Diffstat (limited to 'docs')
24 files changed, 689 insertions, 238 deletions
diff --git a/docs/_include/interface-common-with-dhcp.txt b/docs/_include/interface-common-with-dhcp.txt index 1cacdd53..46dddb9b 100644 --- a/docs/_include/interface-common-with-dhcp.txt +++ b/docs/_include/interface-common-with-dhcp.txt @@ -15,3 +15,7 @@ .. cmdinclude:: /_include/interface-dhcpv6-options.txt :var0: {{ var0 }} :var1: {{ var1 }} + +.. cmdinclude:: ../_include/interface-dhcpv6-prefix-delegation.txt + :var0: {{ var0 }} + :var1: {{ var1 }} diff --git a/docs/_include/interface-common.txt b/docs/_include/interface-common.txt index 68c9c448..79269fe3 100644 --- a/docs/_include/interface-common.txt +++ b/docs/_include/interface-common.txt @@ -22,15 +22,14 @@ :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: /_include/interface-ipv6-addr-autoconf.txt +.. cmdinclude:: ../_include/interface-ip.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: /_include/interface-ipv6-addr-eui64.txt +.. cmdinclude:: ../_include/interface-ipv6.txt :var0: {{ var0 }} :var1: {{ var1 }} .. cmdinclude:: /_include/interface-vrf.txt :var0: {{ var0 }} :var1: {{ var1 }} - diff --git a/docs/_include/interface-dhcpv6-options.txt b/docs/_include/interface-dhcpv6-options.txt index a47d9f32..e7eaffb1 100644 --- a/docs/_include/interface-dhcpv6-options.txt +++ b/docs/_include/interface-dhcpv6-options.txt @@ -29,14 +29,3 @@ .. code-block:: none set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} dhcpv6-options temporary - -.. cmdinclude:: /_include/interface-dhcpv6-prefix-delegation.txt - :var0: {{ var0 }} - :var1: {{ var1 }} - :var2: {{ var2 }} - :var3: {{ var3 }} - :var4: {{ var4 }} - :var5: {{ var5 }} - :var6: {{ var6 }} - :var7: {{ var7 }} - diff --git a/docs/_include/interface-ip.txt b/docs/_include/interface-ip.txt new file mode 100644 index 00000000..89937806 --- /dev/null +++ b/docs/_include/interface-ip.txt 
@@ -0,0 +1,157 @@ +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip arp-cache-timeout + + Once a neighbor has been found, the entry is considered to be valid for at + least for this specifc time. An entry's validity will be extended if it + receives positive feedback from higher level protocols. + + This defaults to 30 seconds. + + Example: + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip arp-cache-timeout 180 + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip disable-arp-filter + + If set the kernel can respond to arp requests with addresses from other + interfaces. This may seem wrong but it usually makes sense, because it + increases the chance of successful communication. IP addresses are owned by + the complete host on Linux, not by particular interfaces. Only for more + complex setups like load-balancing, does this behaviour cause problems. + + If not set (default) allows you to have multiple network interfaces on the + same subnet, and have the ARPs for each interface be answered based on whether + or not the kernel would route a packet from the ARP'd IP out that interface + (therefore you must use source based routing for this to work). + + In other words it allows control of which cards (usually 1) will respond to an + arp request. + + Example: + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip disable-arp-filter + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip disable-forwarding + + Configure interface-specific Host/Router behaviour. If set, the interface will + switch to host mode and IPv6 forwarding will be disabled on this interface. + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip disable-forwarding + +.. 
cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip enable-arp-accept + + Define behavior for gratuitous ARP frames who's IP is not already present in + the ARP table. If configured create new entries in the ARP table. + + Both replies and requests type gratuitous arp will trigger the ARP table to be + updated, if this setting is on. + + If the ARP table already contains the IP address of the gratuitous arp frame, + the arp table will be updated regardless if this setting is on or off. + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-arp-accept + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip enable-arp-announce + + Define different restriction levels for announcing the local source IP address + from IP packets in ARP requests sent on interface. + + Use any local address, configured on any interface if this is not set. + + If configured, try to avoid local addresses that are not in the target's + subnet for this interface. This mode is useful when target hosts reachable via + this interface require the source IP address in ARP requests to be part of + their logical network configured on the receiving interface. When we generate + the request we will check all our subnets that include the target IP and will + preserve the source address if it is from such subnet. If there is no such + subnet we select source address according to the rules for level 2. + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-arp-announce + +.. 
cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip enable-arp-ignore + + Define different modes for sending replies in response to received ARP + requests that resolve local target IP addresses: + + If configured, reply only if the target IP address is local address configured + on the incoming interface. + + If this option is unset (default), reply for any local target IP address, + configured on any interface. + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-arp-ignore + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip enable-proxy-arp + + Use this command to enable proxy Address Resolution Protocol (ARP) on this + interface. Proxy ARP allows an Ethernet interface to respond with its own + :abbr:`MAC (Media Access Control)` address to ARP requests for destination IP + addresses on subnets attached to other interfaces on the system. Subsequent + packets sent to those destination IP addresses are forwarded appropriately by + the system. + + Example: + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-proxy-arp + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip proxy-arp-pvlan + + Private VLAN proxy arp. Basically allow proxy arp replies back to the same + interface (from which the ARP request/solicitation was received). + + This is done to support (ethernet) switch features, like :rfc:`3069`, where + the individual ports are NOT allowed to communicate with each other, but they + are allowed to talk to the upstream router. As described in :rfc:`3069`, it is + possible to allow these hosts to communicate through the upstream router by + proxy_arp'ing. + + .. note:: Don't need to be used together with proxy_arp. 
+ + This technology is known by different names: + + - In :rfc:`3069` it is called VLAN Aggregation + + - Cisco and Allied Telesyn call it Private VLAN + + - Hewlett-Packard call it Source-Port filtering or port-isolation + + - Ericsson call it MAC-Forced Forwarding (RFC Draft) + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip source-validation <strict | loose | disable> + + Enable policy for source validation by reversed path, as specified in + :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict + mode to prevent IP spoofing from DDos attacks. If using asymmetric routing + or other complicated routing, then loose mode is recommended. + + - strict: Each incoming packet is tested against the FIB and if the interface + is not the best reverse path the packet check will fail. By default failed + packets are discarded. + + - loose: Each incoming packet's source address is also tested against the FIB + and if the source address is not reachable via any interface the packet + check will fail. + + - disable: No source validation diff --git a/docs/_include/interface-ipv6-addr-autoconf.txt b/docs/_include/interface-ipv6-addr-autoconf.txt deleted file mode 100644 index fea1125e..00000000 --- a/docs/_include/interface-ipv6-addr-autoconf.txt +++ /dev/null 
@@ -1,19 +0,0 @@ -.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} - {{ var5 }} {{ var6 }} ipv6 address autoconf - - :abbr:`SLAAC (Stateless Address Autoconfiguration)` :rfc:`4862`. IPv6 hosts - can configure themselves automatically when connected to an IPv6 network using - the Neighbor Discovery Protocol via :abbr:`ICMPv6 (Internet Control Message - Protocol version 6)` router discovery messages. When first connected to a - network, a host sends a link-local router solicitation multicast request for - its configuration parameters; routers respond to such a request with a router - advertisement packet that contains Internet Layer configuration parameters. - - .. note:: This method automatically disables IPv6 traffic forwarding on the - interface in question. - - Example: - - .. code-block:: none - - set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 address autoconf diff --git a/docs/_include/interface-ipv6-addr-eui64.txt b/docs/_include/interface-ipv6-addr-eui64.txt deleted file mode 100644 index e6a58372..00000000 --- a/docs/_include/interface-ipv6-addr-eui64.txt +++ /dev/null @@ -1,9 +0,0 @@ -.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} - {{ var5 }} {{ var6 }} ipv6 address eui64 <prefix> - - :abbr:`EUI-64 (64-Bit Extended Unique Identifier)` as specified in - :rfc:`4291` allows a host to assign iteslf a unique 64-Bit IPv6 address. - - .. code-block:: none - - set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 address eui64 2001:db8:beef::/64 diff --git a/docs/_include/interface-ipv6.txt b/docs/_include/interface-ipv6.txt new file mode 100644 index 00000000..e03817cf --- /dev/null +++ b/docs/_include/interface-ipv6.txt 
@@ -0,0 +1,55 @@ +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ipv6 address autoconf + + :abbr:`SLAAC (Stateless Address Autoconfiguration)` :rfc:`4862`. IPv6 hosts + can configure themselves automatically when connected to an IPv6 network using + the Neighbor Discovery Protocol via :abbr:`ICMPv6 (Internet Control Message + Protocol version 6)` router discovery messages. When first connected to a + network, a host sends a link-local router solicitation multicast request for + its configuration parameters; routers respond to such a request with a router + advertisement packet that contains Internet Layer configuration parameters. + + .. note:: This method automatically disables IPv6 traffic forwarding on the + interface in question. + + Example: + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 address autoconf + + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ipv6 address eui64 <prefix> + + :abbr:`EUI-64 (64-Bit Extended Unique Identifier)` as specified in + :rfc:`4291` allows a host to assign iteslf a unique 64-Bit IPv6 address. + + Example: + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 address eui64 2001:db8:beef::/64 + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ipv6 address no-default-link-local + + Do not assign a link-local IPv6 address to this interface. + + Example: + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 address no-default-link-local + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ipv6 disable-forwarding + + Configure interface-specific Host/Router behaviour. 
