Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/firewall/general.rst31
-rw-r--r--docs/configuration/interfaces/dummy.rst2
-rw-r--r--docs/configuration/interfaces/index.rst1
-rw-r--r--docs/configuration/interfaces/virtual-ethernet.rst95
4 files changed, 128 insertions, 1 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
index 5dfceed6..a8d5c9c2 100644
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@@ -349,6 +349,37 @@ There are a lot of matching criteria against which the package can be tested.
set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
+.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask
+ [address]
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask
+ [address]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask
+ [address]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination
+ address-mask [address]
+
+ An arbitrary netmask can be applied to mask addresses to only match against
+ a specific portion. This is particularly useful with IPv6 and a zone-based
+ firewall as rules will remain valid if the IPv6 prefix changes and the host
+ portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses
+ <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
+
+ This functions for both individual addresses and address groups.
+
+ .. code-block:: none
+
+ # Match any IPv6 address with the suffix ::0000:0000:0000:beef
+ set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef
+ set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff
+ # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
+ set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13
+ set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255
+ # Address groups
+ set firewall group ipv6-address-group WEBSERVERS address ::1000
+ set firewall group ipv6-address-group WEBSERVERS address ::2000
+ set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS
+ set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff
+
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
<country>
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
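Review bot: The address-group example at the end of the new block mixes firewall families: the group is an `ipv6-address-group` and the mask on the last line is an IPv6 mask, yet both rule 200 lines are written under `set firewall name WAN-LAN-v6`, which this page uses for IPv4 rule sets while the `ipv6-name` form documented directly above is the IPv6 one. A reader pasting the example will presumably get a commit error or, at best, a rule attached to the wrong family, so the two lines should read `set firewall ipv6-name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS` and `set firewall ipv6-name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff`. The comment on the IPv4 example also has a typo (`forth` should be `fourth`), and the prose reads better as "the host portion of a system's IPv6 address is static".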
diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst
index 8440feca..ba09d9a7 100644
--- a/docs/configuration/interfaces/dummy.rst
+++ b/docs/configuration/interfaces/dummy.rst
@@ -68,7 +68,7 @@ Operation
.. code-block:: none
- vyos@vyos:~$ show interfaces ethernet eth0
+ vyos@vyos:~$ show interfaces dummy dum0
dum0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 26:7c:8e:bc:fc:f5 brd ff:ff:ff:ff:ff:ff
inet 172.18.254.201/32 scope global dum0
diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst
index 23792203..97ad709e 100644
--- a/docs/configuration/interfaces/index.rst
+++ b/docs/configuration/interfaces/index.rst
@@ -20,6 +20,7 @@ Interfaces
pppoe
pseudo-ethernet
tunnel
+ virtual-ethernet
vti
vxlan
wireless
diff --git a/docs/configuration/interfaces/virtual-ethernet.rst b/docs/configuration/interfaces/virtual-ethernet.rst
new file mode 100644
index 00000000..a6988318
--- /dev/null
+++ b/docs/configuration/interfaces/virtual-ethernet.rst
@@ -0,0 +1,95 @@
+:lastproofread: 2022-11-25
+
+.. _virtual-ethernet:
+
+################
+Virtual Ethernet
+################
+
+The veth devices are virtual Ethernet devices. They can act as tunnels between
+network namespaces to create a bridge to a physical network device in another
+namespace or VRF, but can also be used as standalone network devices.
+
+.. note:: veth interfaces need to be created in pairs - it's called the peer name
+
+*************
+Configuration
+*************
+
+Common interface configuration
+==============================
+
+.. cmdinclude:: /_include/interface-address-with-dhcp.txt
+ :var0: virtual-ethernet
+ :var1: veth0
+
+.. cmdinclude:: /_include/interface-description.txt
+ :var0: virtual-ethernet
+ :var1: veth0
+
+.. cmdinclude:: /_include/interface-disable.txt
+ :var0: virtual-ethernet
+ :var1: veth0
+
+.. cmdinclude:: /_include/interface-vrf.txt
+ :var0: virtual-ethernet
+ :var1: veth0
+
+*********
+Operation
+*********
+
+.. opcmd:: show interfaces virtual-ethernet
+
+ Show brief interface information.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show interfaces virtual-ethernet
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address S/L Description
+ --------- ---------- --- -----------
+ veth10 100.64.0.0/31 u/u
+ veth11 100.64.0.1/31 u/u
+
+.. opcmd:: show interfaces virtual-ethernet <interface>
+
+ Show detailed information on given `<interface>`
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show interfaces virtual-ethernet veth11
+ 10: veth11@veth10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master red state UP group default qlen 1000
+ link/ether b2:7b:df:47:e9:11 brd ff:ff:ff:ff:ff:ff
+ inet 100.64.0.1/31 scope global veth11
+ valid_lft forever preferred_lft forever
+ inet6 fe80::b07b:dfff:fe47:e911/64 scope link
+ valid_lft forever preferred_lft forever
+
+
+ RX: bytes packets errors dropped overrun mcast
+ 0 0 0 0 0 0
+ TX: bytes packets errors dropped carrier collisions
+ 1369707 4267 0 0 0 0
+
+*******
+Example
+*******
+
+Interconnect the global VRF with vrf "red" using the veth10 <-> veth 11 pair
+
+.. code-block:: none
+
+ set interfaces virtual-ethernet veth10 address '100.64.0.0/31'
+ set interfaces virtual-ethernet veth10 peer-name 'veth11'
+ set interfaces virtual-ethernet veth11 address '100.64.0.1/31'
+ set interfaces virtual-ethernet veth11 peer-name 'veth10'
+ set interfaces virtual-ethernet veth11 vrf 'red'
+ set vrf name red table '1000'
+
+ vyos@vyos:~$ ping 100.64.0.1
+ PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data.
+ 64 bytes from 100.64.0.1: icmp_seq=1 ttl=64 time=0.080 ms
+ 64 bytes from 100.64.0.1: icmp_seq=2 ttl=64 time=0.119 ms
+
+