Diffstat (limited to 'docs/configuration')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | docs/configuration/firewall/general.rst | 31 |
| -rw-r--r-- | docs/configuration/interfaces/dummy.rst | 2 |
| -rw-r--r-- | docs/configuration/interfaces/index.rst | 1 |
| -rw-r--r-- | docs/configuration/interfaces/virtual-ethernet.rst | 95 |
4 files changed, 128 insertions, 1 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index 5dfceed6..a8d5c9c2 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst 
@@ -349,6 +349,37 @@ There are a lot of matching criteria against which the package can be tested.        set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24        set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 +.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask +   [address] +.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask +   [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask +   [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination +   address-mask [address] + +   An arbitrary netmask can be applied to mask addresses to only match against +   a specific portion. This is particularly useful with IPv6 and a zone-based +   firewall as rules will remain valid if the IPv6 prefix changes and the host +   portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses +   <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) +    +   This functions for both individual addresses and address groups. + +   .. code-block:: none + +      # Match any IPv6 address with the suffix ::0000:0000:0000:beef +      set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef +      set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff +      # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet +      set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13 +      set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255 +      # Address groups +      set firewall group ipv6-address-group WEBSERVERS address ::1000 +      set firewall group ipv6-address-group WEBSERVERS address ::2000 +      set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS +      set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff +  .. 
cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code     <country>  .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst index 8440feca..ba09d9a7 100644 --- a/docs/configuration/interfaces/dummy.rst +++ b/docs/configuration/interfaces/dummy.rst @@ -68,7 +68,7 @@ Operation     .. code-block:: none -     vyos@vyos:~$ show interfaces ethernet eth0 +     vyos@vyos:~$ show interfaces dummy dum0       dum0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000           link/ether 26:7c:8e:bc:fc:f5 brd ff:ff:ff:ff:ff:ff           inet 172.18.254.201/32 scope global dum0 diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst index 23792203..97ad709e 100644 --- a/docs/configuration/interfaces/index.rst +++ b/docs/configuration/interfaces/index.rst @@ -20,6 +20,7 @@ Interfaces     pppoe     pseudo-ethernet     tunnel +   virtual-ethernet     vti     vxlan     wireless diff --git a/docs/configuration/interfaces/virtual-ethernet.rst b/docs/configuration/interfaces/virtual-ethernet.rst new file mode 100644 index 00000000..a6988318 --- /dev/null +++ b/docs/configuration/interfaces/virtual-ethernet.rst 
@@ -0,0 +1,95 @@ +:lastproofread: 2022-11-25 + +.. _virtual-ethernet: + +################ +Virtual Ethernet +################ + +The veth devices are virtual Ethernet devices. They can act as tunnels between +network namespaces to create a bridge to a physical network device in another +namespace or VRF, but can also be used as standalone network devices. + +.. note:: veth interfaces need to be created in pairs - it's called the peer name + +************* +Configuration +************* + +Common interface configuration +============================== + +.. cmdinclude:: /_include/interface-address-with-dhcp.txt +   :var0: virtual-ethernet +   :var1: veth0 + +.. cmdinclude:: /_include/interface-description.txt +   :var0: virtual-ethernet +   :var1: veth0 + +.. cmdinclude:: /_include/interface-disable.txt +   :var0: virtual-ethernet +   :var1: veth0 + +.. cmdinclude:: /_include/interface-vrf.txt +   :var0: virtual-ethernet +   :var1: veth0 + +********* +Operation +********* + +.. opcmd:: show interfaces virtual-ethernet + +   Show brief interface information. + +   .. code-block:: none + +     vyos@vyos:~$ show interfaces virtual-ethernet +     Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down +     Interface        IP Address                        S/L  Description +     ---------        ----------                        ---  ----------- +     veth10           100.64.0.0/31                     u/u +     veth11           100.64.0.1/31                     u/u + +.. opcmd:: show interfaces virtual-ethernet <interface> + +   Show detailed information on given `<interface>` + +   .. 
code-block:: none + +     vyos@vyos:~$ show interfaces virtual-ethernet veth11 +     10: veth11@veth10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master red state UP group default qlen 1000 +         link/ether b2:7b:df:47:e9:11 brd ff:ff:ff:ff:ff:ff +         inet 100.64.0.1/31 scope global veth11 +            valid_lft forever preferred_lft forever +         inet6 fe80::b07b:dfff:fe47:e911/64 scope link +            valid_lft forever preferred_lft forever + + +         RX:  bytes    packets     errors    dropped    overrun      mcast +                  0          0          0          0          0          0 +         TX:  bytes    packets     errors    dropped    carrier collisions +            1369707       4267          0          0          0          0 + +******* +Example +******* + +Interconnect the global VRF with vrf "red" using the veth10 <-> veth 11 pair + +.. code-block:: none + +  set interfaces virtual-ethernet veth10 address '100.64.0.0/31' +  set interfaces virtual-ethernet veth10 peer-name 'veth11' +  set interfaces virtual-ethernet veth11 address '100.64.0.1/31' +  set interfaces virtual-ethernet veth11 peer-name 'veth10' +  set interfaces virtual-ethernet veth11 vrf 'red' +  set vrf name red table '1000' + +  vyos@vyos:~$ ping 100.64.0.1 +  PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data. +  64 bytes from 100.64.0.1: icmp_seq=1 ttl=64 time=0.080 ms +  64 bytes from 100.64.0.1: icmp_seq=2 ttl=64 time=0.119 ms + +  | 
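Review bot: In the general.rst hunk, the "Address groups" part of the example mixes the IPv4 and IPv6 command trees: `set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS` and `set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff` reference an `ipv6-address-group` and an IPv6 mask under `firewall name`, while every other IPv6 line in the block uses `firewall ipv6-name`; both lines should read `set firewall ipv6-name WAN-LAN-v6 rule 200 ...`. The description also has a few wording problems: "forth octet" should be "fourth octet", "the host portion of systems IPv6 address" should be "the host portion of the system's IPv6 address", the sentence ending with the tokenised-addresses link has no closing period, and the line after it (`+    `) is whitespace-only and should be an empty line. Finally, since the text says the mask makes a rule "only match against a specific portion", it is worth one sentence making the consequence explicit: a mask such as `::ffff:ffff:ffff:ffff` matches the `::beef` suffix under any prefix, not only the site's own, so where the rule is meant to identify a local host it should be combined with a prefix or zone condition rather than stand alone.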
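Review bot: In the new virtual-ethernet.rst, the note "veth interfaces need to be created in pairs - it's called the peer name" does not say what the reader has to configure; suggest "veth interfaces always exist in pairs; the other end of the pair is set with `peer-name`, and both interfaces must reference each other, as in the example below." Smaller points in the same file: "Show detailed information on given `<interface>`" needs "the given" and a closing period; the Example sentence "veth10 <-> veth 11 pair" has a stray space in "veth 11"; the `show interfaces virtual-ethernet veth11` output carries two consecutive blank lines before the RX counters; and the final `+  |` line is an empty RST line block that renders as nothing and should be removed. Since the example deliberately joins the global VRF and VRF `red` through an unfiltered veth pair (veth11 shows `master red` and the ping succeeds across the tables), the Example section should state that this path bypasses the separation the VRFs otherwise provide and that firewall rules on veth10/veth11 are needed if that separation is meant to be a security boundary.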
