author    Roberto Bertó <roberto.berto@gmail.com>  2024-03-10 12:42:31 -0300
committer GitHub <noreply@github.com>  2024-03-10 12:42:31 -0300
commit    95878ef8c96e276a8bc09b0326878a654ce2ee58 (patch)
tree      ae6fe96cedca2ab2a48f4387cc3aaecc71cb0285 /docs/configuration/system
parent    0993a91255cad0dd893b7a60e05fd2120a343407 (diff)
parent    8d410c0843f7d8b88a5a20ccb778ae149c6fc098 (diff)
Merge pull request #2 from vyos/master
import 2024-03
Diffstat (limited to 'docs/configuration/system')
-rw-r--r--  docs/configuration/system/conntrack.rst    149
-rw-r--r--  docs/configuration/system/index.rst          1
-rw-r--r--  docs/configuration/system/ip.rst            13
-rw-r--r--  docs/configuration/system/ipv6.rst          13
-rw-r--r--  docs/configuration/system/login.rst          4
-rw-r--r--  docs/configuration/system/name-server.rst    8
-rw-r--r--  docs/configuration/system/option.rst        30
-rw-r--r--  docs/configuration/system/updates.rst       39
8 files changed, 197 insertions, 60 deletions
diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst
index 68a4f2b8..6ed5fef7 100644
--- a/docs/configuration/system/conntrack.rst
+++ b/docs/configuration/system/conntrack.rst
@@ -46,9 +46,23 @@ Configure
| Use `delete system conntrack modules` to deactive all modules.
| Or, for example ftp, `delete system conntrack modules ftp`.
+.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836>
+ :defaultvalue:
-Define Conection Timeouts
-=========================
+ Set the maximum number of TCP half-open connections.
+
+.. cfgcmd:: set system conntrack tcp loose <enable | disable>
+ :defaultvalue:
+
+ Policy to track previously established connections.
+
+.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647>
+ :defaultvalue:
+
+ Set the number of TCP maximum retransmit attempts.
+
+Contrack Timeouts
+=================
VyOS supports setting timeouts for connections according to the
connection type. You can set timeout values for generic connections, for ICMP
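Review bot: the new section heading `Contrack Timeouts` misspells the subsystem name; the directives directly above it and the rest of the file use `conntrack`, so the heading should read `Conntrack Timeouts` with the underline lengthened to match. The context line `to deactive all modules` at the top of the hunk should also become `deactivate` while this section is being edited.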
@@ -82,34 +96,48 @@ states.
Set the timeout in secounds for a protocol or state.
-
You can also define custom timeout values to apply to a specific subset of
connections, based on a packet and flow selector. To do this, you need to
create a rule defining the packet and flow selector.
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description <test>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ description <test>
Set a rule description.
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ source address <ip-address>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address <ip-address>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address <ip-address>
-
- set a destination and/or source address. Accepted input:
+ Set a destination and/or source address. Accepted input for ipv4:
.. code-block:: none
- <x.x.x.x> IP address to match
- <x.x.x.x/x> Subnet to match
- <x.x.x.x>-<x.x.x.x>
- IP range to match
- !<x.x.x.x> Match everything except the specified address
- !<x.x.x.x/x> Match everything except the specified subnet
- !<x.x.x.x>-<x.x.x.x>
- Match everything except the specified range
-
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port <value>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port <value>
+ set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address
+ Possible completions:
+ <x.x.x.x> IPv4 address to match
+ <x.x.x.x/x> IPv4 prefix to match
+ <x.x.x.x>-<x.x.x.x> IPv4 address range to match
+ !<x.x.x.x> Match everything except the specified address
+ !<x.x.x.x/x> Match everything except the specified prefix
+ !<x.x.x.x>-<x.x.x.x> Match everything except the specified range
+
+ set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address
+ Possible completions:
+ <h:h:h:h:h:h:h:h> IP address to match
+ <h:h:h:h:h:h:h:h/x> Subnet to match
+ <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
+ IP range to match
+ !<h:h:h:h:h:h:h:h> Match everything except the specified address
+ !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix
+ !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
+ Match everything except the specified range
+
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ destination port <value>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ source port <value>
Set a destination and/or source port. Accepted input:
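Review bot: the IPv6 completion list in the new code block is worded inconsistently with the IPv4 list just above it (`IP address to match`, `Subnet to match`, `IP range to match` versus `IPv4 address to match`, `IPv4 prefix to match`, `IPv4 address range to match`); aligning the IPv6 entries to `IPv6 address to match`, `IPv6 prefix to match` and `IPv6 address range to match` would make the two blocks parallel. The context line `Set the timeout in secounds for a protocol or state.` at the top of the hunk carries a typo (`seconds`) that is worth fixing in the same change.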
@@ -123,49 +151,58 @@ create a rule defining the packet and flow selector.
The whole list can also be "negated" using '!'. For example:
`!22,telnet,http,123,1001-1005``
-
-
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp close <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp close-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp established <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp fin-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp last-ack <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp syn-recv <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp syn-sent <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp time-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol udp replied <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol udp unreplied <1-21474836>
Set the timeout in secounds for a protocol or state in a custom rule.
-
-.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836>
- :defaultvalue:
-
- Set the maximum number of TCP half-open connections.
-
-.. cfgcmd:: set system conntrack tcp loose <enable | disable>
- :defaultvalue:
-
- Policy to track previously established connections.
-
-.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647>
- :defaultvalue:
-
- Set the number of TCP maximum retransmit attempts.
-
-.. cfgcmd:: set system conntrack ignore rule <1-9999> description <text>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address <ip-address>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port <port>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface <interface>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol <protocol>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> source address <ip-address>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> source port <port>
+Conntrack ignore rules
+======================
Customized ignore rules, based on a packet and flow selector.
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ description <text>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ destination port <port>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ inbound-interface <interface>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ protocol <protocol>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ source address <ip-address>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ source port <port>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ tcp flags [not] <text>
+
+ Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
+ ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
+ inverted selection use ``not``, as shown in the example.
+
+Conntrack log
+=============
+
.. cfgcmd:: set system conntrack log icmp destroy
.. cfgcmd:: set system conntrack log icmp new
.. cfgcmd:: set system conntrack log icmp update
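Review bot: the added line `Allowed values fpr TCP flags` has a typo (`for`), and the same paragraph ends with `as shown in the example` although no example of `tcp flags [not] <text>` appears anywhere in this hunk; either add a short `set system conntrack ignore ipv4 rule ... tcp flags not ...` example under the directive or drop the reference. The hunk also removes the `protocol icmp` and `protocol other` timeouts from the custom-rule list without a replacement and renames `udp other`/`udp stream` to `udp replied`/`udp unreplied`; if that mirrors the current CLI, one sentence pointing out the renamed keywords would help readers migrating older configurations. The context line `Set the timeout in secounds` should read `seconds` as well.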
diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst
index bfda7747..dbb63d09 100644
--- a/docs/configuration/system/index.rst
+++ b/docs/configuration/system/index.rst
@@ -25,6 +25,7 @@ System
sysctl
task-scheduler
time-zone
+ updates
.. toctree::
diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst
index 0f45b7ca..279630e2 100644
--- a/docs/configuration/system/ip.rst
+++ b/docs/configuration/system/ip.rst
@@ -43,6 +43,19 @@ can be used to filter which routes zebra will install in the kernel.
.. note:: If you choose any as the option that will cause all protocols that
are sending routes to zebra.
+Nexthop Tracking
+^^^^^^^^^^^^^^^^
+
+Nexthop tracking resolve nexthops via the default route by default. This is enabled
+by default for a traditional profile of FRR which we use. It and can be disabled if
+you do not wan't to e.g. allow BGP to peer across the default route.
+
+.. cfgcmd:: set system ip nht no-resolve-via-default
+
+ Do not allow IPv4 nexthop tracking to resolve via the default route. This
+ parameter is configured per-VRF, so the command is also available in the VRF
+ subnode.
+
Operational commands
--------------------
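Review bot: the new paragraph has grammar errors that make it hard to follow: `Nexthop tracking resolve nexthops` should be `resolves`, `It and can be disabled` should be `It can be disabled`, and `wan't` should be `want`. Suggested wording: `Nexthop tracking resolves nexthops via the default route by default. This is enabled by default in the traditional FRR profile that VyOS uses, and it can be disabled if you do not want to, for example, allow BGP to peer across the default route.`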
diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst
index c7308f9d..d8d3c4c9 100644
--- a/docs/configuration/system/ipv6.rst
+++ b/docs/configuration/system/ipv6.rst
@@ -39,6 +39,19 @@ can be used to filter which routes zebra will install in the kernel.
.. note:: If you choose any as the option that will cause all protocols that
are sending routes to zebra.
+Nexthop Tracking
+^^^^^^^^^^^^^^^^
+
+Nexthop tracking resolve nexthops via the default route by default. This is enabled
+by default for a traditional profile of FRR which we use. It and can be disabled if
+you do not wan't to e.g. allow BGP to peer across the default route.
+
+.. cfgcmd:: set system ipv6 nht no-resolve-via-default
+
+ Do not allow IPv6 nexthop tracking to resolve via the default route. This
+ parameter is configured per-VRF, so the command is also available in the VRF
+ subnode.
+
Operational commands
--------------------
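Review bot: this hunk duplicates the paragraph added to ip.rst, including the same errors (`resolve` for `resolves`, `It and can be disabled`, `wan't`); apply the same corrected wording here so the IPv4 and IPv6 pages stay in step, with `IPv6` in the directive description as already written.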
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst
index 98e05cdd..09e27c53 100644
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@@ -34,6 +34,10 @@ Local
Setup encrypted password for given username. This is useful for
transferring a hashed password from system to system.
+.. cfgcmd:: set system login user <name> disable
+
+ Disable (lock) account. User will not be able to log in.
+
.. _ssh_key_based_authentication:
Key Based Authentication
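Review bot: `Disable (lock) account. User will not be able to log in.` reads better as `Disable (lock) the account; the user will not be able to log in.` It would also help operators if the description stated whether a disabled user's existing sessions are terminated or only new logins are refused, since the hunk does not say.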
diff --git a/docs/configuration/system/name-server.rst b/docs/configuration/system/name-server.rst
index f18cb5a3..5d08dbc5 100644
--- a/docs/configuration/system/name-server.rst
+++ b/docs/configuration/system/name-server.rst
@@ -48,7 +48,7 @@ In order for the system to use and complete unqualified host names, a
list can be defined which will be used for domain searches.
-.. cfgcmd:: set system domain-search domain <domain>
+.. cfgcmd:: set system domain-search <domain>
Use this command to define domains, one at a time, so that the system
uses them to complete unqualified host names. Maximum: 6 entries.
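Review bot: this hunk changes the documented CLI syntax from `set system domain-search domain <domain>` to `set system domain-search <domain>`, but nothing in the hunk tells the reader which VyOS version dropped the `domain` keyword; a one-line note on the version (or a pointer to the relevant migration) would keep users of older releases from copying a command that does not apply to them.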
@@ -68,7 +68,7 @@ order: vyos.io (first), vyos.net (second) and vyos.network (last):
.. code-block:: none
- set system domain-search domain vyos.io
- set system domain-search domain vyos.net
- set system domain-search domain vyos.network
+ set system domain-search vyos.io
+ set system domain-search vyos.net
+ set system domain-search vyos.network
diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst
index c9c9bfb1..02c889dd 100644
--- a/docs/configuration/system/option.rst
+++ b/docs/configuration/system/option.rst
@@ -22,6 +22,36 @@ General
Play an audible beep to the system speaker when system is ready.
+.. cfgcmd:: set system option root-partition-auto-resize
+
+ Enables the root partition auto-extension and resizes to the maximum
+ available space on system boot.
+
+Kernel
+======
+
+.. cfgcmd:: set system option kernel disable-mitigations
+
+ Disable all optional CPU mitigations. This improves system performance,
+ but it may also expose users to several CPU vulnerabilities.
+
+ This will add the following option to the Kernel commandline:
+
+ * ``mitigations=off``
+
+ .. note:: Setting will only become active with the next reboot!
+
+.. cfgcmd:: set system option kernel disable-power-saving
+
+ Disable CPU power saving mechanisms also known as C states.
+
+ This will add the following two options to the Kernel commandline:
+
+ * ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle
+ * ``processor.max_cstate=1`` Limit processor to maximum C-state 1
+
+ .. note:: Setting will only become active with the next reboot!
+
***********
HTTP client
***********
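Review bot: `may also expose users to several CPU vulnerabilities` under `disable-mitigations` is too vague for a setting with this much security impact; `mitigations=off` turns off the kernel's mitigations for speculative-execution side channels (the Spectre/Meltdown family), so the text should say so and state plainly that the option is only appropriate on hosts that run no untrusted code. Minor wording in both directives: `Kernel commandline` should be `kernel command line`, and `Setting will only become active with the next reboot!` reads better as `The setting only becomes active after the next reboot.`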
diff --git a/docs/configuration/system/updates.rst b/docs/configuration/system/updates.rst
new file mode 100644
index 00000000..505d9318
--- /dev/null
+++ b/docs/configuration/system/updates.rst
@@ -0,0 +1,39 @@
+#######
+Updates
+#######
+
+VyOS supports online checking for updates
+
+Configuration
+=============
+
+.. cfgcmd:: set system update-check auto-check
+
+ Configure auto-checking for new images
+
+
+.. cfgcmd:: set system update-check url <url>
+
+ Configure a URL that contains information about images.
+
+
+Example
+=======
+
+.. code-block:: none
+
+ set system update-check auto-check
+ set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json'
+
+Check:
+
+.. code-block:: none
+
+ vyos@r4:~$ show system updates
+ Current version: 1.5-rolling-202312220023
+
+ Update available: 1.5-rolling-202312250024
+ Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso
+ vyos@r4:~$
+
+ vyos@r4:~$ add system image latest
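Review bot: `VyOS supports online checking for updates` and `Configure auto-checking for new images` are missing terminal periods, and the Configuration section has double blank lines between the two directives. More importantly, the example ends with `add system image latest`, which installs the image advertised by the `version.json` fetched from `update-check url`; the page should state how the downloaded image is authenticated, or at minimum that the URL must be a trusted HTTPS source, because the image installed is whatever that URL advertises.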