Diffstat (limited to 'docs/configuration')
| mode | file | lines changed |
| -rw-r--r-- | docs/configuration/firewall/index.rst | 9 |
| -rw-r--r-- | docs/configuration/service/conntrack-sync.rst | 4 |
| -rw-r--r-- | docs/configuration/service/dhcp-relay.rst | 1 |
| -rw-r--r-- | docs/configuration/service/dhcp-server.rst | 37 |
| -rw-r--r-- | docs/configuration/service/https.rst | 2 |
| -rw-r--r-- | docs/configuration/system/conntrack.disable | 2 |
| -rw-r--r-- | docs/configuration/system/conntrack.rst | 186 |
| -rw-r--r-- | docs/configuration/system/index.rst | 1 |
| -rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 1 |
9 files changed, 223 insertions, 20 deletions
| diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 92f2da8d..a9fb3c93 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -417,6 +417,15 @@ There are a lot of matching criteria against which the package can be tested.     Match against the state of a packet. +.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |  +   minute | hour> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |  +   minute | hour> + +   Match when 'count' amount of connections are seen within 'time'. These  +   matching criteria can be used to block brute-force attempts.  ***********************************  Applying a Rule-Set to an Interface diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index e2ca8599..c95cadc9 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -127,11 +127,11 @@ Operation      conntrack is not enabled. To enable conntrack, just create a NAT or a firewall      rule. :cfgcmd:`set firewall state-policy established action accept` -.. opcmd:: show conntrack-sync external-cache +.. opcmd:: show conntrack-sync cache external    Show connection syncing external cache entries -.. opcmd:: show conntrack-sync internal-cache +.. opcmd:: show conntrack-sync cache internal    Show connection syncing internal cache entries diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index 5adb83bb..b9aefbfb 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst 
@@ -78,6 +78,7 @@ The generated configuration will look like:    show service dhcp-relay        interface eth1 +      interface eth2        server 10.0.1.4        relay-options {           relay-agents-packets discard diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 38f4d7fc..f55c7a45 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -59,10 +59,17 @@ Configuration     respond to the client. The lease will remain abandoned for a minimum of     abandon-lease-time seconds (defaults to 24 hours). -   If a there are no free addressses but there are abandoned IP addresses, the +   If there are no free addresses but there are abandoned IP addresses, the     DHCP server will attempt to reclaim an abandoned IP address regardless of the     value of abandon-lease-time. +.. cfgcmd:: set service dhcp-server listen-address <address> + +   This configuration parameter lets the DHCP server to listen for DHCP  +   requests sent to the specified address, it is only realistically useful for  +   a server whose only clients are reached via unicasts, such as via DHCP relay  +   agents. +  Individual Client Subnet  ------------------------- @@ -141,7 +148,7 @@ Individual Client Subnet     respond to the client. The lease will remain abandoned for a minimum of     abandon-lease-time seconds (defaults to 24 hours). -   If a there are no free addressses but there are abandoned IP addresses, the +   If a there are no free addresses but there are abandoned IP addresses, the     DHCP server will attempt to reclaim an abandoned IP address regardless of the     value of abandon-lease-time. 
@@ -476,18 +483,6 @@ Operation Mode     Show logs from specific `interface` DHCP client process. -.. opcmd:: show log dhcpv6 server - -   Show DHCPv6 server daemon log file - -.. opcmd:: show log dhcpv6 client - -   Show logs from all DHCPv6 client processes. - -.. opcmd:: show log dhcpv6 client interface <interface> - -   Show logs from specific `interface` DHCPv6 client process. -  .. opcmd:: restart dhcp server     Restart the DHCP server @@ -697,6 +692,18 @@ The configuration will look as follows:  Operation Mode  ============== +.. opcmd:: show log dhcpv6 server + +   Show DHCPv6 server daemon log file + +.. opcmd:: show log dhcpv6 client + +   Show logs from all DHCPv6 client processes. + +.. opcmd:: show log dhcpv6 client interface <interface> + +   Show logs from specific `interface` DHCPv6 client process. +  .. opcmd:: restart dhcpv6 server     To restart the DHCPv6 server @@ -707,7 +714,7 @@ Operation Mode  .. opcmd:: show dhcpv6 server leases -   Show statuses of all assigned leases: +   Shows status of all assigned leases:  .. code-block:: none diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 18227027..de5e759a 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -93,4 +93,4 @@ To use this full configuration we asume a globally resolvable hostname.     set service https virtual-host rtr01 listen-address 198.51.100.2     set service https virtual-host rtr01 listen-port 11443     set service https virtual-host rtr01 server-name rtr01.example.com -   set service https api-restrict virtual-host rtr01.example.com +   set service https api-restrict virtual-host rtr01 diff --git a/docs/configuration/system/conntrack.disable b/docs/configuration/system/conntrack.disable deleted file mode 100644 index 7d5d4308..00000000 --- a/docs/configuration/system/conntrack.disable +++ /dev/null @@ -1,2 +0,0 @@ -conntrack -#########
\ No newline at end of file diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst new file mode 100644 index 00000000..6329fcf2 --- /dev/null +++ b/docs/configuration/system/conntrack.rst 
@@ -0,0 +1,186 @@ + +######### +Conntrack +######### + +VyOS can be configured to track connections using the connection +tracking subsystem. Connection tracking becomes operational once either +stateful firewall or NAT is configured. + +********* +Configure +********* + +.. cfgcmd:: set system conntrack table-size <1-50000000> +    :defaultvalue: + +    The connection tracking table contains one entry for each connection being +    tracked by the system. + +.. cfgcmd:: set system conntrack expect-table-size <1-50000000> +    :defaultvalue: + +    The connection tracking expect table contains one entry for each expected +    connection related to an existing connection. These are generally used by +    “connection tracking helper” modules such as FTP. +    The default size of the expect table is 2048 entries. + +.. cfgcmd:: set system conntrack hash-size <1-50000000> +    :defaultvalue: + +    Set the size of the hash table. The connection tracking hash table makes +    searching the connection tracking table faster. The hash table uses “buckets” to +    record entries in the connection tracking table. + +.. cfgcmd:: system conntrack modules ftp +.. cfgcmd:: system conntrack modules h323 +.. cfgcmd:: system conntrack modules nfs +.. cfgcmd:: system conntrack modules pptp +.. cfgcmd:: system conntrack modules sip +.. cfgcmd:: system conntrack modules sqlnet +.. cfgcmd:: system conntrack modules tftp + +    Configure the connection tracking protocol helper modules. +    All modules are enable by default. + +    | Use `delete system conntrack modules` to deactive all modules. +    | Or, for example ftp, `delete system conntrack modules ftp`. + + +Define Conection Timeouts +========================= + +VyOS supports setting timeouts for connections according to the +connection type. You can set timeout values for generic connections, for ICMP +connections, UDP connections, or for TCP connections in a number of different states. + +.. 
cfgcmd:: system conntrack timeout icmp <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout other <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp close <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp close-wait <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp established <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp fin-wait <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp last-ack <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp syn-recv <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp syn-sent <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp time-wait <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout udp other <1-21474836> +    :defaultvalue: +.. cfgcmd:: system conntrack timeout udp stream <1-21474836> +    :defaultvalue: + +    Set the timeout in secounds for a protocol or state. + + +You can also define custom timeout values to apply to a specific subset of +connections, based on a packet and flow selector. To do this, you create a rule +defining the packet and flow selector. + +.. cfgcmd:: system conntrack timeout custom rule <1-9999> description <test> + +    Set a rule description. + + +.. cfgcmd:: system conntrack timeout custom rule <1-9999> destination address <ip-address> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> source address <ip-address> + +    set a destination and/or source address. Accepted input: + +    .. 
code-block:: none + +        <x.x.x.x>    IP address to match +        <x.x.x.x/x>  Subnet to match +        <x.x.x.x>-<x.x.x.x> +                        IP range to match +        !<x.x.x.x>   Match everything except the specified address +        !<x.x.x.x/x> Match everything except the specified subnet +        !<x.x.x.x>-<x.x.x.x> +                        Match everything except the specified range + +.. cfgcmd:: system conntrack timeout custom rule <1-9999> destination port <value> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> source port <value> + +    Set a destination and/or source port. Accepted input: + +    .. code-block:: none + +        <port name>    Named port (any name in /etc/services, e.g., http) +        <1-65535>      Numbered port +        <start>-<end>  Numbered port range (e.g., 1001-1005) +     +    Multiple destination ports can be specified as a comma-separated list. +    The whole list can also be "negated" using '!'. For example: +    `!22,telnet,http,123,1001-1005`` + +             + +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol other <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836> +.. 
cfgcmd:: system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836> + +    Set the timeout in secounds for a protocol or state in a custom rule. + + +.. cfgcmd:: system conntrack tcp half-open-connections <1-21474836> +    :defaultvalue: + +    Set the maximum number of TCP half-open connections. + +.. cfgcmd:: system conntrack tcp loose <enable | disable> +    :defaultvalue: + +    Policy to track previously established connections. + +.. cfgcmd:: system conntrack tcp max-retrans <1-2147483647> +    :defaultvalue: + +    Set the number of TCP maximum retransmit attempts. + +.. cfgcmd:: system conntrack ignore rule <1-9999> description <text> +.. cfgcmd:: system conntrack ignore rule <1-9999> destination address <ip-address> +.. cfgcmd:: system conntrack ignore rule <1-9999> destination port <port> +.. cfgcmd:: system conntrack ignore rule <1-9999> inbound-interface <interface> +.. cfgcmd:: system conntrack ignore rule <1-9999> protocol <protocol> +.. cfgcmd:: system conntrack ignore rule <1-9999> source address <ip-address> +.. cfgcmd:: system conntrack ignore rule <1-9999> source port <port> + +    Configure customized ignore rules for selective connection tracking + +.. cfgcmd:: system conntrack log icmp destroy +.. cfgcmd:: system conntrack log icmp new +.. cfgcmd:: system conntrack log icmp update +.. cfgcmd:: system conntrack log other destroy +.. cfgcmd:: system conntrack log other new +.. cfgcmd:: system conntrack log other update +.. cfgcmd:: system conntrack log tcp destroy +.. cfgcmd:: system conntrack log tcp new +.. cfgcmd:: system conntrack log tcp update close-wait +.. cfgcmd:: system conntrack log tcp update established +.. cfgcmd:: system conntrack log tcp update fin-wait +.. cfgcmd:: system conntrack log tcp update last-ack +.. cfgcmd:: system conntrack log tcp update syn-received +.. cfgcmd:: system conntrack log tcp update time-wait +.. 
cfgcmd:: system conntrack log udp destroy +.. cfgcmd:: system conntrack log udp new +.. cfgcmd:: system conntrack log udp update + +    Log the connection tracking events per protocol.
\ No newline at end of file diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index ac84da49..9791ddb1 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst @@ -8,6 +8,7 @@ System     :includehidden:     acceleration +   conntrack     console     flow-accounting     host-name diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index f11f4a20..e5e2fad5 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -276,6 +276,7 @@ spoke01-spoke04     ip nhrp registration timeout 75     tunnel source FastEthernet0/0     tunnel mode gre multipoint +   tunnel protection ipsec profile DMVPN     tunnel key 1    !    interface FastEthernet0/0 | 
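Review bot: in the docs/configuration/firewall/index.rst hunk, the new `recent time <second | minute | hour>` cfgcmd names a unit but no duration, while the description says the match fires when 'count' connections are seen "within 'time'"; state explicitly what window each unit selects (one second, one minute, one hour) so readers can size `count` correctly, and reword "'count' amount of connections" to "'count' or more connections". Both `recent time` directive lines also carry trailing whitespace after `<second |` before the `minute | hour>` continuation; strip it so the directive renders cleanly. Since the text presents this criterion as a brute-force countermeasure, a short example in the surrounding section showing `recent` combined with the `state` match (so the counter applies to new connection attempts rather than to established traffic) would make the intended use much clearer.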
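Review bot: the docs/configuration/service/conntrack-sync.rst hunk renames `show conntrack-sync external-cache` to `show conntrack-sync cache external` (and likewise `internal-cache` to `cache internal`) without mentioning the old forms; add a one-line note that the previous syntax was replaced, and check the rest of that page and any other pages showing conntrack-sync output for remaining uses of the old command names.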
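Review bot: in the docs/configuration/service/dhcp-relay.rst hunk the example under "The generated configuration will look like:" now lists `interface eth2` next to `interface eth1`, so the `set service dhcp-relay interface ...` commands earlier in that section must also include eth2; otherwise the shown output no longer matches the configuration it claims to be generated from. Please confirm both halves of the example are in sync.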
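Review bot: in the first docs/configuration/service/dhcp-server.rst hunk (@@ -59), the new `listen-address` description has a grammar slip and a comma splice: "lets the DHCP server to listen for DHCP requests sent to the specified address, it is only realistically useful ..." should read "lets the DHCP server listen for DHCP requests sent to the specified address. It is only realistically useful for a server whose only clients are reached via unicast, such as through DHCP relay agents." The three continuation lines of that paragraph also end in trailing whitespace. It would help readers to state whether the address must already be configured on a local interface and whether more than one `listen-address` may be set.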
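Review bot: the second dhcp-server.rst hunk (@@ -141) fixes "addressses" but keeps the stray article, so the line still reads "If a there are no free addresses"; the same sentence in the @@ -59 hunk was corrected to "If there are no free addresses", so make this one match.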
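Review bot: in the dhcp-server.rst @@ -707 hunk, "Shows status of all assigned leases:" breaks the imperative style used by the neighbouring opcmd descriptions in the same section ("Show DHCPv6 server daemon log file", "Show logs from all DHCPv6 client processes"); use "Show status of all assigned leases:" instead.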
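Review bot: in the docs/configuration/service/https.rst hunk, `api-restrict virtual-host` now references `rtr01`, which is the virtual-host identifier defined by the `set service https virtual-host rtr01 ...` lines above it, rather than the server-name `rtr01.example.com`. Because a restriction pointing at a virtual-host name that does not exist would not apply to the listener it was meant for, the surrounding text should say explicitly that `api-restrict virtual-host` takes the virtual-host name and not the server-name, so readers do not reproduce the old mistake.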
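Review bot: the new docs/configuration/system/conntrack.rst mixes two cfgcmd forms: the first three directives read `set system conntrack table-size ...`, `set system conntrack expect-table-size ...` and `set system conntrack hash-size ...`, while every later directive (`system conntrack modules ftp`, `system conntrack timeout ...`, `system conntrack tcp ...`, `system conntrack ignore rule ...`, `system conntrack log ...`) omits the leading `set`; pick one form for the whole page. Several typos should be fixed before merge: the heading "Define Conection Timeouts" (and its `=` underline must grow by one character to match "Connection"), "secounds" twice in "Set the timeout in secounds", "All modules are enable by default", "deactive all modules", the lowercase "set a destination and/or source address", and `description <test>` where the ignore-rule directive correctly uses `<text>`. The port example `!22,telnet,http,123,1001-1005`` has one opening and two closing backticks, so it will not render as intended. The `expect-table-size` description hard-codes "The default size of the expect table is 2048 entries" while the directive also carries `:defaultvalue:`; keeping the number in both places invites drift, so drop the prose copy. The `tcp loose <enable | disable>` description "Policy to track previously established connections" is too thin for a setting with security impact: it should say that enabling it lets conntrack create an entry for a TCP flow whose handshake it never saw (for example after the router restarts) instead of treating the mid-stream packets as invalid, and that the trade-off is accepting state without having observed a handshake. Also confirm that `tcp max-retrans <1-2147483647>` is meant to have a different upper bound from the `<1-21474836>` range used by every timeout directive, remove the whitespace-only lines (`+     ` and `+             `), and add the missing newline at end of file.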
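Review bot: the added `tunnel protection ipsec profile DMVPN` line in the docs/configuration/vpn/dmvpn.rst spoke01-spoke04 example references an IPsec profile by name; make sure the example (or the shared Cisco configuration it is derived from) also contains the matching `crypto ipsec profile DMVPN` definition, otherwise the excerpt cannot be applied as shown. The addition itself is the right call, since without tunnel protection the mGRE tunnel carries NHRP and data traffic without encryption.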