If set, the interface will + switch to host mode and IPv6 forwarding will be disabled on this interface. + + Example: + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 disable-forwarding diff --git a/docs/_include/interface-vlan-8021ad.txt b/docs/_include/interface-vlan-8021ad.txt index 74bc2080..6a34786f 100644 --- a/docs/_include/interface-vlan-8021ad.txt +++ b/docs/_include/interface-vlan-8021ad.txt @@ -88,7 +88,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: <vlan-id> :var7: 20 -.. cmdinclude:: /_include/interface-ipv6-addr-autoconf.txt +.. cmdinclude:: ../_include/interface-ip.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -98,7 +98,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: <vlan-id> :var7: 20 -.. cmdinclude:: /_include/interface-ipv6-addr-eui64.txt +.. cmdinclude:: ../_include/interface-ipv6.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -140,4 +140,14 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: <vlan-id> :var7: 20 -.. include:: /_include/common-references.txt +.. cmdinclude:: ../_include/interface-dhcpv6-prefix-delegation.txt + :var0: {{ var0 }} + :var1: {{ var1 }} + :var2: vif-s + :var3: <vlan-id> + :var4: 1000 + :var5: vif-c + :var6: <vlan-id> + :var7: 20 + +.. include:: ../common-references.rst diff --git a/docs/_include/interface-vlan-8021q.txt b/docs/_include/interface-vlan-8021q.txt index db22a1ce..e4ed9db0 100644 --- a/docs/_include/interface-vlan-8021q.txt +++ b/docs/_include/interface-vlan-8021q.txt 
@@ -71,14 +71,14 @@ term used for this is ``vif``. :var3: <vlan-id> :var4: 10 -.. cmdinclude:: /_include/interface-ipv6-addr-autoconf.txt +.. cmdinclude:: ../_include/interface-ip.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: <vlan-id> :var4: 10 -.. cmdinclude:: /_include/interface-ipv6-addr-eui64.txt +.. cmdinclude:: ../_include/interface-ipv6.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif @@ -108,4 +108,11 @@ term used for this is ``vif``. :var3: <vlan-id> :var4: 10 -.. include:: /_include/common-references.txt
\ No newline at end of file +.. cmdinclude:: ../_include/interface-dhcpv6-prefix-delegation.txt + :var0: {{ var0 }} + :var1: {{ var1 }} + :var2: vif + :var3: <vlan-id> + :var4: 10 + +.. include:: ../common-references.rst diff --git a/docs/changelog/1.2.6.rst b/docs/changelog/1.2.6.rst new file mode 100644 index 00000000..9c048f58 --- /dev/null +++ b/docs/changelog/1.2.6.rst 
@@ -0,0 +1,106 @@ +1.2.6-S1 +======== + +1.2.6-S1 is a security release release made in September 2020. + +Resolved issues +--------------- + +VyOS 1.2.6 release was found to be suspectible to CVE-2020-10995. It's a low- +impact vulnerability in the PowerDNS recursor that allows an attacker to cause +performance degradation via a specially crafted authoritative DNS server reply. + +* :vytask:`2899` remote syslog server migration error on update + +1.2.6 +===== + +1.2.6 is a maintenance release made in September 2020. + +Resolved issues +--------------- + +* :vytask:`103` DHCP server prepends shared network name to hostnames +* :vytask:`125` Missing PPPoE interfaces in l2tp configuration +* :vytask:`1194` cronjob is being setup even if not saved +* :vytask:`1205` module pcspkr missing +* :vytask:`1219` Redundant active-active configuration, asymmetric routing and + conntrack-sync cache +* :vytask:`1220` Show transceiver information from plugin modules, e.g SFP+, + QSFP +* :vytask:`1221` BGP - Default route injection is not processed by the specific + route-map +* :vytask:`1241` Remove of policy route throws CLI error +* :vytask:`1291` Under certain conditions the VTI will stay forever down +* :vytask:`1463` Missing command `show ip bgp scan` appears in command + completion +* :vytask:`1575` `show snmp mib ifmib` crashes with IndexError +* :vytask:`1699` Default net.ipv6.route.max_size 32768 is too low +* :vytask:`1729` PIM (Protocol Independent Multicast) implementation +* :vytask:`1901` Semicolon in values is interpreted as a part of the shell + command by validators +* :vytask:`1934` Change default hostname when deploy from OVA without params. 
