 1.5. (optional, default 120) +BLOCK_TIME={{ dynamic_protection.block_time }} + +# Remember potential attackers for up to DETECTION_TIME seconds before +# resetting their score. (optional, default 1800) +DETECTION_TIME={{ dynamic_protection.detect_time }} + +# IP addresses listed in the WHITELIST_FILE are considered to be +# friendlies and will never be blocked. +WHITELIST_FILE=/etc/sshguard/whitelist +{% endif %} diff --git a/data/templates/ssh/sshguard_whitelist.j2 b/data/templates/ssh/sshguard_whitelist.j2 new file mode 100644 index 0000000..194fa29 --- /dev/null +++ b/data/templates/ssh/sshguard_whitelist.j2 @@ -0,0 +1,7 @@ +### Autogenerated by service_ssh.py ### + +{% if dynamic_protection.allow_from is vyos_defined %} +{% for address in dynamic_protection.allow_from %} +{{ address }} +{% endfor %} +{% endif %} diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2 new file mode 100644 index 0000000..d38e53f --- /dev/null +++ b/data/templates/sstp-client/peer.j2 @@ -0,0 +1,53 @@ +### Autogenerated by interfaces_sstpc.py ### +{{ '# ' ~ description if description is vyos_defined else '' }} + +# Require peer to provide the local IP address if it is not +# specified explicitly in the config file. +noipdefault + +# Don't show the password in logfiles: +hide-password + +remotename {{ ifname }} +linkname {{ ifname }} +ipparam {{ ifname }} +ifname {{ ifname }} +pty "sstpc --ipparam {{ ifname }} --nolaunchpppd {{ server }}:{{ port }} --ca-cert {{ ca_file_path }}" + +# Override any connect script that may have been set in /etc/ppp/options. +connect /bin/true + +# We don't need the server to auth itself +noauth + +# We won't want EAP +refuse-eap + +# Don't try to proxy ARP for the remote endpoint. User can set proxy +# arp entries up manually if they wish. More importantly, having +# the "proxyarp" parameter set disables the "defaultroute" option. +noproxyarp + +# Unlimited connection attempts +maxfail 0 + +plugin sstp-pppd-plugin.so +sstp-sock /var/run/sstpc/sstpc-{{ ifname }} + +persist +debug + +# pppd should create a UUCP-style lock file for the serial device to ensure +# exclusive access to the device. By default, pppd will not create a lock file. +lock + +# Disables Deflate compression +nodeflate + +{% if authentication is vyos_defined %} +{{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }} +{{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }} +{% endif %} + +{{ "usepeerdns" if no_peer_dns is not vyos_defined }} + diff --git a/data/templates/system/cloud_init_networking.j2 b/data/templates/system/cloud_init_networking.j2 new file mode 100644 index 0000000..52cce72 --- /dev/null +++ b/data/templates/system/cloud_init_networking.j2 @@ -0,0 +1,9 @@ +network: + version: 2 + ethernets: +{% for iface in ifaces_list %} + {{ iface['name'] }}: + dhcp4: true + match: + macaddress: "{{ iface['mac'] }}" +{% endfor %} diff --git a/data/templates/system/curlrc.j2 b/data/templates/system/curlrc.j2 new file mode 100644 index 0000000..be4efe8 --- /dev/null +++ b/data/templates/system/curlrc.j2 @@ -0,0 +1,6 @@ +{% if http_client.source_interface is vyos_defined %} +--interface "{{ http_client.source_interface }}" +{% endif %} +{% if http_client.source_address is vyos_defined %} +--interface "{{ http_client.source_address }}" +{% endif %} diff --git a/data/templates/system/proxy.j2 b/data/templates/system/proxy.j2 new file mode 100644 index 0000000..0737cd3 --- /dev/null +++ b/data/templates/system/proxy.j2 @@ -0,0 +1,7 @@ +### autogenerated by system_proxy.py ### +{% if url is vyos_defined and port is vyos_defined %} +{# remove http:// prefix so we can inject a username/password if present #} +export http_proxy=http://{{ username ~ ':' ~ password ~ '@' if username is vyos_defined and password is vyos_defined }}{{ url | replace('http://', '') }}:{{ port }} +export https_proxy=$http_proxy +export ftp_proxy=$http_proxy +{% endif %} diff --git a/data/templates/system/ssh_config.j2 b/data/templates/system/ssh_config.j2 new file mode 100644 index 0000000..d3ede09 --- /dev/null +++ b/data/templates/system/ssh_config.j2 @@ -0,0 +1,6 @@ +{% if ssh_client.source_address is vyos_defined %} +BindAddress {{ ssh_client.source_address }} +{% endif %} +{% if ssh_client.source_interface is vyos_defined %} +BindInterface {{ ssh_client.source_interface }} +{% endif %} diff --git a/data/templates/system/sysctl.conf.j2 b/data/templates/system/sysctl.conf.j2 new file mode 100644 index 0000000..db699c3 --- /dev/null +++ b/data/templates/system/sysctl.conf.j2 @@ -0,0 +1,7 @@ +# autogenerated by system_sysctl.py + +{% if parameter is vyos_defined %} +{% for k, v in parameter.items() %} +{{ k }} = {{ v.value }} +{% endfor %} +{% endif %} diff --git a/data/templates/telegraf/override.conf.j2 b/data/templates/telegraf/override.conf.j2 new file mode 100644 index 0000000..7e3e4aa --- /dev/null +++ b/data/templates/telegraf/override.conf.j2 @@ -0,0 +1,16 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +After= +After=vyos-router.service +ConditionPathExists=/run/telegraf/telegraf.conf + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/bin/telegraf --config /run/telegraf/telegraf.conf --config-directory /etc/telegraf/telegraf.d --pidfile /run/telegraf/telegraf.pid +PIDFile=/run/telegraf/telegraf.pid +EnvironmentFile= +Environment=INFLUX_TOKEN={{ influxdb.authentication.token }} +CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_BPF CAP_DAC_OVERRIDE +AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN +Restart=always +RestartSec=10 diff --git a/data/templates/telegraf/syslog_telegraf.j2 b/data/templates/telegraf/syslog_telegraf.j2 new file mode 100644 index 0000000..cdcbd92 --- /dev/null +++ b/data/templates/telegraf/syslog_telegraf.j2 @@ -0,0 +1,5 @@ +# Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py + +$ModLoad omuxsock +$OMUxSockSocket /run/telegraf/telegraf_syslog.sock +*.notice :omuxsock: diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2 new file mode 100644 index 0000000..9623bde --- /dev/null +++ b/data/templates/telegraf/telegraf.j2 @@ -0,0 +1,124 @@ +# Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py + +[agent] + interval = "15s" + round_interval = true + metric_batch_size = 1000 + metric_buffer_limit = 10000 + collection_jitter = "5s" + flush_interval = "15s" + flush_jitter = "0s" + precision = "" + debug = false + quiet = false + logfile = "" + hostname = "{{ hostname }}" + omit_hostname = false +{% if azure_data_explorer is vyos_defined %} +### Azure Data Explorer ### +[[outputs.azure_data_explorer]] + ## The URI property of the Azure Data Explorer resource on Azure + endpoint_url = "{{ azure_data_explorer.url }}" + + ## The Azure Data Explorer database that the metrics will be ingested into. + ## The plugin will NOT generate this database automatically, it's expected that this database already exists before ingestion. + database = "{{ azure_data_explorer.database }}" + metrics_grouping_type = "{{ azure_data_explorer.group_metrics }}" + + ## Name of the single table to store all the metrics (Only needed if metrics_grouping_type is "SingleTable"). +{% if azure_data_explorer.table is vyos_defined and azure_data_explorer.group_metrics == 'SingleTable' %} + table_name = "{{ azure_data_explorer.table }}" +{% endif %} +### End Azure Data Explorer ### +{% endif %} +{% if influxdb is vyos_defined %} +### InfluxDB2 ### +[[outputs.influxdb_v2]] + urls = ["{{ influxdb.url }}:{{ influxdb.port }}"] + insecure_skip_verify = true + token = "$INFLUX_TOKEN" + organization = "{{ influxdb.authentication.organization }}" + bucket = "{{ influxdb.bucket }}" +### End InfluxDB2 ### +{% endif %} +{% if prometheus_client is vyos_defined %} +### Prometheus ### +[[outputs.prometheus_client]] + ## Address to listen on + listen = "{{ prometheus_client.listen_address | bracketize_ipv6 if prometheus_client.listen_address is vyos_defined else '' }}:{{ prometheus_client.port }}" + metric_version = {{ prometheus_client.metric_version }} +{% if prometheus_client.authentication.username is vyos_defined and prometheus_client.authentication.password is vyos_defined %} + ## Use HTTP Basic Authentication + basic_username = "{{ prometheus_client.authentication.username }}" + basic_password = "{{ prometheus_client.authentication.password }}" +{% endif %} +{% if prometheus_client.allow_from is vyos_defined %} + ip_range = {{ prometheus_client.allow_from }} +{% endif %} +### End Prometheus ### +{% endif %} +{% if splunk is vyos_defined %} +### Splunk ### +[[outputs.http]] + ## URL is the address to send metrics to + url = "{{ splunk.url }}" + ## Timeout for HTTP message + # timeout = "5s" + ## Use TLS but skip chain & host verification +{% if splunk.authentication.insecure is vyos_defined %} + insecure_skip_verify = true +{% endif %} + ## Data format to output + data_format = "splunkmetric" + ## Provides time, index, source overrides for the HEC + splunkmetric_hec_routing = true + ## Additional HTTP headers + [outputs.http.headers] + # Should be set manually to "application/json" for json data_format + Content-Type = "application/json" + Authorization = "Splunk {{ splunk.authentication.token }}" + X-Splunk-Request-Channel = "{{ splunk.authentication.token }}" +### End Splunk ### +{% endif %} +[[inputs.cpu]] + percpu = true + totalcpu = true + collect_cpu_time = false + report_active = false +[[inputs.disk]] + ignore_fs = ["devtmpfs", "devfs"] +[[inputs.diskio]] +[[inputs.mem]] +[[inputs.net]] + ignore_protocol_stats = true +[[inputs.nstat]] +[[inputs.system]] +[[inputs.netstat]] +[[inputs.processes]] +[[inputs.kernel]] +[[inputs.interrupts]] +[[inputs.linux_sysctl_fs]] +[[inputs.systemd_units]] +[[inputs.conntrack]] + files = ["ip_conntrack_count","ip_conntrack_max","nf_conntrack_count","nf_conntrack_max"] + dirs = ["/proc/sys/net/ipv4/netfilter","/proc/sys/net/netfilter"] +[[inputs.ethtool]] + interface_include = {{ interfaces_ethernet }} +[[inputs.chrony]] + dns_lookup = true +[[inputs.internal]] +[[inputs.nstat]] +[[inputs.syslog]] + server = "unixgram:///run/telegraf/telegraf_syslog.sock" + best_effort = true + syslog_standard = "RFC3164" +{% if influxdb is vyos_defined %} +[[inputs.exec]] + commands = [ + "{{ custom_scripts_dir }}/show_firewall_input_filter.py", + "{{ custom_scripts_dir }}/show_interfaces_input_filter.py", + "{{ custom_scripts_dir }}/vyos_services_input_filter.py" + ] + timeout = "10s" + data_format = "influx" +{% endif %} diff --git a/data/templates/tftp-server/default.j2 b/data/templates/tftp-server/default.j2 new file mode 100644 index 0000000..d9ce847 --- /dev/null +++ b/data/templates/tftp-server/default.j2 @@ -0,0 +1,8 @@ +{# j2lint: disable=jinja-variable-format #} +### Autogenerated by service_tftp-server.py ### +DAEMON_ARGS="--listen --user tftp --address {{ listen_address }} {{ "--create --umask 000" if allow_upload is vyos_defined }} --secure {{ directory }}" +{% if vrf is vyos_defined %} +VRF_ARGS="ip vrf exec {{ vrf }}" +{% else %} +VRF_ARGS="" +{% endif %} diff --git a/data/templates/vyos-hostsd/hosts.j2 b/data/templates/vyos-hostsd/hosts.j2 new file mode 100644 index 0000000..62ecf3a --- /dev/null +++ b/data/templates/vyos-hostsd/hosts.j2 @@ -0,0 +1,26 @@ +{# j2lint: disable=single-statement-per-line #} +### Autogenerated by VyOS ### +### Do not edit, your changes will get overwritten ### + +# Local host +127.0.0.1 localhost +127.0.1.1 {{ host_name }} + +# The following lines are desirable for IPv6 capable hosts +::1 localhost ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters + +{% if hosts is vyos_defined %} +# From 'system static-host-mapping' and DHCP server +{% for tag, taghosts in hosts.items() %} +# {{ tag }} +{% for host, hostprops in taghosts.items() if hostprops.address is vyos_defined %} +{% for addr in hostprops.address %} +{{ "%-15s" | format(addr) }} {{ host }} {{ hostprops.aliases | join(' ') if hostprops.aliases is vyos_defined }} +{% endfor %} +{% endfor %} +{% endfor %} +{% endif %} diff --git a/data/templates/vyos-hostsd/resolv.conf.j2 b/data/templates/vyos-hostsd/resolv.conf.j2 new file mode 100644 index 0000000..5f651f1 --- /dev/null +++ b/data/templates/vyos-hostsd/resolv.conf.j2 @@ -0,0 +1,25 @@ +### Autogenerated by VyOS ### +### Do not edit, your changes will get overwritten ### + +{# the code below ensures the order of nameservers is determined first by #} +{# the order of tags, then by the order of nameservers within that tag #} + +{% for tag in name_server_tags_system %} +{% if tag in name_servers %} +# {{ tag }} +{% for ns in name_servers[tag] %} +nameserver {{ ns }} +{% endfor %} +{% endif %} +{% endfor %} + +{% if domain_name %} +domain {{ domain_name }} +{% endif %} + +{% for tag in name_server_tags_system %} +{% if tag in search_domains %} +# {{ tag }} +search {{ search_domains[tag] | join(' ') }} +{% endif %} +{% endfor %} diff --git a/data/templates/wifi/hostapd.conf.j2 b/data/templates/wifi/hostapd.conf.j2 new file mode 100644 index 0000000..769325b --- /dev/null +++ b/data/templates/wifi/hostapd.conf.j2 @@ -0,0 +1,747 @@ +{# j2lint: disable=operator-enclosed-by-spaces #} +### Autogenerated by interfaces_wireless.py ### +{% if description is vyos_defined %} +# Description: {{ description }} +# User-friendly