Diffstat (limited to 'docs/configuration')
25 files changed, 423 insertions, 115 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 5081ce2f..a36877b7 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -325,15 +325,25 @@ There are a lot of matching criteria against which the package can be tested. .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code <country> +.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip country-code <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip + inverse-match .. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip country-code <country> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip + inverse-match .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip + inverse-match -Match IP addresses based on its geolocation. More info: `geoip matching -<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_ +Match IP addresses based on its geolocation. +More info: `geoip matching +<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + +Use inverse-match to match anything except the given country-codes. Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB 
@@ -459,6 +469,16 @@ geoip) to keep database and rules updated. Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second | + minute | hour> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second | + minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. *********************************** Applying a Rule-Set to an Interface @@ -531,10 +551,10 @@ Applying a Rule-Set to a Zone Before you are able to apply a rule-set to a zone you have to create the zones first. -It helps to think of the syntax as: (see below). The 'rule-set' should be +It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone* -.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone> +.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone> firewall name <rule-set> .. cfgcmd:: set zone-policy zone <name> from <name> firewall name @@ -829,4 +849,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets.
\ No newline at end of file + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/interfaces/bridge.rst b/docs/configuration/interfaces/bridge.rst index ebb2232a..ddc293cc 100644 --- a/docs/configuration/interfaces/bridge.rst +++ b/docs/configuration/interfaces/bridge.rst @@ -78,7 +78,11 @@ Bridge Options .. cfgcmd:: set interfaces bridge <interface> igmp querier - Enable IGMP querier + Enable IGMP and MLD querier. + +.. cfgcmd:: set interfaces bridge <interface> igmp snooping + + Enable IGMP and MLD snooping. .. _stp: diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index dcc9e529..96ccb25f 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -71,8 +71,8 @@ Ethernet options Offloading ---------- -.. cfgcmd:: set interfaces ethernet <interface> offload <gro | gso | sg | tso | - ufo | rps> +.. cfgcmd:: set interfaces ethernet <interface> offload <gro | gso | lro | rps | + sg | tso> Enable different types of hardware offloading on the given NIC. diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 544bd4fc..338ad3ae 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst @@ -53,11 +53,12 @@ individual peers. .. cfgcmd:: set interfaces macsec <interface> security mka cak <key> IEEE 802.1X/MACsec pre-shared key mode. This allows configuring MACsec with - a pre-shared key using a (CAK,CKN) pair. + a pre-shared key using a :abbr:`CAK (MACsec connectivity association key)` and + :abbr:`CKN (MACsec connectivity association name)` pair. .. cfgcmd:: set interfaces macsec <interface> security mka ckn <key> - CAK Name + :abbr:`CKN (MACsec connectivity association name)` key .. cfgcmd:: set interfaces macsec <interface> security mka priority <priority> 
@@ -80,28 +81,27 @@ Replay protection Operation ********* -.. opcmd:: run generate macsec mka-cak +.. opcmd:: run generate macsec mka cak <gcm-aes-128|gcm-aes-256> - Generate :abbr:`MKA (MACsec Key Agreement protocol)` CAK key + Generate :abbr:`MKA (MACsec Key Agreement protocol)` CAK key 128 or 256 bits. .. code-block:: none - vyos@vyos:~$ generate macsec mka-cak + vyos@vyos:~$ generate macsec mka cak gcm-aes-128 20693b6e08bfa482703a563898c9e3ad +.. opcmd:: run generate macsec mka ckn -.. opcmd:: run generate macsec mka-ckn - - Generate :abbr:`MKA (MACsec Key Agreement protocol)` CAK key + Generate :abbr:`MKA (MACsec Key Agreement protocol)` CAK key. .. code-block:: none - vyos@vyos:~$ generate macsec mka-ckn + vyos@vyos:~$ generate macsec mka ckn 88737efef314ee319b2cbf30210a5f164957d884672c143aefdc0f5f6bc49eb2 .. opcmd:: show interfaces macsec - List all MACsec interfaces + List all MACsec interfaces. .. code-block:: none diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index e1bb3056..dbf92caf 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-07-09 +:lastproofread: 2022-07-27 .. _pppoe-interface: @@ -126,6 +126,9 @@ PPPoE options set interfaces pppoe pppoe0 no-default-route + .. note:: This command got added in VyOS 1.4 and inverts the logic from the old + ``default-route`` CLI option. + .. cfgcmd:: set interfaces pppoe <interface> default-route-distance <distance> Set the distance for the default gateway sent by the PPPoE server. 
@@ -310,11 +313,6 @@ Requirements: If you are switching from a DHCP based ISP like cable then be aware that things like VPN links may need to have their MTU sizes adjusted to work within this limit. -* With the ``default-route`` option set to ``auto``, VyOS will only add the - default gateway you receive from your DSL ISP to the routing table if you - have no other WAN connections. If you wish to use a dual WAN connection, - change the ``default-route`` option to ``force``. You could also install - a static route and set the ``default-route`` option to ``none``. * With the ``name-server`` option set to ``none``, VyOS will ignore the nameservers your ISP sends you and thus you can fully rely on the ones you have configured statically. @@ -322,10 +320,11 @@ Requirements: .. note:: Syntax has changed from VyOS 1.2 (crux) and it will be automatically migrated during an upgrade. +.. note:: A default route is automatically installed once the interface is up. + To change this behavior use the ``no-default-route`` CLI option. + .. code-block:: none - set interfaces pppoe pppoe0 default-route 'auto' - set interfaces pppoe pppoe0 mtu 1492 set interfaces pppoe pppoe0 authentication user 'userid' set interfaces pppoe pppoe0 authentication password 'secret' set interfaces pppoe pppoe0 source-interface 'eth0' @@ -351,8 +350,6 @@ which is the default VLAN for Deutsche Telekom: .. code-block:: none - set interfaces pppoe pppoe0 default-route 'auto' - set interfaces pppoe pppoe0 mtu 1492 set interfaces pppoe pppoe0 authentication user 'userid' set interfaces pppoe pppoe0 authentication password 'secret' set interfaces pppoe pppoe0 source-interface 'eth0.7' diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index b775011f..231652a0 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst 
@@ -590,3 +590,24 @@ To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system. + +.. _wireless-interface-intel-ax200: + +Intel AX200 +=========== + +The Intel AX200 card does not work out of the box in AP mode, see +https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can +still put this card into AP mode using the following configuration: + +.. stop_vyoslinter +.. code-block:: none + + set interfaces wireless wlan0 channel '1' + set interfaces wireless wlan0 country-code 'us' + set interfaces wireless wlan0 mode 'n' + set interfaces wireless wlan0 physical-device 'phy0' + set interfaces wireless wlan0 ssid 'VyOS' + set interfaces wireless wlan0 type 'access-point' + +.. start_vyoslinter diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index b46f821c..e83272f5 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -272,7 +272,7 @@ also to display them. Show only information for specified Certificate Authority. -.. opcmd:: show pki certificates +.. opcmd:: show pki certificate Show a list of installed certificates @@ -285,7 +285,7 @@ also to display them. ac2 Server CN=ac2.vyos.net CN=R3 2021-07-05 07:29:59 2021-10-03 07:29:58 No Yes Yes (R3) rw_server Server CN=VyOS RW CN=VyOS RW CA 2021-07-05 13:48:02 2022-07-05 13:48:02 No Yes Yes (vyos_rw) -.. opcmd:: show pki certificates <name> +.. opcmd:: show pki certificate <name> Show only information for specified certificate. diff --git a/docs/configuration/policy/examples.rst b/docs/configuration/policy/examples.rst index c83e5f64..2d44f4bc 100644 --- a/docs/configuration/policy/examples.rst +++ b/docs/configuration/policy/examples.rst 
@@ -11,7 +11,7 @@ BGP Example set policy route-map setmet rule 2 set as-path prepend '2 2 2' # Apply policy to BGP - set protocols bgp local-as 1 + set protocols bgp system-as 1 set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast route-map import 'setmet' set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast soft-reconfiguration 'inbound' diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index 6e979a32..7743b14b 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst @@ -69,6 +69,14 @@ Route Map IP address of route to match, based on prefix-list. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip address + prefix-len <0-32> + + IP address of route to match, based on specified prefix-length. + Note that this can be used for kernel routes only. + Do not apply to the routes of dynamic routing protocols (e.g. BGP, + RIP, OSFP), as this can lead to unexpected results.. + .. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop access-list <1-2699> @@ -114,6 +122,14 @@ Route Map IPv6 address of route to match, based on IPv6 prefix-list. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 address + prefix-len <0-128> + + IPv6 address of route to match, based on specified prefix-length. + Note that this can be used for kernel routes only. + Do not apply to the routes of dynamic routing protocols (e.g. BGP, + RIP, OSFP), as this can lead to unexpected results.. + .. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 nexthop <h:h:h:h:h:h:h:h> diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index fb9b9d6e..6593730f 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst 
@@ -37,7 +37,7 @@ The :abbr:`ASN (Autonomous System Number)` is one of the essential elements of BGP. BGP is a distance vector routing protocol, and the AS-Path framework provides distance vector metric and loop detection to BGP. -.. cfgcmd:: set protocols bgp local-as <asn> +.. cfgcmd:: set protocols bgp system-as <asn> Set local :abbr:`ASN (Autonomous System Number)` that this router represents. This is a a mandatory option! @@ -174,7 +174,7 @@ The BGP protocol uses the AS number for detecting whether the BGP connection is internal or external. VyOS does not have a special command to start the BGP process. The BGP process starts when the first neighbor is configured. -.. cfgcmd:: set protocols bgp local-as <asn> +.. cfgcmd:: set protocols bgp system-as <asn> Set local autonomous system number that this router represents. This is a mandatory option! @@ -1069,7 +1069,7 @@ A simple eBGP configuration: .. code-block:: none - set protocols bgp local-as 65534 + set protocols bgp system-as 65534 set protocols bgp neighbor 192.168.0.2 ebgp-multihop '2' set protocols bgp neighbor 192.168.0.2 remote-as '65535' set protocols bgp neighbor 192.168.0.2 update-source '192.168.0.1' @@ -1080,7 +1080,7 @@ A simple eBGP configuration: .. code-block:: none - set protocols bgp local-as 65535 + set protocols bgp system-as 65535 set protocols bgp neighbor 192.168.0.1 ebgp-multihop '2' set protocols bgp neighbor 192.168.0.1 remote-as '65534' set protocols bgp neighbor 192.168.0.1 update-source '192.168.0.2' @@ -1114,7 +1114,7 @@ A simple BGP configuration via IPv6. .. code-block:: none - set protocols bgp local-as 65534 + set protocols bgp system-as 65534 set protocols bgp neighbor 2001:db8::2 ebgp-multihop '2' set protocols bgp neighbor 2001:db8::2 remote-as '65535' set protocols bgp neighbor 2001:db8::2 update-source '2001:db8::1' 
@@ -1126,7 +1126,7 @@ A simple BGP configuration via IPv6. .. code-block:: none - set protocols bgp local-as 65535 + set protocols bgp system-as 65535 set protocols bgp neighbor 2001:db8::1 ebgp-multihop '2' set protocols bgp neighbor 2001:db8::1 remote-as '65534' set protocols bgp neighbor 2001:db8::1 update-source '2001:db8::2' @@ -1177,7 +1177,7 @@ Route filter can be applied using a route-map: set policy route-map AS65535-OUT rule 10 match ipv6 address prefix-list 'AS65535-OUT' set policy route-map AS65535-OUT rule 20 action 'permit' - set protocols bgp local-as 65534 + set protocols bgp system-as 65534 set protocols bgp neighbor 2001:db8::2 address-family ipv4-unicast route-map export 'AS65535-OUT' set protocols bgp neighbor 2001:db8::2 address-family ipv4-unicast route-map import 'AS65535-IN' set protocols bgp neighbor 2001:db8::2 address-family ipv6-unicast route-map export 'AS65535-OUT' @@ -1205,7 +1205,7 @@ Route filter can be applied using a route-map: set policy route-map AS65534-OUT rule 10 match ipv6 address prefix-list 'AS65534-OUT' set policy route-map AS65534-OUT rule 20 action 'permit' - set protocols bgp local-as 65535 + set protocols bgp system-as 65535 set protocols bgp neighbor 2001:db8::1 address-family ipv4-unicast route-map export 'AS65534-OUT' set protocols bgp neighbor 2001:db8::1 address-family ipv4-unicast route-map import 'AS65534-IN' set protocols bgp neighbor 2001:db8::1 address-family ipv6-unicast route-map export 'AS65534-OUT' diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index a7cd7060..1b72f8eb 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst 
@@ -114,11 +114,11 @@ Operation conntrack is not enabled. To enable conntrack, just create a NAT or a firewall rule. :cfgcmd:`set firewall state-policy established action accept` -.. opcmd:: show conntrack-sync external-cache +.. opcmd:: show conntrack-sync cache external Show connection syncing external cache entries -.. opcmd:: show conntrack-sync internal-cache +.. opcmd:: show conntrack-sync cache internal Show connection syncing internal cache entries diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 46604dfd..3f4b7b89 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -69,10 +69,17 @@ Configuration respond to the client. The lease will remain abandoned for a minimum of abandon-lease-time seconds (defaults to 24 hours). - If a there are no free addressses but there are abandoned IP addresses, the + If there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time. +.. cfgcmd:: set service dhcp-server listen-address <address> + + This configuration parameter lets the DHCP server to listen for DHCP + requests sent to the specified address, it is only realistically useful for + a server whose only clients are reached via unicasts, such as via DHCP relay + agents. + Individual Client Subnet ------------------------- @@ -151,7 +158,7 @@ Individual Client Subnet respond to the client. The lease will remain abandoned for a minimum of abandon-lease-time seconds (defaults to 24 hours). - If a there are no free addressses but there are abandoned IP addresses, the + If a there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time. 
@@ -516,18 +523,6 @@ Operation Mode Show logs from specific `interface` DHCP client process. -.. opcmd:: show log dhcpv6 server - - Show DHCPv6 server daemon log file - -.. opcmd:: show log dhcpv6 client - - Show logs from all DHCPv6 client processes. - -.. opcmd:: show log dhcpv6 client interface <interface> - - Show logs from specific `interface` DHCPv6 client process. - .. opcmd:: restart dhcp server Restart the DHCP server @@ -736,6 +731,18 @@ The configuration will look as follows: Operation Mode ============== +.. opcmd:: show log dhcpv6 server + + Show DHCPv6 server daemon log file + +.. opcmd:: show log dhcpv6 client + + Show logs from all DHCPv6 client processes. + +.. opcmd:: show log dhcpv6 client interface <interface> + + Show logs from specific `interface` DHCPv6 client process. + .. opcmd:: restart dhcpv6 server To restart the DHCPv6 server @@ -746,7 +753,7 @@ Operation Mode .. opcmd:: show dhcpv6 server leases - Show statuses of all assigned leases: + Shows status of all assigned leases: .. code-block:: none diff --git a/docs/configuration/service/eventhandler.rst b/docs/configuration/service/eventhandler.rst new file mode 100644 index 00000000..15f08239 --- /dev/null +++ b/docs/configuration/service/eventhandler.rst 
@@ -0,0 +1,127 @@ +.. _event-handler: + +############# +Event Handler +############# + +********************************* +Event Handler Technology Overview +********************************* + +Event handler allows you to execute scripts when a string that matches a regex or a regex with +a service name appears in journald logs. You can pass variables, arguments, and a full matching string to the script. + + +****************************** +How to configure Event Handler +****************************** + + `1. Create an event handler`_ + + `2. Add regex to the script`_ + + `3. Add a full path to the script`_ + + `4. Add optional parameters`_ + +********************************* +Event Handler Configuration Steps +********************************* + +1. Create an event handler +========================== + + .. cfgcmd:: set service event-handler event <event-handler name> + + This is an optional command because the event handler will be automatically created after any of the next commands. + + +2. Add regex to the script +=========================================== + + .. cfgcmd:: set service event-handler event <event-handler name> filter pattern <regex> + + This is a mandatory command. Sets regular expression to match against log string message. + + .. note:: The regular expression matches if and only if the entire string matches the pattern. + + + +3. Add a full path to the script +================================ + + .. cfgcmd:: set service event-handler event <event-handler name> script path <path to script> + + This is a mandatory command. Sets the full path to the script. The script file must be executable. + + + +4. Add optional parameters +========================== + + .. cfgcmd:: set service event-handler event <event-handler name> filter syslog-identifier <sylogid name> + + This is an optional command. Filters log messages by syslog-identifier. + + .. 
cfgcmd:: set service event-handler event <event-handler name> script environment <env name> value <env value> + + This is an optional command. Adds environment and its value to the script. Use separate commands for each environment. + + One implicit environment exists. + + * ``message``: Full message that has triggered the script. + + .. cfgcmd:: set service event-handler event <event-handler name> script arguments <arguments> + + This is an optional command. Adds arguments to the script. Arguments must be separated by spaces. + + .. note:: We don't recomend to use arguments. Using environments is more preffereble. + + +******* +Example +******* + + Event handler that monitors the state of interface eth0. + + .. code-block:: none + + set service event-handler event INTERFACE_STATE_DOWN filter pattern '.*eth0.*,RUNNING,.*->.*' + set service event-handler event INTERFACE_STATE_DOWN filter syslog-identifier 'netplugd' + set service event-handler event INTERFACE_STATE_DOWN script environment interface_action value 'down' + set service event-handler event INTERFACE_STATE_DOWN script environment interface_name value 'eth2' + set service event-handler event INTERFACE_STATE_DOWN script path '/config/scripts/eventhandler.py' + + Event handler script + + .. 
code-block:: none + + #!/usr/bin/env python3 + # + # VyOS event-handler script example + from os import environ + import subprocess + from sys import exit + + # Perform actions according to requirements + def process_event() -> None: + # Get variables + message_text = environ.get('message') + interface_name = environ.get('interface_name') + interface_action = environ.get('interface_action') + # Print the message that triggered this script + print(f'Logged message: {message_text}') + # Prepare a command to run + command = f'sudo ip link set {interface_name} {interface_action}'.split() + # Execute a command + subprocess.run(command) + + if __name__ == '__main__': + try: + # Run script actions and exit + process_event() + exit(0) + except Exception as err: + # Exit properly in case if something in the script goes wrong + print(f'Error running script: {err}') + exit(1) diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 4ff777e9..08b16575 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -93,4 +93,4 @@ To use this full configuration we asume a public accessible hostname. set service https virtual-host rtr01 listen-address 198.51.100.2 set service https virtual-host rtr01 listen-port 11443 set service https virtual-host rtr01 server-name rtr01.example.com - set service https api-restrict virtual-host rtr01.example.com + set service https api-restrict virtual-host rtr01 diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst index 11a1a118..8607490d 100644 --- a/docs/configuration/service/index.rst +++ b/docs/configuration/service/index.rst @@ -25,3 +25,4 @@ Service ssh tftp-server webproxy + eventhandler diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index 36fa600d..0de72941 100644 --- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst 
@@ -61,6 +61,8 @@ Advertising a Prefix :header: "VyOS Field", "Description" :widths: 10,30 + "decrement-lifetime", "Lifetime is decremented by the number of seconds since the last RA - use in conjunction with a DHCPv6-PD prefix" + "deprecate-prefix", "Upon shutdown, this option will deprecate the prefix by announcing it in the shutdown RA" "no-autonomous-flag","Prefix can not be used for stateless address auto-configuration" "no-on-link-flag","Prefix can not be used for on-link determination" "preferred-lifetime","Time in seconds that the prefix will remain preferred (default 4 hours)" diff --git a/docs/configuration/service/webproxy.rst b/docs/configuration/service/webproxy.rst index e8f6423e..a6c5ff0a 100644 --- a/docs/configuration/service/webproxy.rst +++ b/docs/configuration/service/webproxy.rst @@ -137,6 +137,17 @@ Configuration set service webproxy reply-body-max-size 2048 +.. cfgcmd:: set service webproxy safe-ports <port> + + Add new port to Safe-ports acl. Ports included by default in Safe-ports acl: + 21, 70, 80, 210, 280, 443, 488, 591, 777, 873, 1025-65535 + +.. cfgcmd:: set service webproxy ssl-safe-ports <port> + + Add new port to SSL-ports acl. Ports included by default in SSL-ports acl: + 443 + + Authentication ============== diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst new file mode 100644 index 00000000..4c595022 --- /dev/null +++ b/docs/configuration/system/acceleration.rst 
@@ -0,0 +1,146 @@ +.. _acceleration: + +############ +Acceleration +############ + +In this command tree, all hardware acceleration options will be handled. +At the moment only `Intel® QAT`_ is supported + +********** +Intel® QAT +********** + +.. opcmd:: show system acceleration qat + + use this command to check if there is an Intel® QAT supported Processor in + your system. + + .. code-block:: + + vyos@vyos:~$ show system acceleration qat + 01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11) + + if there is non device the command will show ```No QAT device found``` + +.. cfgcmd:: set system acceleration qat + + if there is a supported device, enable Intel® QAT + +.. opcmd:: show system acceleration qat status + + Check if the Intel® QAT device is up and ready to do the job. + + .. code-block:: + + vyos@vyos:~$ show system acceleration qat status + Checking status of all devices. + There is 1 QAT acceleration device(s) in the system: + qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up + +Operation Mode +============== + +.. opcmd:: show system acceleration qat device <device> config + + Show the full config uploaded to the QAT device. + +.. opcmd:: show system acceleration qat device <device> flows + + Get an overview over the encryption counters. + +.. opcmd:: show system acceleration qat interrupts + + Show binded qat device interrupts to certain core. + + +Example +======= + +Let's build a simple VPN between 2 Intel® QAT ready devices. + +Side A: + +.. 
code-block:: + + set interfaces vti vti1 address '192.168.1.2/24' + set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' + set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' + set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' + set vpn ipsec ipsec-interfaces interface 'eth0' + set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123' + set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate' + set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2' + set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1' + +Side B: + +.. code-block:: + + set interfaces vti vti1 address '192.168.1.1/24' + set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' + set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' + set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' + set vpn ipsec ipsec-interfaces interface 'eth0' + set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123' + set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate' + set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1' + set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1' + +a bandwidth test over the VPN got these results: + +.. 
code-block:: + + Connecting to host 192.168.1.2, port 5201 + [ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201 + [ ID] Interval Transfer Bitrate Retr Cwnd + [ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes + [ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes + [ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes + [ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes + [ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes + [ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes + [ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes + [ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes + [ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes + [ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes + - - - - - - - - - - - - - - - - - - - - - - - - - + [ ID] Interval Transfer Bitrate Retr + [ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender + [ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver + +with :cfgcmd:`set system acceleration qat` on both systems the bandwidth +increases. + +.. 
code-block:: + + Connecting to host 192.168.1.2, port 5201 + [ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201 + [ ID] Interval Transfer Bitrate Retr Cwnd + [ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes + [ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes + [ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes + [ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes + [ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes + [ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes + [ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes + [ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes + [ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes + [ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes + - - - - - - - - - - - - - - - - - - - - - - - - - + [ ID] Interval Transfer Bitrate Retr + [ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender + [ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver + + +.. _`Intel® QAT`: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html
\ No newline at end of file diff --git a/docs/configuration/system/eventhandler.rst b/docs/configuration/system/eventhandler.rst deleted file mode 100644 index 3eab4e2c..00000000 --- a/docs/configuration/system/eventhandler.rst +++ /dev/null @@ -1,51 +0,0 @@ -.. _event-handler: - -Event Handler -------------- - -Event handler allows you to execute scripts when a string that matches a regex -appears in a text stream (e.g. log file). - -It uses "feeds" (output of commands, or a named pipes) and "policies" that -define what to execute if a regex is matched. - -.. code-block:: none - - system - event-handler - feed <name> - description <feed description> - policy <policy name> - source - preset - syslog # Use the syslog logs for feed - custom - command <command to execute> # E.g. "tail -f /var/log/somelogfile" - named-pipe <path to a names pipe> - policy <policy name> - description <policy description> - event <event name> - description <event description> - pattern <regex> - run <command to run> - -In this small example a script runs every time a login failed and an interface -goes down - -.. code-block:: none - - vyos@vyos# show system event-handler - feed Syslog { - policy MyPolicy - source { - preset syslog - } - } - policy MyPolicy { - description "Test policy" - event BadThingsHappened { - pattern "authentication failure" - pattern "interface \.* index \d+ .* DOWN.*" - run /config/scripts/email-to-admin - } - }
\ No newline at end of file diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index 9b4bf2e3..5bf781af 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst @@ -7,6 +7,7 @@ System :maxdepth: 1 :includehidden: + acceleration conntrack console flow-accounting @@ -29,4 +30,3 @@ System :includehidden: default-route - eventhandler diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst index 78aeef4e..29f46ae9 100644 --- a/docs/configuration/system/ip.rst +++ b/docs/configuration/system/ip.rst @@ -9,6 +9,15 @@ System configuration commands Use this command to disable IPv4 forwarding on all interfaces. +.. cfgcmd:: set system ip disable-directed-broadcast + + Use this command to disable IPv4 directed broadcast forwarding on all + interfaces. + + If set, IPv4 directed broadcast forwarding will be completely disabled + regardless of whether per-interface directed broadcast forwarding is + enabled or not. + .. cfgcmd:: set system ip arp table-size <number> Use this command to define the maximum number of entries to keep in @@ -67,4 +76,4 @@ And the different IPv4 **reset** commands available: bgp Clear Border Gateway Protocol (BGP) statistics or status igmp IGMP clear commands multicast IP multicast routing table - route Reset IP route
\ No newline at end of file + route Reset IP route diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst index 19016e7b..0b9f9cc8 100644 --- a/docs/configuration/system/ipv6.rst +++ b/docs/configuration/system/ipv6.rst @@ -160,7 +160,7 @@ Show commands Reset commands ^^^^^^^^^^^^^^ -.. opcmd:: reset ipv6 bgp <address> +.. opcmd:: reset bgp ipv6 <address> Use this command to clear Border Gateway Protocol statistics or status. diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index f2c7b162..50563e8b 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -278,6 +278,7 @@ spoke01-spoke04 ip nhrp registration timeout 75 tunnel source FastEthernet0/0 tunnel mode gre multipoint + tunnel protection ipsec profile DMVPN tunnel key 1 ! interface FastEthernet0/0 diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 43641d06..1b48571d 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -48,7 +48,7 @@ Server Configuration set vpn openconnect authentication local-users username <user> password <pass> set vpn openconnect authentication mode <local password|radius> - set vpn opneconnect network-settings client-ip-settings subnet <subnet> + set vpn openconnect network-settings client-ip-settings subnet <subnet> set vpn openconnect network-settings name-server <address> set vpn openconnect network-settings name-server <address> set vpn openconnect ssl ca-certificate <pki-ca-name> diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index f8bc4063..4f90260e 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst 
@@ -158,9 +158,6 @@ SSL Certificates Path to `<file>` pointing to the servers certificate (public portion). -.. cfgcmd:: set vpn sstp ssl key-file <file> - - Path to `<file>` pointing to the servers certificate (private portion). PPP Settings ------------ |
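Review bot: in the hunk that ends with the `Intel® QAT` link target, the `code-block::` directive wrapping the iperf-style throughput transcript (`Connecting to host 192.168.1.2, port 5201 ...`) carries no language argument, while the other pages in this change write `.. code-block:: none` for terminal output (see the deleted eventhandler.rst); use `.. code-block:: none` here too so Sphinx does not try to highlight the table. The transcript also shows only one run (778 Mbits/sec sender, 775 Mbits/sec receiver); placing a run taken without acceleration next to it would let readers see what the feature actually changes rather than just that a 10-second test completed.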
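Review bot: deleting docs/configuration/system/eventhandler.rst outright removes the `.. _event-handler:` label on its first line, so any `:ref:` pointing at it elsewhere in the docs will no longer resolve; search for references before merging (the toctree entry in docs/configuration/system/index.rst is handled in this change, but `:ref:` targets are not). The page was also the only documented way to react to log patterns such as `"authentication failure"` or an interface going DOWN by running a notification script; if the feature was dropped from the product, leave a one-line note stating that and pointing operators to whatever replaces it, so they do not keep assuming the alerting capability exists.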
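Review bot: the new `set system ip disable-directed-broadcast` entry in docs/configuration/system/ip.rst describes the override semantics (global setting wins over per-interface) but does not state the default when the command is absent, nor why an operator would want it. Directed-broadcast forwarding is the behaviour that lets one packet reach every host on a subnet, which is why RFC 2644 made dropping such packets the default; state the default explicitly and add one sentence on when the global knob is preferable to the per-interface control mentioned in the second paragraph, so readers can tell whether they are hardening or merely restating the default.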
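Review bot: the added `tunnel protection ipsec profile DMVPN` line in the spoke01-spoke04 stanza of docs/configuration/vpn/dmvpn.rst is the right fix, since the mGRE tunnel example otherwise carried NHRP and user traffic across the underlay unprotected, but it references a profile name (`DMVPN`) that does not appear in the hunk. Confirm that the same example defines `crypto ipsec profile DMVPN` together with the transform set and IKE policy it relies on; if it does not, a reader copying the spoke configuration ends up with a tunnel that never comes up instead of an encrypted one.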
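Review bot: the `opneconnect` to `openconnect` correction in the `network-settings client-ip-settings subnet <subnet>` line of docs/configuration/vpn/openconnect.rst is correct. While in this hunk, the two identical context lines `set vpn openconnect network-settings name-server <address>` read as a copy-paste slip; either drop one or vary the placeholder (for example `<address-1>` / `<address-2>`) so it is clear the command is meant to be repeated once per resolver.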
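Review bot: removing `set vpn sstp ssl key-file <file>` from the SSL Certificates section of docs/configuration/vpn/sstp.rst leaves the page documenting only the path to the server certificate's public portion and nowhere says how the private key is now supplied, so an operator cannot complete the TLS setup from this page alone. If the key now comes from the PKI subsystem (the openconnect hunk in this same change already uses `ssl ca-certificate <pki-ca-name>`), say so in the remaining entry; also tidy the double blank line the deletion leaves before the `PPP Settings` heading, and `servers certificate` in the kept line should read `server's certificate`.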