+* :vytask:`1938` syslog doesn't start automatically +* :vytask:`1949` Multihop IPv6 BFD is unconfigurable +* :vytask:`1953` DDNS service name validation rejects valid service names +* :vytask:`1956` PPPoE server: support PADO-delay +* :vytask:`1973` Allow route-map to match on BGP local preference value +* :vytask:`1974` Allow route-map to set administrative distance +* :vytask:`1982` Increase rotation for atop.acct +* :vytask:`1983` Expose route-map when BGP routes are programmed in to FIB +* :vytask:`1985` pppoe: Enable ipv6 modules without configured ipv6 pools +* :vytask:`2000` strongSwan does not install routes to table 220 in certain + cases +* :vytask:`2021` OSPFv3 doesn't support decimal area syntax +* :vytask:`2062` Wrong dhcp-server static route subnet bytes +* :vytask:`2091` swanctl.conf file is not generated properly is more than one + IPsec profile is used +* :vytask:`2131` Improve syslog remote host CLI definition +* :vytask:`2224` Update Linux Kernel to v4.19.114 +* :vytask:`2286` IPoE server vulnerability +* :vytask:`2303` Unable to delete the image version that came from OVA +* :vytask:`2305` Add release name to "show version" command +* :vytask:`2311` Statically configured name servers may not take precedence + over ones from DHCP +* :vytask:`2327` Unable to create syslog server entry with different port +* :vytask:`2332` Backport node option for a syslog server +* :vytask:`2342` Bridge l2tpv3 + ethX errors +* :vytask:`2344` PPPoE server client static IP assignment silently fails +* :vytask:`2385` salt-minion: improve completion helpers +* :vytask:`2389` BGP community-list unknown command +* :vytask:`2398` op-mode "dhcp client leases interface" completion helper + misses interfaces +* :vytask:`2402` Live ISO should warn when configuring that changes won't + persist +* :vytask:`2443` NHRP: Add debugging information to syslog +* :vytask:`2448` `monitor protocol bgp` subcommands fail with 'command + incomplete' +* :vytask:`2458` Update FRR to 7.3.1 
+* :vytask:`2476` Bond member description change leads to network outage +* :vytask:`2478` login radius: use NAS-IP-Address if defined source address +* :vytask:`2482` Update PowerDNS recursor to 4.3.1 for CVE-2020-10995 +* :vytask:`2517` vyos-container: link_filter: No such file or directory +* :vytask:`2526` Wake-On-Lan CLI implementation +* :vytask:`2528` "update dns dynamic" throws FileNotFoundError excepton +* :vytask:`2536` "show log dns forwarding" still refers to dnsmasq +* :vytask:`2538` Update Intel NIC drivers to recent release (preparation for + Kernel >=5.4) +* :vytask:`2545` Show physical device offloading capabilities for specified + ethernet interface +* :vytask:`2563` Wrong interface binding for Dell VEP 1445 +* :vytask:`2605` SNMP service is not disabled by default +* :vytask:`2625` Provide generic Library for package builds +* :vytask:`2686` FRR: BGP: large-community configuration is not applied + properly after upgrading FRR to 7.3.x series +* :vytask:`2701` `vpn ipsec pfs enable` doesn't work with IKE groups +* :vytask:`2728` Protocol option ignored for IPSec peers in transport mode +* :vytask:`2734` WireGuard: fwmark CLI definition is inconsistent +* :vytask:`2757` "show system image version" contains additional new-line + character breaking output +* :vytask:`2797` Update Linux Kernel to v4.19.139 +* :vytask:`2822` Update Linux Kernel to v4.19.141 +* :vytask:`2829` PPPoE server: mppe setting is implemented as node instead of + leafNode +* :vytask:`2831` Update Linux Kernel to v4.19.142 +* :vytask:`2852` rename dynamic dns interface breaks ddclient.cache permissions +* :vytask:`2853` Intel QAT acceleration does not work