description of device; up to 32 octets encoded in UTF-8 +device_name={{ description | truncate(32, True) }} +{% endif %} + +# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for +# management frames with the Host AP driver); wlan0 with many nl80211 drivers +# Note: This attribute can be overridden by the values supplied with the '-i' +# command line parameter. +interface={{ ifname }} + +{% if is_bridge_member is vyos_defined %} +# In case of atheros and nl80211 driver interfaces, an additional +# configuration parameter, bridge, may be used to notify hostapd if the +# interface is included in a bridge. This parameter is not used with Host AP +# driver. If the bridge parameter is not set, the drivers will automatically +# figure out the bridge interface (assuming sysfs is enabled and mounted to +# /sys) and this parameter may not be needed. +# +# For nl80211, this parameter can be used to request the AP interface to be +# added to the bridge automatically (brctl may refuse to do this before hostapd +# has been started to change the interface mode). If needed, the bridge +# interface is also created. +{# as there can only be one bridge interface it is save to loop #} +{% for bridge in is_bridge_member %} +bridge={{ bridge }} +{% endfor %} + +# WDS (4-address frame) mode with per-station virtual interfaces +# (only supported with driver=nl80211) +# This mode allows associated stations to use 4-address frames to allow layer 2 +# bridging to be used. +wds_sta=1 +{% endif %} + +# Driver interface type (hostap/wired/none/nl80211/bsd); +# default: hostap). nl80211 is used with all Linux mac80211 drivers. +# Use driver=none if building hostapd as a standalone RADIUS server that does +# not control any wireless/wired driver. +driver=nl80211 + +# Levels (minimum value for logged events): +# 0 = verbose debugging +# 1 = debugging +# 2 = informational messages +# 3 = notification +# 4 = warning +logger_syslog=-1 +logger_syslog_level=0 +logger_stdout=-1 +logger_stdout_level=0 + +{% if country_code %} +# Country code (ISO/IEC 3166-1). Used to set regulatory domain. +# Set as needed to indicate country in which device is operating. +# This can limit available channels and transmit power. +country_code={{ country_code | upper }} + +# Enable IEEE 802.11d. This advertises the country_code and the set of allowed +# channels and transmit power levels based on the regulatory limits. The +# country_code setting must be configured with the correct country for +# IEEE 802.11d functions. +ieee80211d=1 +{% endif %} + +{% if ssid %} +# SSID to be used in IEEE 802.11 management frames +ssid={{ ssid }} +{% endif %} + +{% if channel %} +# Channel number (IEEE 802.11) +# (default: 0, i.e., not set) +# Please note that some drivers do not use this value from hostapd and the +# channel will need to be configured separately with iwconfig. +channel={{ channel }} +{% endif %} + +{% if mode is vyos_defined %} +# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz), +# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used +# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this +# needs to be set to hw_mode a. For IEEE 802.11ax (HE) on 6 GHz this needs +# to be set to hw_mode a. When using ACS (see channel parameter), a +# special value "any" can be used to indicate that any support band can be used. +# This special case is currently supported only with drivers with which +# offloaded ACS is used. +{% if mode is vyos_defined('n') %} +hw_mode=g +{% elif mode is vyos_defined('ac') %} +hw_mode=a +ieee80211h=1 +ieee80211ac=1 +{% else %} +hw_mode={{ mode }} +{% endif %} +{% endif %} + +# ieee80211w: Whether management frame protection (MFP) is enabled +# 0 = disabled (default) +# 1 = optional +# 2 = required +{% if 'disabled' in mgmt_frame_protection %} +ieee80211w=0 +{% elif 'optional' in mgmt_frame_protection %} +ieee80211w=1 +{% elif 'required' in mgmt_frame_protection %} +ieee80211w=2 +{% endif %} + +{% if capabilities is vyos_defined %} +# ht_capab: HT capabilities (list of flags) +# LDPC coding capability: [LDPC] = supported +# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary +# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz +# with secondary channel above the primary channel +# (20 MHz only if neither is set) +# Note: There are limits on which channels can be used with HT40- and +# HT40+. Following table shows the channels that may be available for +# HT40- and HT40+ use per IEEE 802.11n Annex J: +# freq HT40- HT40+ +# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan) +# 5 GHz 40,48,56,64 36,44,52,60 +# (depending on the location, not all of these channels may be available +# for use) +# Please note that 40 MHz channels may switch their primary and secondary +# channels if needed or creation of 40 MHz channel maybe rejected based +# on overlapping BSSes. These changes are done automatically when hostapd +# is setting up the 40 MHz channel. +# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC] +# (SMPS disabled if neither is set) +# HT-greenfield: [GF] (disabled if not set) +# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set) +# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set) +# Tx STBC: [TX-STBC] (disabled if not set) +# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial +# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC +# disabled if none of these set +# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set) +# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not +# set) +# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set) +# 40 MHz intolerant [40-INTOLERANT] (not advertised if not set) +# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set) +{% set output = namespace(value='') %} + +{% if capabilities.ht.fourtymhz_incapable is vyos_defined %} +{% set output.value = output.value ~ '[40-INTOLERANT]' %} +{% endif %} +{% if capabilities.ht.delayed_block_ack is vyos_defined %} +{% set output.value = output.value ~ '[DELAYED-BA]' %} +{% endif %} +{% if capabilities.ht.dsss_cck_40 is vyos_defined %} +{% set output.value = output.value ~ '[DSSS_CCK-40]' %} +{% endif %} +{% if capabilities.ht.greenfield is vyos_defined %} +{% set output.value = output.value ~ '[GF]' %} +{% endif %} +{% if capabilities.ht.ldpc is vyos_defined %} +{% set output.value = output.value ~ '[LDPC]' %} +{% endif %} +{% if capabilities.ht.lsig_protection is vyos_defined %} +{% set output.value = output.value ~ '[LSIG-TXOP-PROT]' %} +{% endif %} +{% if capabilities.ht.stbc.tx is vyos_defined %} +{% set output.value = output.value ~ '[TX-STBC]' %} +{% endif %} +{% if capabilities.ht.stbc.rx