-rw-r--r--docs/configuration/firewall/general.rst75
-rw-r--r--docs/configuration/interfaces/dummy.rst2
-rw-r--r--docs/configuration/interfaces/index.rst1
-rw-r--r--docs/configuration/interfaces/virtual-ethernet.rst95
4 files changed, 165 insertions, 8 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
index 0cf8bcec..a8d5c9c2 100644
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@@ -148,11 +148,11 @@ Some firewall settings are global and have an affect on the whole system.
Groups
******
-Firewall groups represent collections of IP addresses, networks, or
-ports. Once created, a group can be referenced by firewall rules as
-either a source or destination. Members can be added or removed from a
-group without changes to, or the need to reload, individual firewall
-rules.
+Firewall groups represent collections of IP addresses, networks, ports,
+mac addresses or domains. Once created, a group can be referenced by
+firewall, nat and policy route rules as either a source or destination
+matcher. Members can be added or removed from a group without changes to,
+or the need to reload, individual firewall rules.
Groups need to have unique names. Even though some contain IPv4
addresses and others contain IPv6 addresses, they still need to have
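Review bot: The reworded paragraph should capitalise the acronyms "mac" and "nat" as "MAC" and "NAT" ("MAC addresses or domains", "firewall, NAT and policy route rules"), since the rest of this document spells acronyms such as IPv4 and IPv6 in capitals.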
@@ -183,7 +183,6 @@ defined.
Provide a IPv4 or IPv6 address group description
-
Network Groups
==============
@@ -208,7 +207,6 @@ recommended.
Provide a IPv4 or IPv6 network group description.
-
Port Groups
===========
@@ -234,6 +232,34 @@ filtering unnecessary ports. Ranges of ports can be specified by using
Provide a port group description.
+MAC Groups
+==========
+
+A **mac group** represents a collection of mac addresses.
+
+.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address>
+
+ Define a mac group.
+
+.. code-block:: none
+
+ set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
+ set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81
+
+
+Domain Groups
+=============
+
+A **domain group** represents a collection of domains.
+
+.. cfgcmd:: set firewall group domain-group <name> address <domain>
+
+ Define a domain group.
+
+.. code-block:: none
+
+ set firewall group domain-group DOM address example.com
+
*********
Rule-Sets
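Review bot: The new "MAC Groups" and "Domain Groups" sections each document only the member-adding command, while the address, network and port group sections above also document a description command ("Provide a IPv4 or IPv6 address group description", "Provide a port group description."); if mac-group and domain-group accept a description, add the matching cfgcmd entries so the sections are consistent. The domain group section should also state how and when a member domain is resolved to addresses (at commit time, periodically, or on each match), because a reader cannot judge what the group actually matches without that. Minor: "mac group" and "mac addresses" in the prose should read "MAC group" and "MAC addresses", and the double blank line before "Domain Groups" can be reduced to one.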
@@ -323,6 +349,37 @@ There are a lot of matching criteria against which the package can be tested.
set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
+.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask
+ [address]
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask
+ [address]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask
+ [address]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination
+ address-mask [address]
+
+ An arbitrary netmask can be applied to mask addresses to only match against
+ a specific portion. This is particularly useful with IPv6 and a zone-based
+ firewall as rules will remain valid if the IPv6 prefix changes and the host
+ portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses
+ <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
+
+ This functions for both individual addresses and address groups.
+
+ .. code-block:: none
+
+ # Match any IPv6 address with the suffix ::0000:0000:0000:beef
+ set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef
+ set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff
+ # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
+ set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13
+ set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255
+ # Address groups
+ set firewall group ipv6-address-group WEBSERVERS address ::1000
+ set firewall group ipv6-address-group WEBSERVERS address ::2000
+ set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS
+ set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff
+
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
<country>
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
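Review bot: The "Address groups" part of the example is inconsistent with the rest of the block: it defines an ipv6-address-group and an all-IPv6 address-mask, but applies them with "set firewall name WAN-LAN-v6 rule 200 ..." rather than "set firewall ipv6-name WAN-LAN-v6 rule 200 ...", which is the form the IPv6 lines earlier in the same block use. Also fix the typos in the explanatory text and comments: "forth octet" should be "fourth octet", and "the host portion of systems IPv6 address is static" should be "the host portion of a system's IPv6 address is static". The sentence ending with the tokenised-IPv6 link is missing its closing period.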
@@ -603,11 +660,15 @@ A Rule-Set can be applied to every interface:
set firewall interface eth1.100 out name LANv4-OUT
set firewall interface bond0 in name LANv4-IN
set firewall interface vtun1 in name LANv4-IN
+ set firewall interface eth2* in name LANv4-IN
.. note::
As you can see in the example here, you can assign the same rule-set to
several interfaces. An interface can only have one rule-set per chain.
+ .. note::
+ You can use wildcard ``*`` to match a group of interfaces.
+
***********************
Operation-mode Firewall
***********************
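Review bot: The added note "You can use wildcard ``*`` to match a group of interfaces." is too vague to act on: it should say where the wildcard may appear in the interface name and what the example "eth2*" matches (for instance, whether it also matches names such as eth20 or eth2.100 rather than only eth2 and its VLANs), since an over-broad match silently widens the scope of the rule-set. Also check the indentation of the new ".. note::" against the existing one directly above it so it renders as a sibling note rather than nested inside the first.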
diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst
index 8440feca..ba09d9a7 100644
--- a/docs/configuration/interfaces/dummy.rst
+++ b/docs/configuration/interfaces/dummy.rst
@@ -68,7 +68,7 @@ Operation
.. code-block:: none
- vyos@vyos:~$ show interfaces ethernet eth0
+ vyos@vyos:~$ show interfaces dummy dum0
dum0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 26:7c:8e:bc:fc:f5 brd ff:ff:ff:ff:ff:ff
inet 172.18.254.201/32 scope global dum0
diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst
index 23792203..97ad709e 100644
--- a/docs/configuration/interfaces/index.rst
+++ b/docs/configuration/interfaces/index.rst
@@ -20,6 +20,7 @@ Interfaces
pppoe
pseudo-ethernet
tunnel
+ virtual-ethernet
vti
vxlan
wireless
diff --git a/docs/configuration/interfaces/virtual-ethernet.rst b/docs/configuration/interfaces/virtual-ethernet.rst
new file mode 100644
index 00000000..a6988318
--- /dev/null
+++ b/docs/configuration/interfaces/virtual-ethernet.rst
@@ -0,0 +1,95 @@
+:lastproofread: 2022-11-25
+
+.. _virtual-ethernet:
+
+################
+Virtual Ethernet
+################
+
+The veth devices are virtual Ethernet devices. They can act as tunnels between
+network namespaces to create a bridge to a physical network device in another
+namespace or VRF, but can also be used as standalone network devices.
+
+.. note:: veth interfaces need to be created in pairs - it's called the peer name
+
+*************
+Configuration
+*************
+
+Common interface configuration
+==============================
+
+.. cmdinclude:: /_include/interface-address-with-dhcp.txt
+ :var0: virtual-ethernet
+ :var1: veth0
+
+.. cmdinclude:: /_include/interface-description.txt
+ :var0: virtual-ethernet
+ :var1: veth0
+
+.. cmdinclude:: /_include/interface-disable.txt
+ :var0: virtual-ethernet
+ :var1: veth0
+
+.. cmdinclude:: /_include/interface-vrf.txt
+ :var0: virtual-ethernet
+ :var1: veth0
+
+*********
+Operation
+*********
+
+.. opcmd:: show interfaces virtual-ethernet
+
+ Show brief interface information.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show interfaces virtual-ethernet
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address S/L Description
+ --------- ---------- --- -----------
+ veth10 100.64.0.0/31 u/u
+ veth11 100.64.0.1/31 u/u
+
+.. opcmd:: show interfaces virtual-ethernet <interface>
+
+ Show detailed information on given `<interface>`
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show interfaces virtual-ethernet veth11
+ 10: veth11@veth10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master red state UP group default qlen 1000
+ link/ether b2:7b:df:47:e9:11 brd ff:ff:ff:ff:ff:ff
+ inet 100.64.0.1/31 scope global veth11
+ valid_lft forever preferred_lft forever
+ inet6 fe80::b07b:dfff:fe47:e911/64 scope link
+ valid_lft forever preferred_lft forever
+
+
+ RX: bytes packets errors dropped overrun mcast
+ 0 0 0 0 0 0
+ TX: bytes packets errors dropped carrier collisions
+ 1369707 4267 0 0 0 0
+
+*******
+Example
+*******
+
+Interconnect the global VRF with vrf "red" using the veth10 <-> veth 11 pair
+
+.. code-block:: none
+
+ set interfaces virtual-ethernet veth10 address '100.64.0.0/31'
+ set interfaces virtual-ethernet veth10 peer-name 'veth11'
+ set interfaces virtual-ethernet veth11 address '100.64.0.1/31'
+ set interfaces virtual-ethernet veth11 peer-name 'veth10'
+ set interfaces virtual-ethernet veth11 vrf 'red'
+ set vrf name red table '1000'
+
+ vyos@vyos:~$ ping 100.64.0.1
+ PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data.
+ 64 bytes from 100.64.0.1: icmp_seq=1 ttl=64 time=0.080 ms
+ 64 bytes from 100.64.0.1: icmp_seq=2 ttl=64 time=0.119 ms
+
+
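Review bot: The "peer-name" option is used in the Example ("set interfaces virtual-ethernet veth10 peer-name 'veth11'") but is not documented anywhere in the Configuration section; add a cfgcmd entry for "set interfaces virtual-ethernet <interface> peer-name <interface>" and replace the vague note "veth interfaces need to be created in pairs - it's called the peer name" with a sentence stating that each interface of the pair must reference the other via peer-name. Minor fixes in the same file: "veth10 <-> veth 11 pair" should read "veth10 <-> veth11 pair", "Show detailed information on given `<interface>`" is missing its period, and the ping example should say which VRF the command is run from so the reader can tell that traffic actually crossed into vrf "red".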