\ No newline at end of file diff --git a/docs/changelog/index.rst b/docs/changelog/index.rst index 8d2e8a86..ae964145 100644 --- a/docs/changelog/index.rst +++ b/docs/changelog/index.rst @@ -10,6 +10,7 @@ Changelog :maxdepth: 1 :includehidden: + 1.2.6 1.2.5 1.2.4 1.2.3 diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index decfd348..393c71ed 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -168,10 +168,6 @@ PPPoE options IPv6 ---- -.. cfgcmd:: set interfaces pppoe <interface> ipv6 enable - - Use this command to enable IPv6 support on this PPPoE connection. - .. cfgcmd:: set interfaces pppoe <interface> ipv6 address autoconf Use this command to enable acquisition of IPv6 address using stateless @@ -303,5 +299,4 @@ If you do not know the prefix size delegated to you, start with sla-len 0. set interfaces pppoe pppoe0 dhcpv6-options prefix-delegation interface eth0 sla-id 0 set interfaces pppoe pppoe0 dhcpv6-options prefix-delegation interface eth0 sla-len 8 set interfaces pppoe pppoe0 ipv6 address autoconf - set interfaces pppoe pppoe0 ipv6 enable set interfaces pppoe pppoe0 source-interface eth1 diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index 82f66cf4..fca285eb 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst 
@@ -225,12 +225,14 @@ VHT (Very High Throughput) capabilities (802.11ac) * ``multi-user-beamformer`` - Support for operation as single user beamformer * ``multi-user-beamformee`` - Support for operation as single user beamformer -.. cfgcmd:: set interfaces wireless <interface> capabilities vht center-channel-freq <freq-1 | freq-2> +.. cfgcmd:: set interfaces wireless <interface> capabilities vht center-channel-freq <freq-1 | freq-2> <number> VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes) VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode) + <number> must be from 34 - 173. For 80 MHz channels it should be channel + 6. + .. cfgcmd:: set interfaces wireless <interface> capabilities vht channel-set-width <0 | 1 | 2 | 3> * ``0`` - 20 or 40 MHz channel width (default) diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst index 271b6056..819db4df 100644 --- a/docs/configuration/protocols/index.rst +++ b/docs/configuration/protocols/index.rst @@ -11,6 +11,7 @@ Protocols bgp igmp igmp-proxy + is-is mpls ospf ospfv3 diff --git a/docs/configuration/protocols/isis.rst b/docs/configuration/protocols/isis.rst new file mode 100644 index 00000000..807dca83 --- /dev/null +++ b/docs/configuration/protocols/isis.rst 
@@ -0,0 +1,74 @@ +.. include:: ../_include/need_improvement.txt + +.. _isis: + +##### +IS-IS +##### + +:abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway routing protocol. +Like OSPF, IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s +topology and, from that database, to determine the best (that is, shortest) path to a destination. +The routers exchange topology information with their nearest neighbors. +IS-IS runs directly on the data link layer (Layer 2). +IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long. + +For example :abbr:`NET (Network Entity Title)` + +.. code-block:: none + + 49.0001.1921.6800.1002.00 + +The IS-IS address consists of three parts: + + :abbr:`AFI (Address family authority identifier)` + ``49`` The AFI value 49 is what IS-IS uses for private addressing. + + Area identifier: + ``0001`` IS-IS area number (Area1) + + System identifier: + ``1921.6800.1002`` For system idetifier we recommend to use IP address or MAC address of the router. + + NET selector: + ``00`` Must always be 00, to indicate "this system". + +Simple IS-IS configuration using 2 nodes and redistributing connected interfaces. + +**Node 1:** + +.. code-block:: none + + set interfaces dummy dum0 address '203.0.113.1/24' + set interfaces ethernet eth1 address '192.0.2.1/24' + + set policy prefix-list EXPORT-ISIS rule 10 action 'permit' + set policy prefix-list EXPORT-ISIS rule 10 prefix '203.0.113.0/24' + set policy route-map EXPORT-ISIS rule 10 action 'permit' + set policy route-map EXPORT-ISIS rule 10 match ip address prefix-list 'EXPORT-ISIS' + + set protocols isis FOO interface eth1 + set protocols isis FOO net '49.0001.1921.6800.1002.00' + set protocols isis FOO redistribute ipv4 connected level-2 route-map 'EXPORT-ISIS' + +**Node 2:** + +.. 