is vyos_defined %} +{% set output.value = output.value ~ '[RX-STBC-' ~ capabilities.ht.stbc.rx | upper ~ ']' %} +{% endif %} +{% if capabilities.ht.max_amsdu is vyos_defined %} +{% set output.value = output.value ~ '[MAX-AMSDU-' ~ capabilities.ht.max_amsdu ~ ']' %} +{% endif %} +{% if capabilities.ht.smps is vyos_defined %} +{% set output.value = output.value ~ '[SMPS-' ~ capabilities.ht.smps | upper ~ ']' %} +{% endif %} + +{% if capabilities.ht.channel_set_width is vyos_defined %} +{% for csw in capabilities.ht.channel_set_width %} +{% set output.value = output.value ~ '[' ~ csw | upper ~ ']' %} +{% endfor %} +{% endif %} + +{% if capabilities.ht.short_gi is vyos_defined %} +{% for short_gi in capabilities.ht.short_gi %} +{% set output.value = output.value ~ '[SHORT-GI-' ~ short_gi | upper ~ ']' %} +{% endfor %} +{% endif %} + +ht_capab={{ output.value }} + +{% if capabilities.ht.auto_powersave is vyos_defined %} +# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] +# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver) +uapsd_advertisement_enabled=1 +{% endif %} +{% endif %} + +# Required for full HT and VHT functionality +wme_enabled=1 + + +{% if capabilities.require_ht is vyos_defined %} +# Require stations to support HT PHY (reject association if they do not) +require_ht=1 +{% endif %} + +{% if capabilities.vht is vyos_defined %} +# vht_capab: VHT capabilities (list of flags) +# +# vht_max_mpdu_len: [MAX-MPDU-7991] [MAX-MPDU-11454] +# Indicates maximum MPDU length +# 0 = 3895 octets (default) +# 1 = 7991 octets +# 2 = 11454 octets +# 3 = reserved +# +# supported_chan_width: [VHT160] [VHT160-80PLUS80] +# Indicates supported Channel widths +# 0 = 160 MHz & 80+80 channel widths are not supported (default) +# 1 = 160 MHz channel width is supported +# 2 = 160 MHz & 80+80 channel widths are supported +# 3 = reserved +# +# Rx LDPC coding capability: [RXLDPC] +# Indicates support for receiving LDPC coded pkts +# 0 = Not supported (default) +# 1 = Supported +# +# Short GI for 80 MHz: [SHORT-GI-80] +# Indicates short GI support for reception of packets transmitted with TXVECTOR +# params format equal to VHT and CBW = 80Mhz +# 0 = Not supported (default) +# 1 = Supported +# +# Short GI for 160 MHz: [SHORT-GI-160] +# Indicates short GI support for reception of packets transmitted with TXVECTOR +# params format equal to VHT and CBW = 160Mhz +# 0 = Not supported (default) +# 1 = Supported +# +# Tx STBC: [TX-STBC-2BY1] +# Indicates support for the transmission of at least 2x1 STBC +# 0 = Not supported (default) +# 1 = Supported +# +# Rx STBC: [RX-STBC-1] [RX-STBC-12] [RX-STBC-123] [RX-STBC-1234] +# Indicates support for the reception of PPDUs using STBC +# 0 = Not supported (default) +# 1 = support of one spatial stream +# 2 = support of one and two spatial streams +# 3 = support of one, two and three spatial streams +# 4 = support of one, two, three and four spatial streams +# 5,6,7 = reserved +# +# SU Beamformer Capable: [SU-BEAMFORMER] +# Indicates support for operation as a single user beamformer +# 0 = Not supported (default) +# 1 = Supported +# +# SU Beamformee Capable: [SU-BEAMFORMEE] +# Indicates support for operation as a single user beamformee +# 0 = Not supported (default) +# 1 = Supported +# +# Compressed Steering Number of Beamformer Antennas Supported: +# [BF-ANTENNA-2] [BF-ANTENNA-3] [BF-ANTENNA-4] +# Beamformee's capability indicating the maximum number of beamformer +# antennas the beamformee can support when sending compressed beamforming +# feedback +# If SU beamformer capable, set to maximum value minus 1 +# else reserved (default) +# +# Number of Sounding Dimensions: +# [SOUNDING-DIMENSION-2] [SOUNDING-DIMENSION-3] [SOUNDING-DIMENSION-4] +# Beamformer's capability indicating the maximum value of the NUM_STS parameter +# in the TXVECTOR of a VHT NDP +# If SU beamformer capable, set to maximum value minus 1 +# else reserved (default) +# +# MU Beamformer Capable: [MU-BEAMFORMER] +# Indicates support for operation as an MU beamformer +# 0 = Not supported or sent by Non-AP STA (default) +# 1 = Supported +# +# VHT TXOP PS: [VHT-TXOP-PS] +# Indicates whether or not the AP supports VHT TXOP Power Save Mode +# or whether or not the STA is in VHT TXOP Power Save mode +# 0 = VHT AP doesn't support VHT TXOP PS mode (OR) VHT STA not in VHT TXOP PS +# mode +# 1 = VHT AP supports VHT TXOP PS mode (OR) VHT STA is in VHT TXOP power save +# mode +# +# +HTC-VHT Capable: [HTC-VHT] +# Indicates whether or not the STA supports receiving a VHT variant HT Control +# field. +# 0 = Not supported (default) +# 1 = supported +# +# Maximum A-MPDU Length Exponent: [MAX-A-MPDU-LEN-EXP0]..[MAX-A-MPDU-LEN-EXP7] +# Indicates the maximum length of A-MPDU pre-EOF padding that the STA can recv +# This field is an integer in the range of 0 to 7. +# The length defined by this field is equal to +# 2 pow(13 ~ Maximum A-MPDU Length Exponent) -1 octets +# +# VHT Link Adaptation Capable: [VHT-LINK-ADAPT2] [VHT-LINK-ADAPT3] +# Indicates whether or not the STA supports link adaptation using VHT variant +# HT Control field +# If +HTC-VHTcapable is 1 +# 0 = (no feedback) if the STA does not provide VHT MFB (default) +# 1 = reserved +# 2 = (Unsolicited) if the STA provides only unsolicited VHT MFB +# 3 = (Both) if the STA can provide VHT MFB in response to VHT MRQ and if the +# STA provides unsolicited VHT MFB +# Reserved if +HTC-VHTcapable is 0 +# +# Rx Antenna Pattern Consistency: [RX-ANTENNA-PATTERN] +# Indicates the possibility of Rx antenna pattern change +# 0 = Rx antenna pattern might change during the lifetime of an association +# 1 = Rx antenna pattern does not change during the lifetime of an association +# +# Tx Antenna Pattern Consistency: [TX-ANTENNA-PATTERN] +# Indicates the possibility of Tx antenna pattern change +# 0 = Tx antenna pattern might change during the lifetime of an association +# 1 = Tx antenna pattern does not change during the lifetime of an + +{% if capabilities.vht.center_channel_freq.freq_1 is vyos_defined %} +# center freq = 5 GHz ~ (5 * index) +# So index 42 gives center freq 5.210 GHz +# which is channel 42 in 5G band +vht_oper_centr_freq_seg0_idx={{ capabilities.vht.center_channel_freq.freq_1 }} +{% endif %} + +{% if capabilities.vht.center_channel_freq.freq_2 is vyos_defined %} +# center freq = 5 GHz ~ (5 * index) +# So index 159 gives center freq 5.795 GHz +# which is channel 159 in 5G band +vht_oper_centr_freq_seg1_idx={{ capabilities.vht.center_channel_freq.freq_2 }} +{% endif %} + +{% if capabilities.vht.channel_set_width is vyos_defined %} +vht_oper_chwidth={{ capabilities.vht.channel_set_width }} +{% endif %} + +{% set output = namespace(value='') %} +{% if capabilities.vht.channel_set_width is vyos_defined('2') %} +{% set output.value = output.value ~ '[VHT160]' %} +{% elif capabilities.vht.channel_set_width is vyos_defined('3') %} +{% set output.value = output.value ~ '[VHT160-80PLUS80]' %} +{% endif %} +{% if capabilities.vht.stbc.tx is vyos_defined %} +{% set output.value = output.value ~ '[TX-STBC-2BY1]' %} +{% endif %} +{% if capabilities.vht.stbc.rx is vyos_defined %} +{% set output.value = output.value ~ '[RX-STBC-' ~ capabilities.vht.stbc.rx ~ ']' %} +{% endif %} +{% if capabilities.vht.ldpc is vyos_defined %} +{% set output.value = output.value ~ '[RXLDPC]' %} +{% endif %} +{% if capabilities.vht.tx_powersave is vyos_defined %} +{% set output.value = output.value ~ '[VHT-TXOP-PS]' %} +{% endif %} +{% if capabilities.vht.vht_cf is vyos_defined %} +{% set output.value = output.value ~ '[HTC-VHT]' %} +{% endif %} +{% if capabilities.vht.antenna_pattern_fixed is vyos_defined %} +{% set output.value = output.value ~ '[RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]' %} +{% endif %} +{% if capabilities.vht.max_mpdu is vyos_defined %} +{% set output.value = output.value ~ '[MAX-MPDU-' ~ capabilities.vht.max_mpdu ~ ']' %} +{% endif %} +{% if capabilities.vht.max_mpdu_exp is vyos_defined %} +{% set output.value = output.value ~ '[MAX-A-MPDU-LEN-EXP-' ~ capabilities.vht.max_mpdu_exp ~ ']' %} +{% endif %} +{% if capabilities.vht.link_adaptation is vyos_defined('unsolicited') %} +{% set output.value = output.value ~ '[VHT-LINK-ADAPT2]' %} +{% elif capabilities.vht.link_adaptation is vyos_defined('both') %} +{% set output.value = output.value ~ '[VHT-LINK-ADAPT3]' %} +{% endif %} +{% for short_gi in capabilities.vht.short_gi if capabilities.vht.short_gi is vyos_defined %} +{% set output.value = output.value ~ '[SHORT-GI-' ~ short_gi | upper ~ ']' %} +{% endfor %} +{% for beamform in capabilities.vht.beamform if capabilities.vht.beamform is vyos_defined %} +{% set output.value = output.value ~ '[SU-BEAMFORMER]' if beamform is vyos_defined('single-user-beamformer') else '' %} +{% set output.value = output.value ~ '[SU-BEAMFORMEE]' if beamform is vyos_defined('single-user-beamformee') else '' %} +{% set output.value = output.value ~ '[MU-BEAMFORMER]' if beamform is vyos_defined('multi-user-beamformer') else '' %} +{% set output.value = output.value ~ '[MU-BEAMFORMEE]' if beamform is vyos_defined('multi-user-beamformee') else '' %} +{% endfor %} +{% if capabilities.vht.antenna_count is vyos_defined and capabilities.vht.antenna_count | int > 1 %} +{% if capabilities.vht.beamform is vyos_defined %} +{% if capabilities.vht.beamform == 'single-user-beamformer' %} +{% if capabilities.vht.antenna_count is vyos_defined and capabilities.vht.antenna_count | int > 1 and capabilities.vht.antenna_count | int < 6 %} +{% set output.value = output.value ~ '[BF-ANTENNA-' ~ capabilities.vht.antenna_count | int -1 ~ ']' %} +{% set output.value = output.value ~ '[SOUNDING-DIMENSION-' ~ capabilities.vht.antenna_count | int -1 ~ ']' %} +{% endif %} +{% endif %} +{% if capabilities.vht.antenna_count is vyos_defined and capabilities.vht.antenna_count | int > 1 and capabilities.vht.antenna_count | int < 5 %} +{% set output.value = output.value ~ '[BF-ANTENNA-' ~ capabilities.vht.antenna_count ~ ']' %} +{% set output.value = output.value ~ '[SOUNDING-DIMENSION-' ~ capabilities.vht.antenna_count ~ ']' %} +{% endif %} +{% endif %} +{% endif %} + +vht_capab={{ output.value }} +{% endif %} + +# ieee80211n: Whether IEEE 802.11n (HT) is enabled +# 0 = disabled (default) +# 1 = enabled +# Note: You will also need to enable WMM for full HT functionality. +# Note: hw_mode=g (2.4 GHz) and hw_mode=a (5 GHz) is used to specify the band. +{% if capabilities.require_vht is vyos_defined %} +ieee80211n=0 +# Require stations to support VHT PHY (reject association if they do not) +require_vht=1 +{% else %} +ieee80211n={{ '1' if 'n' in mode or 'ac' in mode else '0' }} +{% endif %} + +{% if disable_broadcast_ssid is vyos_defined %} +# Send empty SSID in beacons and ignore probe request frames that do not +# specify full SSID, i.e., require stations to know SSID. +# default: disabled (0) +# 1 = send empty (length=0) SSID in beacon and ignore probe request for +# broadcast SSID +# 2 = clear SSID (ASCII 0), but keep the original length (this may be required +# with some clients that do not support empty SSID) and ignore probe +# requests for broadcast SSID +ignore_broadcast_ssid=1 +{% endif %} + +{% if type is vyos_defined('access-point') %} +# Station MAC address-based authentication +# Please note that this kind of access control requires a driver that uses +# hostapd to take care of management frame processing and as such, this can be +# used with driver=hostap or driver=nl80211, but not with driver=atheros. +# 0 = accept unless in deny list +# 1 = deny unless in accept list +# 2 = use external RADIUS server (accept/deny lists are searched first) +macaddr_acl={{ '0' if security.station_address.mode is vyos_defined('accept') else '1' }} + +# Accept/deny lists are read from separate files (containing list of +# MAC addresses, one per line). Use absolute path name to make sure that the +# files can be read on SIGHUP configuration reloads. +accept_mac_file={{ hostapd_accept_station_conf }} +deny_mac_file={{ hostapd_deny_station_conf }} +{% endif %} + +{% if max_stations is vyos_defined %} +# Maximum number of stations allowed in station table. New stations will be +# rejected after the station table is full. IEEE 802.11 has a limit of 2007 +# different association IDs, so this number should not be larger than that. +# (default: 2007) +max_num_sta={{ max_stations }} +{% endif %} + +{% if isolate_stations is vyos_defined %} +# Client isolation can be used to prevent low-level bridging of frames between +# associated stations in the BSS. By default, this bridging is allowed. +ap_isolate=1 +{% endif %} + +{% if reduce_transmit_power is vyos_defined %} +# Add Power Constraint element to Beacon and Probe Response frames +# This config option adds Power Constraint element when applicable and Country +# element is added. Power Constraint element is required by Transmit Power +# Control. This can be used only with ieee80211d=1. +# Valid values are 0..255. +local_pwr_constraint={{ reduce_transmit_power }} +{% endif %} + +{% if expunge_failing_stations is vyos_defined %} +# Disassociate stations based on excessive transmission failures or other +# indications of connection loss. This depends