Diffstat (limited to 'docs/configuration/system')
-rw-r--r--docs/configuration/system/acceleration.disable7
-rw-r--r--docs/configuration/system/acceleration.rst146
-rw-r--r--docs/configuration/system/conntrack.rst204
-rw-r--r--docs/configuration/system/eventhandler.rst51
-rw-r--r--docs/configuration/system/host-name.rst7
-rw-r--r--docs/configuration/system/index.rst4
-rw-r--r--docs/configuration/system/ip.rst11
-rw-r--r--docs/configuration/system/ipv6.rst2
-rw-r--r--docs/configuration/system/login.rst199
-rw-r--r--docs/configuration/system/ntp.rst77
-rw-r--r--docs/configuration/system/option.rst14
-rw-r--r--docs/configuration/system/sysctl.disable2
-rw-r--r--docs/configuration/system/sysctl.rst12
13 files changed, 537 insertions, 199 deletions
diff --git a/docs/configuration/system/acceleration.disable b/docs/configuration/system/acceleration.disable
deleted file mode 100644
index b09da38b..00000000
--- a/docs/configuration/system/acceleration.disable
+++ /dev/null
@@ -1,7 +0,0 @@
-.. _acceleration:
-
-############
-Acceleration
-############
-
-
diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst
new file mode 100644
index 00000000..62b85c71
--- /dev/null
+++ b/docs/configuration/system/acceleration.rst
@@ -0,0 +1,146 @@
+.. _acceleration:
+
+############
+Acceleration
+############
+
+In this command tree, all hardware acceleration options will be handled.
+At the moment only `Intel® QAT`_ is supported
+
+**********
+Intel® QAT
+**********
+
+.. opcmd:: show system acceleration qat
+
+ use this command to check if there is an Intel® QAT supported Processor in
+ your system.
+
+ .. code-block::
+
+ vyos@vyos:~$ show system acceleration qat
+ 01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11)
+
+ if there is non device the command will show ```No QAT device found```
+
+.. cfgcmd:: set system acceleration qat
+
+ if there is a supported device, enable Intel® QAT
+
+.. opcmd:: show system acceleration qat status
+
+ Check if the Intel® QAT device is up and ready to do the job.
+
+ .. code-block::
+
+ vyos@vyos:~$ show system acceleration qat status
+ Checking status of all devices.
+ There is 1 QAT acceleration device(s) in the system:
+ qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up
+
+Operation Mode
+==============
+
+.. opcmd:: show system acceleration qat device <device> config
+
+ Show the full config uploaded to the QAT device.
+
+.. opcmd:: show system acceleration qat device <device> flows
+
+ Get an overview over the encryption counters.
+
+.. opcmd:: show system acceleration qat interrupts
+
+ Show binded qat device interrupts to certain core.
+
+
+Example
+=======
+
+Let's build a simple VPN between 2 Intel® QAT ready devices.
+
+Side A:
+
+.. code-block::
+
+ set interfaces vti vti1 address '192.168.1.2/24'
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+ set vpn ipsec interface 'eth0'
+ set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123'
+ set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup'
+ set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup'
+ set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2'
+ set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1'
+
+Side B:
+
+.. code-block::
+
+ set interfaces vti vti1 address '192.168.1.1/24'
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+ set vpn ipsec interface 'eth0'
+ set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123'
+ set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup'
+ set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup'
+ set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1'
+ set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1'
+
+a bandwidth test over the VPN got these results:
+
+.. code-block::
+
+ Connecting to host 192.168.1.2, port 5201
+ [ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201
+ [ ID] Interval Transfer Bitrate Retr Cwnd
+ [ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes
+ [ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes
+ [ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes
+ [ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes
+ [ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes
+ [ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
+ [ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes
+ [ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
+ [ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes
+ [ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes
+ - - - - - - - - - - - - - - - - - - - - - - - - -
+ [ ID] Interval Transfer Bitrate Retr
+ [ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender
+ [ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver
+
+with :cfgcmd:`set system acceleration qat` on both systems the bandwidth
+increases.
+
+.. code-block::
+
+ Connecting to host 192.168.1.2, port 5201
+ [ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201
+ [ ID] Interval Transfer Bitrate Retr Cwnd
+ [ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes
+ [ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes
+ [ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes
+ [ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes
+ [ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes
+ [ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes
+ [ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes
+ [ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes
+ [ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes
+ [ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes
+ - - - - - - - - - - - - - - - - - - - - - - - - -
+ [ ID] Interval Transfer Bitrate Retr
+ [ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender
+ [ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver
+
+
+.. _`Intel® QAT`: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html
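Review bot: Both site-to-site blocks ship a weak, guessable pre-shared secret (`set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123'` and its Side B twin) that readers will copy verbatim into production; use an obvious placeholder such as `<pre-shared-secret>` and point to the VPN chapter's guidance on choosing one. Smaller points in the same file: every `.. code-block::` here has no language argument while the rest of the docs use `.. code-block:: none`; "if there is non device the command will show ```No QAT device found```" should read "if there is no device" with double backticks, since triple backticks are not RST literal markup; "Show binded qat device interrupts to certain core." should say which QAT device interrupts are bound to which core; and the two results are introduced only as "a bandwidth test" although the output format is iperf3's, so name the tool and its parameters so the 270 vs 778 Mbit/s comparison can be reproduced.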
diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst
index 7f7e4b77..68a4f2b8 100644
--- a/docs/configuration/system/conntrack.rst
+++ b/docs/configuration/system/conntrack.rst
@@ -1,33 +1,187 @@
-###################
-Connection tracking
-###################
-Modules
--------
+#########
+Conntrack
+#########
-.. code-block:: none
+VyOS can be configured to track connections using the connection
+tracking subsystem. Connection tracking becomes operational once either
+stateful firewall or NAT is configured.
- conntrack {
- modules {
- ftp
- h323
- nfs
- pptp
- sip
- sqlnet
- tftp
- }
- }
+*********
+Configure
+*********
-Enables ``conntrack`` modules. All modules are now disabled by default, while they
-used to be enabled in previous versions. Enabling the modules ensures backwards
-compatibility — keeping the previous behavior.
+.. cfgcmd:: set system conntrack table-size <1-50000000>
+ :defaultvalue:
-In most cases they can be disabled by removing the block of configuration.
+ The connection tracking table contains one entry for each connection being
+ tracked by the system.
-.. code-block:: none
+.. cfgcmd:: set system conntrack expect-table-size <1-50000000>
+ :defaultvalue:
- delete system conntrack modules
+ The connection tracking expect table contains one entry for each expected
+ connection related to an existing connection. These are generally used by
+ “connection tracking helper” modules such as FTP.
+ The default size of the expect table is 2048 entries.
-For some scenarios it is in fact recommended, like in this example:
-:ref:`example-high-availability`.
+.. cfgcmd:: set system conntrack hash-size <1-50000000>
+ :defaultvalue:
+
+ Set the size of the hash table. The connection tracking hash table makes
+ searching the connection tracking table faster. The hash table uses
+ “buckets” to record entries in the connection tracking table.
+
+.. cfgcmd:: set system conntrack modules ftp
+.. cfgcmd:: set system conntrack modules h323
+.. cfgcmd:: set system conntrack modules nfs
+.. cfgcmd:: set system conntrack modules pptp
+.. cfgcmd:: set system conntrack modules sip
+.. cfgcmd:: set system conntrack modules sqlnet
+.. cfgcmd:: set system conntrack modules tftp
+
+ Configure the connection tracking protocol helper modules.
+ All modules are enable by default.
+
+ | Use `delete system conntrack modules` to deactive all modules.
+ | Or, for example ftp, `delete system conntrack modules ftp`.
+
+
+Define Conection Timeouts
+=========================
+
+VyOS supports setting timeouts for connections according to the
+connection type. You can set timeout values for generic connections, for ICMP
+connections, UDP connections, or for TCP connections in a number of different
+states.
+
+.. cfgcmd:: set system conntrack timeout icmp <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp close <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp established <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout udp other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout udp stream <1-21474836>
+ :defaultvalue:
+
+ Set the timeout in secounds for a protocol or state.
+
+
+You can also define custom timeout values to apply to a specific subset of
+connections, based on a packet and flow selector. To do this, you need to
+create a rule defining the packet and flow selector.
+
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description <test>
+
+ Set a rule description.
+
+
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address <ip-address>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address <ip-address>
+
+ set a destination and/or source address. Accepted input:
+
+ .. code-block:: none
+
+ <x.x.x.x> IP address to match
+ <x.x.x.x/x> Subnet to match
+ <x.x.x.x>-<x.x.x.x>
+ IP range to match
+ !<x.x.x.x> Match everything except the specified address
+ !<x.x.x.x/x> Match everything except the specified subnet
+ !<x.x.x.x>-<x.x.x.x>
+ Match everything except the specified range
+
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port <value>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port <value>
+
+ Set a destination and/or source port. Accepted input:
+
+ .. code-block:: none
+
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+
+ Multiple destination ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using '!'. For example:
+ `!22,telnet,http,123,1001-1005``
+
+
+
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836>
+
+ Set the timeout in secounds for a protocol or state in a custom rule.
+
+
+.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836>
+ :defaultvalue:
+
+ Set the maximum number of TCP half-open connections.
+
+.. cfgcmd:: set system conntrack tcp loose <enable | disable>
+ :defaultvalue:
+
+ Policy to track previously established connections.
+
+.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647>
+ :defaultvalue:
+
+ Set the number of TCP maximum retransmit attempts.
+
+.. cfgcmd:: set system conntrack ignore rule <1-9999> description <text>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address <ip-address>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port <port>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface <interface>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol <protocol>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> source address <ip-address>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> source port <port>
+
+ Customized ignore rules, based on a packet and flow selector.
+
+.. cfgcmd:: set system conntrack log icmp destroy
+.. cfgcmd:: set system conntrack log icmp new
+.. cfgcmd:: set system conntrack log icmp update
+.. cfgcmd:: set system conntrack log other destroy
+.. cfgcmd:: set system conntrack log other new
+.. cfgcmd:: set system conntrack log other update
+.. cfgcmd:: set system conntrack log tcp destroy
+.. cfgcmd:: set system conntrack log tcp new
+.. cfgcmd:: set system conntrack log tcp update close-wait
+.. cfgcmd:: set system conntrack log tcp update established
+.. cfgcmd:: set system conntrack log tcp update fin-wait
+.. cfgcmd:: set system conntrack log tcp update last-ack
+.. cfgcmd:: set system conntrack log tcp update syn-received
+.. cfgcmd:: set system conntrack log tcp update time-wait
+.. cfgcmd:: set system conntrack log udp destroy
+.. cfgcmd:: set system conntrack log udp new
+.. cfgcmd:: set system conntrack log udp update
+
+ Log the connection tracking events per protocol. \ No newline at end of file
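Review bot: The new helper-module text contradicts the text it replaces: the removed paragraph said "All modules are now disabled by default, while they used to be enabled in previous versions", but the added line reads "All modules are enable by default." Confirm the real default for the target release, state it once (and fix "enable" to "enabled"), and consider a `:defaultvalue:` line under the module commands; since each helper opens expected-connection pinholes through the stateful firewall, this default has to be accurate. Also in this hunk: "deactive" should be "deactivate", "Conection Timeouts" should be "Connection Timeouts", "secounds" appears twice for "seconds", `description <test>` should be `<text>` as in the ignore-rule commands, the port example "`!22,telnet,http,123,1001-1005``" has mismatched backticks, "Multiple destination ports" applies to source ports as well, the `tcp loose` description "Policy to track previously established connections." should say what enable and disable do (whether conntrack picks up connections seen mid-stream), and the file loses its trailing newline ("\ No newline at end of file").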
diff --git a/docs/configuration/system/eventhandler.rst b/docs/configuration/system/eventhandler.rst
deleted file mode 100644
index 3eab4e2c..00000000
--- a/docs/configuration/system/eventhandler.rst
+++ /dev/null
@@ -1,51 +0,0 @@
-.. _event-handler:
-
-Event Handler
--------------
-
-Event handler allows you to execute scripts when a string that matches a regex
-appears in a text stream (e.g. log file).
-
-It uses "feeds" (output of commands, or a named pipes) and "policies" that
-define what to execute if a regex is matched.
-
-.. code-block:: none
-
- system
- event-handler
- feed <name>
- description <feed description>
- policy <policy name>
- source
- preset
- syslog # Use the syslog logs for feed
- custom
- command <command to execute> # E.g. "tail -f /var/log/somelogfile"
- named-pipe <path to a names pipe>
- policy <policy name>
- description <policy description>
- event <event name>
- description <event description>
- pattern <regex>
- run <command to run>
-
-In this small example a script runs every time a login failed and an interface
-goes down
-
-.. code-block:: none
-
- vyos@vyos# show system event-handler
- feed Syslog {
- policy MyPolicy
- source {
- preset syslog
- }
- }
- policy MyPolicy {
- description "Test policy"
- event BadThingsHappened {
- pattern "authentication failure"
- pattern "interface \.* index \d+ .* DOWN.*"
- run /config/scripts/email-to-admin
- }
- } \ No newline at end of file
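Review bot: The `.. _event-handler:` label disappears with this file and nothing in the diff replaces it, so any `:ref:` to it elsewhere in the tree will now break the Sphinx build; either keep a short stub under the label pointing to where the feature is documented now, or grep the tree for the label before merging. If the feature itself was dropped from VyOS, a line saying so in the commit message would help readers who land here from search engines.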
diff --git a/docs/configuration/system/host-name.rst b/docs/configuration/system/host-name.rst
index 79fae851..d062fc62 100644
--- a/docs/configuration/system/host-name.rst
+++ b/docs/configuration/system/host-name.rst
@@ -46,7 +46,12 @@ Static Hostname Mapping
How an IP address is assigned to an interface in :ref:`ethernet-interface`.
This section shows how to statically map an IP address to a hostname for local
-(meaning on this VyOS instance) name resolution.
+(meaning on this VyOS instance) name resolution. This is the VyOS equivalent to
+`/etc/hosts` file entries.
+
+.. note:: Do *not* manually edit `/etc/hosts`. This file will automatically be
+ regenerated on boot based on the settings in this section, which means you'll
+ lose all your manual edits. Instead, configure static host mappings as follows.
.. cfgcmd:: set system static-host-mapping host-name <hostname> inet <address>
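Review bot: The added sentences wrap `/etc/hosts` (twice) in single backticks, which in RST is interpreted text with the default role rather than a literal; use double backticks as the rest of the docs do for paths. The note itself is a good addition; if the file is also regenerated on commit and not only on boot, say so, so readers do not expect to need a reboot.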
diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst
index 9b4bf2e3..4df787a9 100644
--- a/docs/configuration/system/index.rst
+++ b/docs/configuration/system/index.rst
@@ -7,6 +7,7 @@ System
:maxdepth: 1
:includehidden:
+ acceleration
conntrack
console
flow-accounting
@@ -16,10 +17,10 @@ System
lcd
login
name-server
- ntp
option
proxy
syslog
+ sysctl
task-scheduler
time-zone
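Review bot: `sysctl` is inserted after `syslog`, but this toctree is alphabetical and "sysctl" sorts before "syslog"; move it up one line. Dropping `ntp` here matches the deletion of ntp.rst in the same commit, but nothing in this diff adds the NTP page under a new location, so confirm the page was moved (and that the `:ref:` label it carried still resolves) rather than lost.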
@@ -29,4 +30,3 @@ System
:includehidden:
default-route
- eventhandler
diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst
index 78aeef4e..29f46ae9 100644
--- a/docs/configuration/system/ip.rst
+++ b/docs/configuration/system/ip.rst
@@ -9,6 +9,15 @@ System configuration commands
Use this command to disable IPv4 forwarding on all interfaces.
+.. cfgcmd:: set system ip disable-directed-broadcast
+
+ Use this command to disable IPv4 directed broadcast forwarding on all
+ interfaces.
+
+ If set, IPv4 directed broadcast forwarding will be completely disabled
+ regardless of whether per-interface directed broadcast forwarding is
+ enabled or not.
+
.. cfgcmd:: set system ip arp table-size <number>
Use this command to define the maximum number of entries to keep in
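Review bot: The new `set system ip disable-directed-broadcast` entry should carry a `:defaultvalue:` line like its neighbours and name the per-interface command it overrides, since the text refers to "per-interface directed broadcast forwarding" without saying where that is configured. One sentence of motivation would also help: forwarding directed broadcasts lets a single packet from outside reach every host on a subnet (the amplification vector RFC 2644 addresses), which is why routers are expected to leave it off and why this global switch is the safe setting.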
@@ -67,4 +76,4 @@ And the different IPv4 **reset** commands available:
bgp Clear Border Gateway Protocol (BGP) statistics or status
igmp IGMP clear commands
multicast IP multicast routing table
- route Reset IP route \ No newline at end of file
+ route Reset IP route
diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst
index 19016e7b..0b9f9cc8 100644
--- a/docs/configuration/system/ipv6.rst
+++ b/docs/configuration/system/ipv6.rst
@@ -160,7 +160,7 @@ Show commands
Reset commands
^^^^^^^^^^^^^^
-.. opcmd:: reset ipv6 bgp <address>
+.. opcmd:: reset bgp ipv6 <address>
Use this command to clear Border Gateway Protocol statistics or
status.
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst
index 08746201..a5c1b558 100644
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@@ -1,8 +1,10 @@
+:lastproofread: 2022-10-15
+
.. _user_management:
-###############
-User Management
-###############
+#####################
+Login/User Management
+#####################
The default VyOS user account (`vyos`), as well as newly created user accounts,
have all capabilities to configure the system. All accounts have sudo
@@ -52,6 +54,8 @@ and paste it. Some terminal emulators may accidentally split this over several
lines. Be attentive when you paste it that it only pastes as a single line.
The third part is simply an identifier, and is for your own reference.
+.. seealso:: SSH :ref:`ssh_operation`
+
.. cfgcmd:: set system login user <username> authentication public-keys
<identifier> key <key>
@@ -77,44 +81,154 @@ The third part is simply an identifier, and is for your own reference.
.. cfgcmd:: set system login user <username> authentication public-keys
<identifier> options <options>
- Set the options for this public key. See the ssh ``authorized_keys`` man page
- for details of what you can specify here. To place a ``"`` character in the
- options field, use ``&quot;``, for example ``from=&quot;10.0.0.0/24&quot;``
- to restrict where the user may connect from when using this key.
+ Set the options for this public key. See the ssh ``authorized_keys`` man
+ page for details of what you can specify here. To place a ``"``
+ character in the options field, use ``&quot;``, for example
+ ``from=&quot;10.0.0.0/24&quot;`` to restrict where the user
+ may connect from when using this key.
-.. cfgcmd:: loadkey <username> <location>
+MFA/2FA authentication using OTP (one time passwords)
+-----------------------------------------------------
- **Deprecation notice:** ``loadkey`` has been deprecated in favour of
- :opcmd:`generate public-key-commands` and will be removed in a future
- version. See :ref:`ssh`.
+It is possible to enhance authentication security by using the :abbr:`2FA
+(Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature
+together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor
+authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured
+independently per each user. If an OTP key is configured for a user, 2FA/MFA
+is automatically enabled for that particular user. If a user does not have an
+OTP key configured, there is no 2FA/MFA check for that user.
- SSH keys can not only be specified on the command-line but also loaded for
- a given user with `<username>` from a file pointed to by `<location>.` Keys
- can be either loaded from local filesystem or any given remote location
- using one of the following :abbr:`URIs (Uniform Resource Identifier)`:
+.. cfgcmd:: set system login user <username> authentication otp key <key>
- * ``<file>`` - Load from file on local filesystem path
- * ``scp://<user>@<host>:/<file>`` - Load via SCP from remote machine
- * ``sftp://<user>@<host>/<file>`` - Load via SFTP from remote machine
- * ``ftp://<user>@<host>/<file>`` - Load via FTP from remote machine
- * ``http://<host>/<file>`` - Load via HTTP from remote machine
- * ``tftp://<host>/<file>`` - Load via TFTP from remote machine
+ Enable OTP 2FA for user `username` with default settings, using the BASE32
+ encoded 2FA/MFA key specified by `<key>`.
-Example
--------
+Optional/default settings
+^^^^^^^^^^^^^^^^^^^^^^^^^
-In the following example, both `User1` and `User2` will be able to SSH into
-VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only
-be able to connect from a single IP address.
+.. cfgcmd:: set system login user <username> authentication otp rate-limit <limit>
+ :defaultvalue:
+
+ Limit logins to `<limit>` per every ``rate-time`` seconds. Rate limit
+ must be between 1 and 10 attempts.
+
+.. cfgcmd:: set system login user <username> authentication otp rate-time <seconds>
+ :defaultvalue:
+
+ Limit logins to ``rate-limit`` attemps per every `<seconds>`. Rate time must
+ be between 15 and 600 seconds.
+
+.. cfgcmd:: set system login user <username> authentication otp window-size <size>
+ :defaultvalue:
+
+ Set window of concurrently valid codes.
+
+ By default, a new token is generated every 30 seconds by the mobile
+ application. In order to compensate for possible time-skew between
+ the client and the server, an extra token before and after the current
+ time is allowed. This allows for a time skew of up to 30 seconds
+ between authentication server and client.
+
+ For example, if problems with poor time synchronization are experienced,
+ the window can be increased from its default size of 3 permitted codes
+ (one previous code, the current code, the next code) to 17 permitted codes
+ (the 8 previous codes, the current code, and the 8 next codes). This will
+ permit for a time skew of up to 4 minutes between client and server.
+
+ The window size must be between 1 and 21.
+
+OTP-key generation
+^^^^^^^^^^^^^^^^^^
+
+The following command can be used to generate the OTP key as well
+as the CLI commands to configure them:
+
+.. cfgcmd:: generate system login username <username> otp-key hotp-time
+ rate-limit <1-10> rate-time <15-600> window-size <1-21>
+
+An example of key generation:
.. code-block:: none
- set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
- set system login user vyos authentication public-keys 'User1' type ssh-rsa
- set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;"
- set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
- set system login user vyos authentication public-keys 'User2' type ssh-rsa
+ vyos@vyos:~$ generate system login username otptester otp-key hotp-time rate-limit 2 rate-time 20 window-size 5
+ # You can share it with the user, he just needs to scan the QR in his OTP app
+ # username: otptester
+ # OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY
+ # OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30
+ █████████████████████████████████████████████
+ █████████████████████████████████████████████
+ ████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████
+ ████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████
+ ████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████
+ ████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████
+ ████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████
+ ████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████
+ █████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████
+ ████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████
+ ████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████
+ ████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████
+ ████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████
+ ████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████
+ ████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████
+ ████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████
+ ████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████
+ ████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████
+ ████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████
+ ████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████
+ ████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████
+ █████████████████████████████████████████████
+ █████████████████████████████████████████████
+ # To add this OTP key to configuration, run the following commands:
+ set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY'
+ set system login user otptester authentication otp rate-limit '2'
+ set system login user otptester authentication otp rate-time '20'
+ set system login user otptester authentication otp window-size '5'
+
+Display OTP key for user
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+To display the configured OTP user key, use the command:
+
+.. cfgcmd:: sh system login authentication user <username> otp
+ <full|key-b32|qrcode|uri>
+
+An example:
+
+.. code-block:: none
+ vyos@vyos:~$ sh system login authentication user otptester otp full
+ # You can share it with the user, he just needs to scan the QR in his OTP app
+ # username: otptester
+ # OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY
+ # OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30
+ █████████████████████████████████████████████
+ █████████████████████████████████████████████
+ ████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████
+ ████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████
+ ████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████
+ ████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████
+ ████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████
+ ████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████
+ █████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████
+ ████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████
+ ████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████
+ ████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████
+ ████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████
+ ████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████
+ ████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████
+ ████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████
+ ████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████
+ ████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████
+ ████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████
+ ████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████
+ ████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████
+ █████████████████████████████████████████████
+ █████████████████████████████████████████████
+ # To add this OTP key to configuration, run the following commands:
+ set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY'
+ set system login user otptester authentication otp rate-limit '2'
+ set system login user otptester authentication otp rate-time '20'
+ set system login user otptester authentication otp window-size '5'
RADIUS
======
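Review bot: The expansion `:abbr:\`OTP (One-Time-Pad)\`` is wrong: OTP here is a one-time password (the section heading and the `otpauth://totp/` URL both say so), and a one-time pad is an unrelated cipher; change it to "One-Time Password". Other points in this hunk: `generate system login username ...` and `sh system login authentication user ... otp` are operational-mode commands, so they belong under `.. opcmd::` rather than `.. cfgcmd::` (and spell out `show`); the second `.. code-block:: none` has no blank line before `vyos@vyos:~$ sh system login authentication user otptester otp full`, so Sphinx will treat the output as directive arguments and fail; the 30-line QR dump is pasted twice verbatim, so the second example can be cut down to the key and URL lines; and "attemps" should be "attempts".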
@@ -158,7 +272,6 @@ Configuration
the attribute you will only get regular, non privilegued, system users.
-
Login Banner
============
@@ -176,3 +289,25 @@ information for this system.
.. note:: To create a new line in your login message you need to escape the new
line character by using ``\\n``.
+
+
+Example
+=======
+
+In the following example, both `User1` and `User2` will be able to SSH into
+VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only
+be able to connect from a single IP address. In addition if password base login
+is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to
+the password.
+
+.. code-block:: none
+
+ set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
+ set system login user vyos authentication public-keys 'User1' type ssh-rsa
+ set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;"
+
+ set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
+ set system login user vyos authentication public-keys 'User2' type ssh-rsa
+
+ set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2
+ set system login user vyos authentication plaintext-password vyos
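Review bot: The example ends with `set system login user vyos authentication plaintext-password vyos`, i.e. the well-known default credential, which undercuts the point of adding 2FA to that account and gives anyone who copies the block an account whose password is public; use a placeholder such as `<strong-password>`. Also "password base login" should be "password-based login", and the OTP key on the line above is the only value in the block without quotes, unlike the generated `set ... otp key '...'` commands earlier in the file.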
diff --git a/docs/configuration/system/ntp.rst b/docs/configuration/system/ntp.rst
deleted file mode 100644
index 223447f5..00000000
--- a/docs/configuration/system/ntp.rst
+++ /dev/null
@@ -1,77 +0,0 @@
-.. _ntp:
-
-###
-NTP
-###
-
-:abbr:`NTP (Network Time Protocol`) is a networking protocol for clock
-synchronization between computer systems over packet-switched, variable-latency
-data networks. In operation since before 1985, NTP is one of the oldest Internet
-protocols in current use.
-
-NTP is intended to synchronize all participating computers to within a few
-milliseconds of :abbr:`UTC (Coordinated Universal Time)`. It uses the
-intersection algorithm, a modified version of Marzullo's algorithm, to select
-accurate time servers and is designed to mitigate the effects of variable
-network latency. NTP can usually maintain time to within tens of milliseconds
-over the public Internet, and can achieve better than one millisecond accuracy
-in local area networks under ideal conditions. Asymmetric routes and network
-congestion can cause errors of 100 ms or more.
-
-The protocol is usually described in terms of a client-server model, but can as
-easily be used in peer-to-peer relationships where both peers consider the other
-to be a potential time source. Implementations send and receive timestamps using
-:abbr:`UDP (User Datagram Protocol)` on port number 123.
-
-NTP supplies a warning of any impending leap second adjustment, but no
-information about local time zones or daylight saving time is transmitted.
-
-The current protocol is version 4 (NTPv4), which is a proposed standard as
-documented in :rfc:`5905`. It is backward compatible with version 3, specified
-in :rfc:`1305`.
-
-Configuration
-=============
-
-.. cfgcmd:: set system ntp server <address>
-
- Configure one or more servers for synchronisation. Server name can be either
- an IP address or :abbr:`FQDN (Fully Qualified Domain Name)`.
-
- There are 3 default NTP server set. You are able to change them.
-
- * ``0.pool.ntp.org``
- * ``1.pool.ntp.org``
- * ``2.pool.ntp.org``
-
-.. cfgcmd:: set system ntp server <address> <noselect | pool | preempt | prefer>
-
- Configure one or more attributes to the given NTP server.
-
- * ``noselect`` marks the server as unused, except for display purposes. The
- server is discarded by the selection algorithm.
-
- * ``pool`` mobilizes persistent client mode association with a number of
- remote servers.
-
- * ``preempt`` a preemptable association is expendable.
-
- * ``prefer`` marks the server as preferred. All other things being equal,
- this host will be chosen for synchronization among a set of correctly
- operating hosts.
-
-.. cfgcmd:: set system ntp listen-address <address>
-
- NTP process will only listen on the specified IP address. You must specify
- the `<address>` and optionally the permitted clients. Multiple listen
- addresses can be configured.
-
-.. cfgcmd:: set system ntp allow-clients address <address>
-
- List of networks or client addresses permitted to contact this NTP server.
-
- Multiple networks can be configured.
-
-.. cfgcmd:: set system ntp vrf <name>
-
- Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
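Review bot: The `.. _ntp:` label and the `listen-address`, `allow-clients` and `vrf` command descriptions go away here with no replacement anywhere in the diff; if the NTP documentation moved (for instance because the CLI path changed), keep a short stub under this label with a `:ref:` to the new page so existing links keep resolving, otherwise the deletion needs an explanation in the commit message.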
diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst
index a4e08245..c9c9bfb1 100644
--- a/docs/configuration/system/option.rst
+++ b/docs/configuration/system/option.rst
@@ -39,6 +39,20 @@ HTTP client
.. note:: `source-address` and `source-interface` can not be used at the same
time.
+**********
+SSH client
+**********
+
+.. cfgcmd:: set system option ssh-client source-address <address>
+
+ Use the specified address on the local machine as the source address of the
+ connection. Only useful on systems with more than one address.
+
+.. cfgcmd:: set system option ssh-client source-interface <interface>
+
+ Use the address of the specified interface on the local machine as the
+ source address of the connection.
+
***************
Keyboard Layout
***************
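Review bot: The HTTP client section above carries a note that `source-address` and `source-interface` cannot be used at the same time; the new SSH client section has the same two options and no such note, so either add the same restriction or state that both may be set together.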
diff --git a/docs/configuration/system/sysctl.disable b/docs/configuration/system/sysctl.disable
deleted file mode 100644
index 82ffd159..00000000
--- a/docs/configuration/system/sysctl.disable
+++ /dev/null
@@ -1,2 +0,0 @@
-sysctl
-###### \ No newline at end of file
diff --git a/docs/configuration/system/sysctl.rst b/docs/configuration/system/sysctl.rst
new file mode 100644
index 00000000..06e15031
--- /dev/null
+++ b/docs/configuration/system/sysctl.rst
@@ -0,0 +1,12 @@
+.. _sysctl:
+
+######
+Sysctl
+######
+
+This chapeter describes how to configure kernel parameters at runtime.
+
+``sysctl`` is used to modify kernel parameters at runtime. The parameters
+available are those listed under /proc/sys/.
+
+.. cfgcmd:: set system sysctl parameter <parameter> value <value>
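Review bot: `.. cfgcmd:: set system sysctl parameter <parameter> value <value>` is the only command on the page and has no description beneath it; add what it does (write the named key under /proc/sys/ with the given value), when the value is applied and whether it persists across reboots, and whether it overrides values VyOS sets itself. Also "chapeter" should be "chapter" and /proc/sys/ should be a literal. Since this command can change any kernel knob, a line warning that it can silently undo a setting another VyOS feature relies on (for example the forwarding or conntrack sizing documented elsewhere in this chapter) would be worth adding.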