code-block:: none + + set interfaces ethernet eth1 address '192.0.2.2/24' + + set protocols isis FOO interface eth1 + set protocols isis FOO net '49.0001.1921.6800.2002.00' + +Show ip routes on Node2: + +.. code-block:: none + + vyos@r2:~$ show ip route isis + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, + F - PBR, f - OpenFabric, + > - selected route, * - FIB route, q - queued route, r - rejected route + + I 203.0.113.0/24 [115/10] via 192.0.2.1, eth1, 00:03:42 diff --git a/docs/configuration/protocols/mpls.rst b/docs/configuration/protocols/mpls.rst index 82e99a17..4451c5c3 100644 --- a/docs/configuration/protocols/mpls.rst +++ b/docs/configuration/protocols/mpls.rst @@ -58,6 +58,11 @@ It is highly recommended to use the same address for both the LDP router-id and the discovery transport address, but for VyOS MPLS LDP to work both parameters must be explicitly set in the configuration. +Another thing to keep in mind with LDP is that much like BGP, it is a protocol that +runs on top of TCP. It however does not have an ability to do something like a +refresh capability like BGPs route refresh capability. Therefore one might have +to reset the neighbor for a capability change or a configuration change to work. + Configuration Options ===================== 
@@ -76,16 +81,29 @@ Configuration Options Use this command to set the IPv4 or IPv6 transport-address used by LDP. -.. cfgcmd:: set protocols mpls ldp neighbor <IPv4 address> password <password> +.. cfgcmd:: set protocols mpls ldp neighbor <address> password <password> Use this command to configure authentication for LDP peers. Set the IP address of the LDP peer and a password that should be shared in - order to become neighbors. - -.. cfgcmd:: set protocols mpls ldp discovery hello-interval <seconds> -.. cfgcmd:: set protocols mpls ldp discovery hello-holdtime <seconds> - - Use this command if you would like to set the discovery hello and hold time + order to become neighbors. + +.. cfgcmd:: set protocols mpls ldp neighbor <address> session-holdtime <seconds> + + Use this command to configure a specific session hold time for LDP peers. + Set the IP address of the LDP peer and a session hold time that should be + configured for it. You may have to reset the neighbor for this to work. + +.. cfgcmd:: set protocols mpls ldp neighbor <address> ttl-security <disable | hop count> + + Use this command to enable, disable, or specify hop count for TTL security + for LDP peers. By default the value is set to 255 (or max TTL). + +.. cfgcmd:: set protocols mpls ldp discovery hello-ipv4-interval <seconds> +.. cfgcmd:: set protocols mpls ldp discovery hello-ipv4-holdtime <seconds> +.. cfgcmd:: set protocols mpls ldp discovery hello-ipv6-interval <seconds> +.. cfgcmd:: set protocols mpls ldp discovery hello-ipv6-holdtime <seconds> + + Use these commands if you would like to set the discovery hello and hold time parameters. .. cfgcmd:: set protocols mpls ldp discovery session-ipv4-holdtime <seconds> 
@@ -98,6 +116,44 @@ Configuration Options Use this command if you would like for the router to advertise FECs with a label of 0 for explicit null operations. + +.. cfgcmd:: set protocols mpls ldp allocation ipv4 access-list <access list number> +.. cfgcmd:: set protocols mpls ldp allocation ipv6 access-list6 <access list number> + + Use this command if you would like to control the local FEC allocations for LDP. A + good example would be for your local router to not allocate a label for everything. + Just a label for what it's useful. A good example would be just a loopback label. + +.. cfgcmd:: set protocols mpls ldp parameters cisco-interop-tlv + + Use this command to use a Cisco non-compliant format to send and interpret the + Dual-Stack capability TLV for IPv6 LDP communications. This is related to :rfc:`7552`. + +.. cfgcmd:: set protocols mpls ldp parameters transport-prefer-ipv4 + + Use this command to prefer IPv4 for TCP peer transport connection for LDP when + both an IPv4 and IPv6 LDP address are configured on the same interface. + +.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv4 enable +.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv6 enable + + Use this command to enable targeted LDP sessions to the local router. The router + will then respond to any sessions that are trying to connect to it that are not + a link local type of TCP connection. + +.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv4 address <address> +.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv6 address <address> + + Use this command to enable the local router to try and connect with a targeted + LDP session to another router. + +.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv4 hello-holdtime <seconds> +.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv4 hello-interval <seconds> +.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv6 hello-holdtime <seconds> +.. 