on the driver capabilities and +# may not be available with all drivers. +disassoc_low_ack=1 +{% endif %} + + +{% if security.wep is vyos_defined %} +# IEEE 802.11 specifies two authentication algorithms. hostapd can be +# configured to allow both of these or only one. Open system authentication +# should be used with IEEE 802.1X. +# Bit fields of allowed authentication algorithms: +# bit 0 = Open System Authentication +# bit 1 = Shared Key Authentication (requires WEP) +auth_algs=2 + +# WEP rekeying (disabled if key lengths are not set or are set to 0) +# Key lengths for default/broadcast and individual/unicast keys: +# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits) +# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits) +wep_key_len_broadcast=5 +wep_key_len_unicast=5 + +# Static WEP key configuration +# +# The key number to use when transmitting. +# It must be between 0 and 3, and the corresponding key must be set. +# default: not set +wep_default_key=0 + +# The WEP keys to use. +# A key may be a quoted string or unquoted hexadecimal digits. +# The key length should be 5, 13, or 16 characters, or 10, 26, or 32 +# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or +# 128-bit (152-bit) WEP is used. +# Only the default key must be supplied; the others are optional. +{% if security.wep.key is vyos_defined %} +{% for key in sec_wep_key %} +wep_key{{ loop.index -1 }}={{ security.wep.key }} +{% endfor %} +{% endif %} + + +{% elif security.wpa is vyos_defined %} +##### WPA/IEEE 802.11i configuration ########################################## + +# Enable WPA. Setting this variable configures the AP to require WPA (either +# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either +# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. +# Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice. +# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), +# RADIUS authentication server must be configured, and WPA-EAP must be included +# in wpa_key_mgmt. +# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) +# and/or WPA2 (full IEEE 802.11i/RSN): +# bit0 = WPA +# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) +# Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2. +# In other words, for WPA3, wpa 2 is used the configuration (and +# wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK). +{% if security.wpa.mode is vyos_defined('wpa+wpa2') %} +wpa=3 +{% elif security.wpa.mode is vyos_defined('wpa2') or security.wpa.mode is vyos_defined('wpa3') %} +wpa=2 +{% elif security.wpa.mode is vyos_defined('wpa') %} +wpa=1 +{% endif %} + +{% if security.wpa.cipher is vyos_defined %} +# Set of accepted cipher suites (encryption algorithms) for pairwise keys +# (unicast packets). This is a space separated list of algorithms: +# CCMP = AES in Counter mode with CBC-MAC (CCMP-128) +# TKIP = Temporal Key Integrity Protocol +# CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key +# GCMP = Galois/counter mode protocol (GCMP-128) +# GCMP-256 = Galois/counter mode protocol with 256-bit key +# Group cipher suite (encryption algorithm for broadcast and multicast frames) +# is automatically selected based on this configuration. If only CCMP is +# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, +# TKIP will be used as the group cipher. The optional group_cipher parameter can +# be used to override this automatic selection. + +{% if security.wpa.mode is vyos_defined('wpa2') %} +# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value) +rsn_pairwise={{ security.wpa.cipher | join(" ") }} +{% else %} +# Pairwise cipher for WPA (v1) (default: TKIP) +wpa_pairwise={{ security.wpa.cipher | join(" ") }} +{% endif %} +{% endif %} + +{% if security.wpa.group_cipher is vyos_defined %} +# Optional override for automatic group cipher selection +# This can be used to select a specific group cipher regardless of which +# pairwise ciphers were enabled for WPA and RSN. It should be noted that +# overriding the group cipher with an unexpected value can result in +# interoperability issues and in general, this parameter is mainly used for +# testing purposes. +group_cipher={{ security.wpa.group_cipher | join(" ") }} +{% endif %} + +{% if security.wpa.passphrase is vyos_defined %} +# IEEE 802.11 specifies two authentication algorithms. hostapd can be +# configured to allow both of these or only one. Open system authentication +# should be used with IEEE 802.1X. +# Bit fields of allowed authentication algorithms: +# bit 0 = Open System Authentication +# bit 1 = Shared Key Authentication (requires WEP) +auth_algs=1 + +# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit +# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase +# (8..63 characters) that will be converted to PSK. This conversion uses SSID +# so the PSK changes when ASCII passphrase is used and the SSID is changed. +wpa_passphrase={{ security.wpa.passphrase }} + +# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The +# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be +# added to enable SHA256-based stronger algorithms. +# WPA-PSK = WPA-Personal / WPA2-Personal +# WPA-PSK-SHA256 = WPA2-Personal using SHA256 +# WPA-EAP = WPA-Enterprise / WPA2-Enterprise +# WPA-EAP-SHA256 = WPA2-Enterprise using SHA256 +# SAE = SAE (WPA3-Personal) +# WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite +{% if security.wpa.mode is vyos_defined('wpa3') %} +wpa_key_mgmt=SAE +{% else %} +wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256 +{% endif %} + +{% elif security.wpa.radius is vyos_defined %} +##### IEEE 802.1X-2004 related configuration ################################## +# Require IEEE 802.1X authorization +ieee8021x=1 + +# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The +# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be +# added to enable SHA256-based stronger algorithms. +# WPA-PSK = WPA-Personal / WPA2-Personal +# WPA-PSK-SHA256 = WPA2-Personal using SHA256 +# WPA-EAP = WPA-Enterprise / WPA2-Enterprise +# WPA-EAP-SHA256 = WPA2-Enterprise using SHA256 +# SAE = SAE (WPA3-Personal) +# WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite +{% if security.wpa.mode is vyos_defined('wpa3') %} +wpa_key_mgmt=WPA-EAP-SUITE-B-192 +{% else %} +wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256 +{% endif %} + +{% if security.wpa.radius.server is vyos_defined %} +# RADIUS client forced local IP address for the access point +# Normally the local IP address is determined automatically based on configured +# IP addresses, but this field can be used to force a specific address to be +# used, e.g., when the