path: root/docs/configuration
Diffstat (limited to 'docs/configuration')
-rw-r--r--  docs/configuration/container/index.rst            11
-rw-r--r--  docs/configuration/firewall/flowtables.rst        10
-rw-r--r--  docs/configuration/firewall/global-options.rst    32
-rw-r--r--  docs/configuration/firewall/index.rst             35
-rw-r--r--  docs/configuration/firewall/ipv4.rst              39
-rw-r--r--  docs/configuration/firewall/ipv6.rst              39
-rw-r--r--  docs/configuration/interfaces/wireless.rst        23
-rw-r--r--  docs/configuration/loadbalancing/reverse-proxy.rst 61
-rw-r--r--  docs/configuration/nat/cgnat.rst                  55
-rw-r--r--  docs/configuration/system/conntrack.rst           39
-rw-r--r--  docs/configuration/trafficpolicy/index.rst        50
11 files changed, 315 insertions, 79 deletions
diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst
index 399f2ef5..a1672aa7 100644
--- a/docs/configuration/container/index.rst
+++ b/docs/configuration/container/index.rst
@@ -168,6 +168,17 @@ Configuration
setdomainame)
- **sys-time**: Permission to set system clock
+.. cfgcmd:: set container name <name> sysctl parameter <parameter> value <value>
+
+ Set container sysctl values.
+
+ The subset of possible parameters are:
+
+ - Kernel Parameters: kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem,
+ kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
+ - Parameters beginning with fs.mqueue.*
+ - Parameters beginning with net.* (only if user-defined network is used)
+
.. cfgcmd:: set container name <name> label <label> value <value>
Add metadata label for this container.
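Review bot: "The subset of possible parameters are:" is ungrammatical and vague; suggest "Only the following sysctl parameters can be set:". The text should also state explicitly that these values take effect inside the container's own namespaces rather than on the host, which is what the `net.*` restriction ("only if user-defined network is used") implies but never says, and one worked `set container name ... sysctl parameter ... value ...` example in the page's `cfgcmd` style would make the syntax concrete.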
diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst
index e8a5f2e8..ae95a85f 100644
--- a/docs/configuration/firewall/flowtables.rst
+++ b/docs/configuration/firewall/flowtables.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-12-26
+:lastproofread: 2024-06-20
.. _firewall-flowtables-configuration:
@@ -85,12 +85,12 @@ Provide a description to the flow table.
Creating rules for using flow tables:
-.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
action offload
Create firewall rule in forward chain, and set action to ``offload``.
-.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
offload-target <flowtable>
Create firewall rule in forward chain, and define which flowtbale
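Review bot: the context line "define which flowtbale" still carries the "flowtbale" typo directly under the corrected `[ipv4 | ipv6]` directive; since this hunk already rewrites that cfgcmd, fix it to "flowtable" in the same change.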
@@ -142,7 +142,7 @@ Explanation
Analysis on what happens for desired connection:
- 1. First packet is received on eht0, with destination address 192.0.2.100,
+ 1. First packet is received on eth0, with destination address 192.0.2.100,
protocol tcp and destination port 1122. Assume such destination address is
reachable through interface eth1.
@@ -159,7 +159,7 @@ Analysis on what happens for desired connection:
connection state is **established**, then rule 10 is hit, and a new entry
in the flowtable FT01 is added for this connection.
- 6. All subsecuent packets will skip traditional path, and will be offloaded
+ 6. All the following packets will skip traditional path, and will be offloaded
and will use the **Fast Path**.
Checks
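Review bot: "All the following packets will skip traditional path" drops the intended word ("subsecuent" was a typo for "subsequent") and still lacks articles; suggest "All subsequent packets skip the traditional path and are offloaded to the **Fast Path**."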
diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst
index b3f311aa..7c52045e 100644
--- a/docs/configuration/firewall/global-options.rst
+++ b/docs/configuration/firewall/global-options.rst
@@ -145,3 +145,35 @@ Configuration
[emerg | alert | crit | err | warn | notice | info | debug]
Set the global setting for related connections.
+
+VyOS supports setting timeouts for connections according to the
+connection type. You can set timeout values for generic connections, for ICMP
+connections, UDP connections, or for TCP connections in a number of different
+states.
+
+.. cfgcmd:: set firewall global-options timeout icmp <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp close <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp close-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp established <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp fin-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp last-ack <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp syn-recv <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp syn-sent <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp time-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout udp other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout udp stream <1-21474836>
+ :defaultvalue:
+
+ Set the timeout in seconds for a protocol or state. \ No newline at end of file
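Review bot: the move of the connection timeouts from `set system conntrack timeout ...` to `set firewall global-options timeout ...` is not mentioned anywhere in the new text; add a sentence naming the release in which the command path changed, as the conntrack-ignore note elsewhere in this commit does, so readers with older configurations know the old path is gone rather than merely undocumented. The file also ends without a trailing newline (`\ No newline at end of file`); add one.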
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 1d904901..daf5f116 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -26,14 +26,23 @@ firewall are covered below:
If the interface where the packet was received isn't part of a bridge, then
packet is processed at the **IP Layer**:
- * **Prerouting**: several actions can be done in this stage, and currently
- these actions are defined in different parts in VyOS configuration. Order
- is important, and all these actions are performed before any actions
- defined under ``firewall`` section. Relevant configuration that acts in
- this stage are:
+ * **Prerouting**: All packets that are received by the router
+ are processed in this stage, regardless of the destination of the packet.
+ Starting from vyos-1.5-rolling-202406120020, a new section was added to
+ firewall configuration. There are several actions that can be done in this
+ stage, and currently these actions are also defined in different parts in
+ VyOS configuration. Order is important, and relevant configuration that
+ acts in this stage are:
+
+ * **Firewall prerouting**: rules defined under ``set firewall [ipv4 |
+ ipv6] prerouting raw...``. All rules defined in this section are
+ processed before connection tracking subsystem.
* **Conntrack Ignore**: rules defined under ``set system conntrack ignore
- [ipv4 | ipv6] ...``.
+ [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020,
+ configuration done in this section can be done in ``firewall [ipv4 |
+ ipv6] prerouting ...``. For compatibility reasons, this feature is
+ still present, but it will be removed in the future.
* **Policy Route**: rules defined under ``set policy [route | route6]
...``.
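Review bot: "Order is important" is kept, but the new **Firewall prerouting** item and **Conntrack Ignore** are both described as processed before the connection tracking subsystem without saying which is evaluated first when both are configured; state the relative order explicitly (if the bullet order is the evaluation order, say so). Minor wording: "defined in different parts in VyOS configuration" reads better as "defined in different parts of the VyOS configuration", and "processed before connection tracking subsystem" needs "the".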
@@ -67,11 +76,13 @@ packet is processed at the **IP Layer**:
new connection originated by a internal process running on VyOS router,
such as NTP, or a response to traffic received externally through
**input** (for example response to an ssh login attempt to the router).
- This includes ipv4 and ipv6 filtering rules, defined in:
+ This includes ipv4 and ipv6 rules, and two different sections are present:
- * ``set firewall ipv4 output filter ...``.
+ * **Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``.
+ As described in **Prerouting**, rules defined in this section are
+ processed before connection tracking subsystem.
- * ``set firewall ipv6 output filter ...``.
+ * **Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``.
* **Postrouting**: as in **Prerouting**, several actions defined in
different parts of VyOS configuration are performed in this
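Review bot: both new bullets point at the same command path. `**Output Prerouting**: set firewall [ipv4 | ipv6] output filter ...` should reference `output raw ...`, as ipv4.rst in this same commit does (`**Output Prerouting**: set firewall ipv4 output raw ...`); as written the filter chain is listed twice and the raw chain not at all. Also "This includes ipv4 and ipv6 rules, and two different sections are present:" would read better as "Both IPv4 and IPv6 rules are supported, in two different sections:".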
@@ -120,6 +131,9 @@ The main structure of the VyOS firewall CLI is shown next:
+ filter
- output
+ filter
+ + raw
+ - prerouting
+ + raw
- name
+ custom_name
* ipv6
@@ -129,6 +143,9 @@ The main structure of the VyOS firewall CLI is shown next:
+ filter
- output
+ filter
+ + raw
+ - prerouting
+ + raw
- ipv6-name
+ custom_name
* zone
diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst
index f7f98dc7..39370c86 100644
--- a/docs/configuration/firewall/ipv4.rst
+++ b/docs/configuration/firewall/ipv4.rst
@@ -31,17 +31,34 @@ of the general structure:
+ filter
- output
+ filter
+ + raw
+ - prerouting
+ + raw
- name
+ custom_name
+First, all traffic is received by the router, and it is processed in the
+**prerouting** section.
+
+This stage includes:
+
+ * **Firewall Prerouting**: commands found under ``set firewall ipv4
+ prerouting raw ...``
+ * :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
+ conntrack ignore ipv4...``
+ * :doc:`Policy Route</configuration/policy/route>`: commands found under
+ ``set policy route ...``
+ * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
+ ``set nat destination ...``
+
For transit traffic, which is received by the router and forwarded, base chain
is **forward**. A simplified packet flow diagram for transit traffic is shown
next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png
-Where firewall base chain to configure firewall filtering rules for transit
-traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
+Firewall base chain to configure firewall filtering rules for transit traffic
+is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
highlighted with red color.
For traffic towards the router itself, base chain is **input**, while traffic
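Review bot: `set system conntrack ignore ipv4...` is missing the space before the ellipsis that the other commands use (`ipv4 ...`). The "This stage includes:" list would be more useful if it said whether the items are given in processing order, since index.rst in this commit stresses that order within prerouting matters.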
@@ -52,11 +69,17 @@ router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png
-Base chain is for traffic toward the router is ``set firewall ipv4 input
+Base chain for traffic towards the router is ``set firewall ipv4 input
filter ...``
And base chain for traffic generated by the router is ``set firewall ipv4
-output filter ...``
+output ...``, where two sub-chains are available: **filter** and **raw**:
+
+* **Output Prerouting**: ``set firewall ipv4 output raw ...``.
+ As described in **Prerouting**, rules defined in this section are
+ processed before connection tracking subsystem.
+* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined
+ in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
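Review bot: the bullet labelled **Output Prerouting** documents the `output raw` sub-chain; naming it **Output Raw**, matching the CLI keyword the way **Output Filter** does, would avoid implying that locally generated traffic passes through a prerouting hook. "As described in **Prerouting**" can then simply say that raw rules run before the connection tracking subsystem.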
@@ -709,6 +732,10 @@ geoip) to keep database and rules updated.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supported. For example ``!eth2``
+.. note:: If an interface is attached to a non-default vrf, when using
+ **inbound-interface**, vrf name must be used. For example ``set firewall
+ ipv4 forward filter rule 10 inbound-interface name MGMT``
+
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
inbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
@@ -730,6 +757,10 @@ geoip) to keep database and rules updated.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supported. For example ``!eth2``
+.. note:: If an interface is attached to a non-default vrf, when using
+ **outbound-interface**, real interface name must be used. For example
+ ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``
+
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
outbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
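Review bot: the two new notes give opposite instructions for interfaces in a non-default VRF (the VRF name for **inbound-interface**, the real interface name for **outbound-interface**) with no explanation, so a reader will likely assume one of them is a typo; add one sentence on why ingress is matched on the VRF device while egress is matched on the real interface, or at least cross-reference the VRF documentation. Capitalise "vrf" as "VRF" in both notes.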
diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst
index cbf18a7d..511fd51f 100644
--- a/docs/configuration/firewall/ipv6.rst
+++ b/docs/configuration/firewall/ipv6.rst
@@ -31,17 +31,34 @@ of the general structure:
+ filter
- output
+ filter
+ + raw
+ - prerouting
+ + raw
- name
+ custom_name
+First, all traffic is received by the router, and it is processed in the
+**prerouting** section.
+
+This stage includes:
+
+ * **Firewall Prerouting**: commands found under ``set firewall ipv6
+ prerouting raw ...``
+ * :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
+ conntrack ignore ipv6...``
+ * :doc:`Policy Route</configuration/policy/route>`: commands found under
+ ``set policy route6 ...``
+ * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
+ ``set nat66 destination ...``
+
For transit traffic, which is received by the router and forwarded, base chain
is **forward**. A simplified packet flow diagram for transit traffic is shown
next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png
-Where firewall base chain to configure firewall filtering rules for transit
-traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
+Firewall base chain to configure firewall filtering rules for transit traffic
+is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
highlighted with red color.
For traffic towards the router itself, base chain is **input**, while traffic
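Review bot: the **Destination NAT** link targets `/configuration/nat/nat44` while the command shown is `set nat66 destination ...`; point the `:doc:` at the page that documents `nat66`, or drop the IPv4 link. The same missing space before the ellipsis in `ipv6...` as in the ipv4 file applies here.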
@@ -52,11 +69,17 @@ router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png
-Base chain is for traffic toward the router is ``set firewall ipv6 input
+Base chain for traffic towards the router is ``set firewall ipv6 input
filter ...``
And base chain for traffic generated by the router is ``set firewall ipv6
-output filter ...``
+output filter ...``, where two sub-chains are available: **filter** and **raw**:
+
+* **Output Prerouting**: ``set firewall ipv6 output raw ...``.
+ As described in **Prerouting**, rules defined in this section are
+ processed before connection tracking subsystem.
+* **Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined
+ in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
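Review bot: `set firewall ipv6 output filter ...`, "where two sub-chains are available: **filter** and **raw**" is inconsistent: the base path should be `set firewall ipv6 output ...`, as in the ipv4 change of this commit, because `filter` is itself one of the two sub-chains being introduced.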
@@ -700,6 +723,10 @@ geoip) to keep database and rules updated.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supported. For example ``!eth2``
+.. note:: If an interface is attached to a non-default vrf, when using
+ **inbound-interface**, vrf name must be used. For example ``set firewall
+ ipv6 forward filter rule 10 inbound-interface name MGMT``
+
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
inbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
@@ -721,6 +748,10 @@ geoip) to keep database and rules updated.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supported. For example ``!eth2``
+.. note:: If an interface is attached to a non-default vrf, when using
+ **outbound-interface**, real interface name must be used. For example
+ ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``
+
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
outbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst
index b7188f44..d93e983e 100644
--- a/docs/configuration/interfaces/wireless.rst
+++ b/docs/configuration/interfaces/wireless.rst
@@ -36,14 +36,19 @@ Common interface configuration
:var0: wireless
:var1: wlan0
-Wireless options
-================
+System Wide configuration
+=========================
-.. cfgcmd:: set interfaces wireless <interface> channel <number>
+.. cfgcmd:: set system wireless country-code <cc>
- Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from
- 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173.
- On 6GHz (802.11 ax) channels range from 1 to 233.
+ Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed
+ to indicate country in which device is operating. This can limit available
+ channels and transmit power.
+
+ .. note:: This option is mandatory in Access-Point mode.
+
+Wireless options
+================
.. cfgcmd:: set system wireless country-code <cc>
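Review bot: the `set system wireless country-code <cc>` directive is now documented twice: once in the new **System Wide configuration** section and again in the context line that remains under **Wireless options** (with its "mandatory in Access-Point mode" note visible in the following hunk). Remove the old copy so the directive is defined once and Sphinx does not flag a duplicate description.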
@@ -53,6 +58,12 @@ Wireless options
.. note:: This option is mandatory in Access-Point mode.
+.. cfgcmd:: set interfaces wireless <interface> channel <number>
+
+ Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from
+ 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173.
+ On 6GHz (802.11 ax) channels range from 1 to 233.
+
.. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid
Send empty SSID in beacons and ignore probe request frames that do not specify
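Review bot: unit spelling is inconsistent in the re-added channel description: "2.4Ghz" and "5Ghz" versus "6GHz"; use "GHz" throughout (ideally with a space, "2.4 GHz"). "channels available are 0, 34 to 173" also reads oddly; "channels 0 and 34 to 173 are available" is clearer.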
diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst
index 3edc4283..9cb49a7f 100644
--- a/docs/configuration/loadbalancing/reverse-proxy.rst
+++ b/docs/configuration/loadbalancing/reverse-proxy.rst
@@ -161,8 +161,34 @@ Backend
Set custom HTTP headers to be included in all responses using the backend
-HTTP health check
-^^^^^^^^^^^^^^^^^
+Global
+-------
+
+Global parameters
+
+.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections
+ <num>
+
+ Limit maximum number of connections
+
+.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers
+ <ciphers>
+
+ Limit allowed cipher algorithms used during SSL/TLS handshake
+
+.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min
+ <version>
+
+ Specify the minimum required TLS version 1.2 or 1.3
+
+
+Health checks
+=============
+
+
+HTTP checks
+-----------
+
For web application providing information about their state HTTP health
checks can be used to determine their availability.
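Review bot: the two TLS parameters need more than a one-line description. `ssl-bind-ciphers <ciphers>` does not say what format the value takes or give an example, so an operator cannot tell how to restrict the suite list; `tls-version-min <version>` does not state the default, so a reader cannot tell whether TLS 1.0/1.1 are accepted when the option is unset. Also check the heading levels: **Health checks** is underlined with `=` while **Global** just above uses `-`, so it will render one level above the section it follows; verify that is intended.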
@@ -185,31 +211,32 @@ checks can be used to determine their availability.
expect <condition>
Sets the expected result condition for considering a server healthy.
+
Some possible examples are:
* ``status 200`` Expecting a 200 response code
* ``status 200-399`` Expecting a non-failure response code
* ``string success`` Expecting the string `success` in the response body
-Global
--------
-
-Global parameters
-
-.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections
- <num>
-
- Limit maximum number of connections
+TCP checks
+----------
-.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers
- <ciphers>
+Health checks can also be configured for TCP mode backends. You can configure
+protocol aware checks for a range of Layer 7 protocols:
- Limit allowed cipher algorithms used during SSL/TLS handshake
+.. cfgcmd:: set load-balancing reverse-proxy backend <name> health-check <protocol>
-.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min
- <version>
+ Available health check protocols:
+ * ``ldap`` LDAP protocol check.
+ * ``redis`` Redis protocol check.
+ * ``mysql`` MySQL protocol check.
+ * ``pgsql`` PostgreSQL protocol check.
+ * ``smtp`` SMTP protocol check.
- Specify the minimum required TLS version 1.2 or 1.3
+.. note:: If you specify a server to be checked but do not configure a
+ protocol, a basic TCP health check will be attempted. A server shall be
+ deemed online if it responses to a connection attempt with a valid
+ ``SYN/ACK`` packet.
Redirect HTTP to HTTPS
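Review bot: "if it responses to a connection attempt" should be "if it responds to a connection attempt". Also make sure there is a blank line between "Available health check protocols:" and the bullet list; without it docutils folds the `*` lines into the preceding paragraph instead of rendering a list.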
diff --git a/docs/configuration/nat/cgnat.rst b/docs/configuration/nat/cgnat.rst
index 70916318..7fc5e03b 100644
--- a/docs/configuration/nat/cgnat.rst
+++ b/docs/configuration/nat/cgnat.rst
@@ -82,9 +82,10 @@ Configuration
Set external source port limits that will be allocated to each subscriber
individually. The default value is 2000.
-.. cfgcmd:: set nat cgnat pool external <pool-name> range [address | address range | network]
+.. cfgcmd:: set nat cgnat pool external <pool-name> range [address | address range | network] [seq]
Set the range of external IP addresses for the CGNAT pool.
+ The sequence is optional; if set, a lower value means higher priority.
.. cfgcmd:: set nat cgnat pool internal <pool-name> range [address range | network]
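Review bot: the new `[seq]` token in the cfgcmd signature does not show that `seq` takes a numeric argument; the example later in this commit writes `range 203.0.113.1/32 seq '10'`, so the signature should read `[seq <num>]` and the description should give the accepted range alongside "a lower value means higher priority".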
@@ -98,6 +99,9 @@ Configuration
Set the rule for the translation pool.
+.. cfgcmd:: set nat cgnat log-allocation
+
+ Enable logging of IP address and ports allocations.
Configuration Examples
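Review bot: "Enable logging of IP address and ports allocations" should be "Enable logging of IP address and port allocations". It should also say where the allocation log lines are written (syslog facility or file) and roughly what a line contains, since attributing an external address and port block back to a subscriber is the reason to enable this and an operator needs to know where to look.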
@@ -134,6 +138,55 @@ Multiple external addresses
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
+External address sequences
+-----------------------------------
+
+.. code-block:: none
+
+ set nat cgnat pool external ext-01 per-user-limit port '16000'
+ set nat cgnat pool external ext-01 range 203.0.113.1/32 seq '10'
+ set nat cgnat pool external ext-01 range 192.0.2.1/32 seq '20'
+ set nat cgnat pool internal int-01 range '100.64.0.0/29'
+ set nat cgnat rule 10 source pool 'int-01'
+ set nat cgnat rule 10 translation pool 'ext-01'
+
+
+Operation commands
+==================
+
+.. opcmd:: show nat cgnat allocation
+
+ Show address and port allocations
+
+.. opcmd:: show nat cgnat allocation external-address <address>
+
+ Show all allocations for an external IP address
+
+.. opcmd:: show nat cgnat allocation internal-address <address>
+
+ Show all allocations for an internal IP address
+
+Show CGNAT allocations
+----------------------
+
+.. code-block:: none
+
+ vyos@vyos:~$ show nat cgnat allocation
+ Internal IP External IP Port range
+ ------------- ------------- ------------
+ 100.64.0.0 203.0.113.1 1024-17023
+ 100.64.0.1 203.0.113.1 17024-33023
+ 100.64.0.2 203.0.113.1 33024-49023
+ 100.64.0.3 203.0.113.1 49024-65023
+ 100.64.0.4 192.0.2.1 1024-17023
+ 100.64.0.5 192.0.2.1 17024-33023
+ 100.64.0.6 192.0.2.1 33024-49023
+ 100.64.0.7 192.0.2.1 49024-65023
+
+ vyos@vyos:~$ show nat cgnat allocation internal-address 100.64.0.4
+ Internal IP External IP Port range
+ ------------- ------------- ------------
+ 100.64.0.4 192.0.2.1 1024-17023
Further Reading
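Review bot: the allocation output is left to speak for itself; one sentence explaining it would make the sequence example land: with `per-user-limit port '16000'` each external address serves four subscribers (port blocks 1024-17023 through 49024-65023), and because 203.0.113.1 carries `seq '10'` it is filled before 192.0.2.1 with `seq '20'`. Also the `External address sequences` underline is longer than the title; harmless, but inconsistent with the other headings.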
diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst
index 1401e02e..6d551575 100644
--- a/docs/configuration/system/conntrack.rst
+++ b/docs/configuration/system/conntrack.rst
@@ -64,39 +64,7 @@ Configure
Contrack Timeouts
=================
-VyOS supports setting timeouts for connections according to the
-connection type. You can set timeout values for generic connections, for ICMP
-connections, UDP connections, or for TCP connections in a number of different
-states.
-
-.. cfgcmd:: set system conntrack timeout icmp <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout other <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp close <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp established <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout udp other <1-21474836>
- :defaultvalue:
-.. cfgcmd:: set system conntrack timeout udp stream <1-21474836>
- :defaultvalue:
-
- Set the timeout in seconds for a protocol or state.
-
-You can also define custom timeout values to apply to a specific subset of
+You can define custom timeout values to apply to a specific subset of
connections, based on a packet and flow selector. To do this, you need to
create a rule defining the packet and flow selector.
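Review bot: the context heading "Contrack Timeouts" is misspelled and, now that this hunk removes the generic timeout commands from the section, it covers only per-selector custom timeouts; rename it to "Conntrack Timeouts" (or "Custom conntrack timeouts") in this change. There is also no pointer telling readers that the removed `set system conntrack timeout ...` commands now live under `set firewall global-options timeout ...`; add one, as the ignore-rules hunk below does for its migration.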
@@ -177,6 +145,11 @@ create a rule defining the packet and flow selector.
Conntrack ignore rules
======================
+.. note:: **Important note about conntrack ignore rules:**
+ Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in
+ ``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in
+ the future the conntrack ignore rules will be removed.
+
Customized ignore rules, based on a packet and flow selector.
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
diff --git a/docs/configuration/trafficpolicy/index.rst b/docs/configuration/trafficpolicy/index.rst
index f99c2a66..5414ce77 100644
--- a/docs/configuration/trafficpolicy/index.rst
+++ b/docs/configuration/trafficpolicy/index.rst
@@ -212,6 +212,56 @@ You can also write a description for a filter:
.. note:: IPv6 TCP filters will only match IPv6 packets with no header
extension, see https://en.wikipedia.org/wiki/IPv6_packet#Extension_headers
+Traffic Match Group
+-------------------
+In some case where we need to have an organization of our matching selection,
+in order to be more flexible and organize with our filter definition. We can
+apply traffic match groups, allowing us to create distinct filter groups within
+our policy and define various parameters for each group:
+
+.. code-block:: none
+
+ set qos traffic-match-group <group_name> match <match_name>
+ Possible completions:
+ description Description
+ > ip Match IP protocol header
+ > ipv6 Match IPv6 protocol header
+ mark Match on mark applied by firewall
+ vif Virtual Local Area Network (VLAN) ID for this match
+
+inherit matches from another group
+
+.. code-block:: none
+
+ set qos traffic-match-group <group_name> match-group <match_group_name>
+
+A match group can contain multiple criteria and inherit them in the same policy.
+
+For example:
+
+.. code-block:: none
+
+ set qos traffic-match-group Mission-Critical match AF31 ip dscp 'AF31'
+ set qos traffic-match-group Mission-Critical match AF32 ip dscp 'AF42'
+ set qos traffic-match-group Mission-Critical match CS3 ip dscp 'CS3'
+ set qos traffic-match-group Streaming-Video match AF11 ip dscp 'AF11'
+ set qos traffic-match-group Streaming-Video match AF41 ip dscp 'AF41'
+ set qos traffic-match-group Streaming-Video match AF43 ip dscp 'AF43'
+ set qos policy shaper VyOS-HTB class 10 bandwidth '30%'
+ set qos policy shaper VyOS-HTB class 10 description 'Multimedia'
+ set qos policy shaper VyOS-HTB class 10 match CS4 ip dscp 'CS4'
+ set qos policy shaper VyOS-HTB class 10 match-group 'Streaming-Video'
+ set qos policy shaper VyOS-HTB class 10 priority '1'
+ set qos policy shaper VyOS-HTB class 10 queue-type 'fair-queue'
+ set qos policy shaper VyOS-HTB class 20 description 'MC'
+ set qos policy shaper VyOS-HTB class 20 match-group 'Mission-Critical'
+ set qos policy shaper VyOS-HTB class 20 priority '2'
+ set qos policy shaper VyOS-HTB class 20 queue-type 'fair-queue'
+ set qos policy shaper VyOS-HTB default bandwidth '20%'
+ set qos policy shaper VyOS-HTB default queue-type 'fq-codel'
+
+In this example, we can observe that different DSCP criteria are defined based
+on our QoS configuration within the same policy group.
Default
-------
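Review bot: the opening paragraph is a sentence fragment ("In some case where we need to have an organization of our matching selection, in order to be more flexible and organize with our filter definition."); suggest "Traffic match groups let you define a named set of match criteria once and reuse it in several policy classes:". "inherit matches from another group" needs to be a full sentence ("To inherit the matches of another group:"). In the example, `match AF32 ip dscp 'AF42'` is almost certainly meant to be `ip dscp 'AF32'`, given the match name and its neighbours AF31 and CS3. Finally, "A match group can contain multiple criteria and inherit them in the same policy" does not state the semantics a reader needs before using the feature: whether any single criterion in the group selects the class, and what happens when a class has both its own `match` entries and a `match-group`.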