device has multiple IP addresses. +# The own IP address of the access point (used as NAS-IP-Address) +{% if security.wpa.radius.source_address is vyos_defined %} +radius_client_addr={{ security.wpa.radius.source_address }} +own_ip_addr={{ security.wpa.radius.source_address }} +{% else %} +own_ip_addr=127.0.0.1 +{% endif %} + +{% for radius in security.wpa.radius.server if not radius.disabled %} +# RADIUS authentication server +auth_server_addr={{ radius.server }} +auth_server_port={{ radius.port }} +auth_server_shared_secret={{ radius.key }} + +{% if radius.acc_port %} +# RADIUS accounting server +acct_server_addr={{ radius.server }} +acct_server_port={{ radius.acc_port }} +acct_server_shared_secret={{ radius.key }} +{% endif %} +{% endfor %} +{% else %} +# Open system +auth_algs=1 +{% endif %} +{% endif %} +{% endif %} + +# TX queue parameters (EDCF / bursting) +# tx_queue_<queue name>_<param> +# queues: data0, data1, data2, data3 +# (data0 is the highest priority queue) +# parameters: +# aifs: AIFS (default 2) +# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, 2047, 4095, 8191, +# 16383, 32767) +# cwmax: cwMax (same values as cwMin, cwMax >= cwMin) +# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for +# bursting +# +# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): +# These parameters are used by the access point when transmitting frames +# to the clients. +# +# Low priority / AC_BK = background +tx_queue_data3_aifs=7 +tx_queue_data3_cwmin=15 +tx_queue_data3_cwmax=1023 +tx_queue_data3_burst=0 +# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0 +# +# Normal priority / AC_BE = best effort +tx_queue_data2_aifs=3 +tx_queue_data2_cwmin=15 +tx_queue_data2_cwmax=63 +tx_queue_data2_burst=0 +# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0 +# +# High priority / AC_VI = video +tx_queue_data1_aifs=1 +tx_queue_data1_cwmin=7 +tx_queue_data1_cwmax=15 +tx_queue_data1_burst=3.0 +# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0 +# +# Highest priority / AC_VO = voice +tx_queue_data0_aifs=1 +tx_queue_data0_cwmin=3 +tx_queue_data0_cwmax=7 +tx_queue_data0_burst=1.5 + +# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): +# for 802.11a or 802.11g networks +# These parameters are sent to WMM clients when they associate. +# The parameters will be used by WMM clients for frames transmitted to the +# access point. +# +# note - txop_limit is in units of 32microseconds +# note - acm is admission control mandatory flag. 0 = admission control not +# required, 1 = mandatory +# note - Here cwMin and cmMax are in exponent form. The actual cw value used +# will be (2^n)-1 where n is the value given here. The allowed range for these +# wmm_ac_??_{cwmin,cwmax} is 0..15 with cwmax >= cwmin. +# +wmm_enabled=1 + +# Low priority / AC_BK = background +wmm_ac_bk_cwmin=4 +wmm_ac_bk_cwmax=10 +wmm_ac_bk_aifs=7 +wmm_ac_bk_txop_limit=0 +wmm_ac_bk_acm=0 +# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10 +# +# Normal priority / AC_BE = best effort +wmm_ac_be_aifs=3 +wmm_ac_be_cwmin=4 +wmm_ac_be_cwmax=10 +wmm_ac_be_txop_limit=0 +wmm_ac_be_acm=0 +# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7 +# +# High priority / AC_VI = video +wmm_ac_vi_aifs=2 +wmm_ac_vi_cwmin=3 +wmm_ac_vi_cwmax=4 +wmm_ac_vi_txop_limit=94 +wmm_ac_vi_acm=0 +# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188 +# +# Highest priority / AC_VO = voice +wmm_ac_vo_aifs=2 +wmm_ac_vo_cwmin=2 +wmm_ac_vo_cwmax=3 +wmm_ac_vo_txop_limit=47 +wmm_ac_vo_acm=0 diff --git a/data/templates/wifi/hostapd_accept_station.conf.j2 b/data/templates/wifi/hostapd_accept_station.conf.j2 new file mode 100644 index 0000000..a381c94 --- /dev/null +++ b/data/templates/wifi/hostapd_accept_station.conf.j2 @@ -0,0 +1,7 @@ +# List of MAC addresses that are allowed to authenticate (IEEE 802.11) +# with the AP +{% if security.station_address.accept.mac is vyos_defined %} +{% for mac in security.station_address.accept.mac %} +{{ mac | lower }} +{% endfor %} +{% endif %} diff --git a/data/templates/wifi/hostapd_deny_station.conf.j2 b/data/templates/wifi/hostapd_deny_station.conf.j2 new file mode 100644 index 0000000..fb2950d --- /dev/null +++ b/data/templates/wifi/hostapd_deny_station.conf.j2 @@ -0,0 +1,7 @@ +# List of MAC addresses that are not allowed to authenticate +# (IEEE 802.11) with the access point +{% if security.station_address.deny.mac is vyos_defined %} +{% for mac in security.station_address.deny.mac %} +{{ mac | lower }} +{% endfor %} +{% endif %} diff --git a/data/templates/wifi/wpa_supplicant.conf.j2 b/data/templates/wifi/wpa_supplicant.conf.j2 new file mode 100644 index 0000000..ac857a0 --- /dev/null +++ b/data/templates/wifi/wpa_supplicant.conf.j2 @@ -0,0 +1,83 @@ +### Autogenerated by interfaces_wireless.py ### + +# see full documentation: +# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf + +network={ + # ssid: SSID (mandatory); network name in one of the optional formats: + # - an ASCII string with double quotation + # - a hex string (two characters per octet of SSID) + # - a printf-escaped ASCII string P"<escaped string>" + # + ssid="{{ ssid }}" + + # scan_ssid: + # 0 = do not scan this SSID with specific Probe Request frames (default) + # 1 = scan with SSID-specific Probe Request frames (this can be used to + # find APs that do not accept broadcast SSID or use multiple SSIDs; + # this will add latency to scanning, so enable this only when needed) + scan_ssid=1 + +{% if security.wpa.passphrase is vyos_defined %} + # ieee80211w: whether management frame protection is enabled + # 0 = disabled (default unless changed with the global pmf parameter) + # 1 = optional + # 2 = required + # The most common configuration options for this based on the PMF (protected + # management frames) certification program are: + # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 + # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 + # (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used) + # WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE + ieee80211w=1 + + # key_mgmt: list of accepted authenticated key management protocols + # WPA-PSK = WPA pre-shared key (this requires 'psk' field) + # WPA-EAP = WPA using EAP authentication + # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically + # generated WEP keys + # NONE = WPA is not used; plaintext or static WEP could be used + # WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK + # instead) + # FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key + # FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication + # FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication + # and using SHA384 + # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms + # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms + # SAE = Simultaneous authentication of equals; pre-shared key/password -based + # authentication with stronger security than WPA-PSK especially when using + # not that strong password; a.k.a. WPA3-Personal + # FT-SAE = SAE with FT + # WPA-EAP-SUITE-B = Suite B 128-bit level + # WPA-EAP-SUITE-B-192 = Suite B 192-bit level + # OSEN = Hotspot 2.0 Rel 2 online signup connection + # FILS-SHA256 = Fast Initial Link Setup with SHA256 + # FILS-SHA384 = Fast Initial Link Setup with SHA384 + # FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256 + # FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384 + # OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open) + # DPP = Device Provisioning Protocol + # If not set, this defaults to: WPA-PSK WPA-EAP +{% if security.wpa.mode is vyos_defined('wpa3') %} + key_mgmt=SAE +{% else %} + key_mgmt=WPA-PSK WPA-PSK-SHA256 +{% endif %} + + # psk: WPA preshared key; 256-bit pre-shared key + # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., + # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be + # generated using the passphrase and SSID). ASCII passphrase must be between + # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can + # be used to indicate that the PSK/passphrase is stored in external storage. + # This field is not needed, if WPA-EAP is used. + # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys + # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant + # startup and reconfiguration time can be optimized by generating the PSK only + # only when the passphrase or SSID has actually changed. + psk="{{ security.wpa.passphrase }}" +{% else %} + key_mgmt=NONE +{% endif %} +} diff --git a/data/templates/zabbix-agent/10-override.conf.j2 b/data/templates/zabbix-agent/10-override.conf.j2 new file mode 100644 index 0000000..7c296e8 --- /dev/null +++ b/data/templates/zabbix-agent/10-override.conf.j2 @@ -0,0 +1,14 @@ +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/zabbix/zabbix-agent2.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart=/usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground +WorkingDirectory= +WorkingDirectory=/run/zabbix +Restart=always +RestartSec=10 diff --git a/data/templates/zabbix-agent/zabbix-agent.conf.j2 b/data/templates/zabbix-agent/zabbix-agent.conf.j2 new file mode 100644 index 0000000..e6dcef8 --- /dev/null +++ b/data/templates/zabbix-agent/zabbix-agent.conf.j2 @@ -0,0 +1,77 @@ +# Generated by ${vyos_conf_scripts_dir}/service_monitoring_zabbix-agent.py + +PidFile=/run/zabbix/zabbix_agent2.pid +LogFile=/var/log/zabbix/zabbix_agent2.log +ControlSocket=/run/zabbix/agent.sock + +{% if log is vyos_defined %} +{% if log.size is vyos_defined %} +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Range: 0-1024 +LogFileSize={{ log.size }} +{% endif %} +{% if log.remote_commands is vyos_defined %} +LogRemoteCommands=1 +{% endif %} +{% if log.debug_level is vyos_defined %} +{% set mapping = { + 'basic': 0, + 'critical': 1, + 'error': 2, + 'warning': 3, + 'debug': 4, + 'extended-debug': 5 + } %} +DebugLevel={{ mapping[log.debug_level] }} +{% endif %} +{% endif %} + +{% if server is vyos_defined %} +Server={{ server | bracketize_ipv6 | join(',') }} +{% endif %} +{% if server_active is vyos_defined %} +{% set servers = [] %} +{% for key, value in server_active.items() %} +{% if value.port %} +{% set serv_item = key | bracketize_ipv6 + ':' + value.port %} +{% set _ = servers.append(serv_item) %} +{% else %} +{% set _ = servers.append(key | bracketize_ipv6) %} +{% endif %} +{% endfor %} +ServerActive={{ servers | join(',') }} +{% endif %} + +{% if host_name is vyos_defined %} +Hostname={{ host_name }} +{% endif %} + +{% if port is vyos_defined %} +ListenPort={{ port }} +{% endif %} +{% if listen_address is vyos_defined %} +ListenIP={{ listen_address | join(',') }} +{% endif %} + +{% if limits is vyos_defined %} +{% if limits.buffer_flush_interval is vyos_defined %} +BufferSend={{ limits.buffer_flush_interval }} +{% endif %} +{% if limits.buffer_size is vyos_defined %} +BufferSize={{ limits.buffer_size }} +{% endif %} +{% endif %} + +{% if directory is vyos_defined %} +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +Include={{ directory }}/*.conf +{% endif %} + +{% if timeout is vyos_defined %} +Timeout={{ timeout }} +{% endif %} + diff --git a/data/vyos-configd-env-set b/data/vyos-configd-env-set new file mode 100644 index 0000000..d6d421e --- /dev/null +++ b/data/vyos-configd-env-set @@ -0,0 +1,2 @@ +# +export vyshim=/usr/sbin/vyshim diff --git a/data/vyos-configd-env-unset b/data/vyos-configd-env-unset new file mode 100644 index 0000000..9616f98 --- /dev/null +++ b/data/vyos-configd-env-unset @@ -0,0 +1,2 @@ +# +unset vyshim diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf new file mode 100644 index 0000000..3929edf --- /dev/null +++ b/data/vyos-firewall-init.conf @@ -0,0 +1,73 @@ +#!/usr/sbin/nft -f + +# Required by wanloadbalance +table ip nat { + chain VYOS_PRE_SNAT_HOOK { + type nat hook postrouting priority 99; policy accept; + return + } +} + +table inet mangle { + # Used by system flow-accounting + chain FORWARD { + type filter hook forward priority -150; policy accept; + } +} + +table raw { + chain VYOS_TCP_MSS { + type filter hook forward priority -300; policy accept; + } + + chain vyos_global_rpfilter { + return + } + + chain vyos_rpfilter { + type filter hook prerouting priority -300; policy accept; + counter jump vyos_global_rpfilter + } + + # Used by system flow-accounting + chain VYOS_PREROUTING_HOOK { + type filter hook prerouting priority -300; policy accept; + } +} + +table ip6 raw { + chain VYOS_TCP_MSS { + type filter hook forward priority -300; policy accept; + } + + chain vyos_global_rpfilter { + return + } + + chain vyos_rpfilter { + type filter hook prerouting priority -300; policy accept; + counter jump vyos_global_rpfilter + } + + # Used by system flow-accounting + chain VYOS_PREROUTING_HOOK { + type filter hook prerouting priority -300; policy accept; + } +} + +# Required by VRF +table inet vrf_zones { + # Map of interfaces and connections tracking zones + map ct_iface_map { + typeof iifname : ct zone + } + # Assign unique zones for each VRF + # Chain for inbound traffic + chain vrf_zones_ct_in { + type filter hook prerouting priority raw; policy accept; + } + # Chain for locally-generated traffic + chain vrf_zones_ct_out { + type filter hook output priority raw; policy accept; + } +} |