cfgcmd:: set protocols mpls ldp targeted-neighbor ipv6 hello-interval <seconds> + + Use these commands if you would like to set the discovery hello and hold time + parameters for the targeted LDP neighbors. Sample configuration to setup LDP on VyOS diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 56316793..6cb0bc83 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -1,15 +1,16 @@ .. _dhcp: -############# -DHCP / DHCPv6 -############# - -VyOS uses ISC DHCPd for both IPv4 and IPv6 address assignment. - .. _dhcp-server: +########### DHCP Server -=========== +########### + +VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment. + +*********** +IPv4 server +*********** The network topology is declared by shared-network-name and the subnet declarations. The DHCP service can serve multiple shared networks, with each @@ -20,7 +21,7 @@ mappings can be set to assign "static" addresses to clients based on their MAC address. Configuration -------------- +============= .. cfgcmd:: set service dhcp-server shared-network-name <name> authoritative @@ -77,9 +78,8 @@ Configuration request where no full FQDN is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119). - Failover -^^^^^^^^ +-------- VyOS provides support for DHCP failover. DHCP failover must be configured explicitly by the following statements. @@ -115,9 +115,8 @@ explicitly by the following statements. that the failover partnership is immune to disruption (accidental or otherwise) via third parties. - Static mappings -^^^^^^^^^^^^^^^ +--------------- You can specify a static DHCP assignment on a per host basis. You will need the MAC address of the station and your desired IP address. The address must be 
@@ -140,9 +139,8 @@ inside the subnet definition but can be outside of the range statement. .. hint:: This is the equivalent of the host block in dhcpd.conf of isc-dhcpd. - Options -^^^^^^^ +======= .. list-table:: :header-rows: 1 @@ -272,9 +270,8 @@ Options Multi: can be specified multiple times. - Raw Parameters -^^^^^^^^^^^^^^ +============== Raw parameters can be passed to shared-network-name, subnet and static-mapping: @@ -299,44 +296,15 @@ Quotes can be used inside parameter values by replacing all quote characters with the string ``"``. They will be replaced with literal quote characters when generating dhcpd.conf. - Example -^^^^^^^ - -Quick-Start -""""""""""" - -* We are offering address space in the `192.0.2.0/24` network. -* We are using the network name `mypool`. - -.. code-block:: none - - set service dhcp-server shared-network-name mypool authoritative - set service dhcp-server shared-network-name mypool subnet 192.0.2.0/24 default-router 192.0.2.1 - set service dhcp-server shared-network-name mypool subnet 192.0.2.0/24 dns-server 192.0.2.1 - set service dhcp-server shared-network-name mypool subnet 192.0.2.0/24 lease 86400 - set service dhcp-server shared-network-name mypool subnet 192.0.2.0/24 range 0 start 192.0.2.100 - set service dhcp-server shared-network-name mypool subnet 192.0.2.0/24 range 0 stop 192.0.2.199 - -The generated config will look like: - -.. code-block:: none - - vyos@vyos# show service dhcp-server shared-network-name mypool - authoritative - subnet 192.0.2.0/24 { - default-router 192.0.2.1 - dns-server 192.0.2.1 - lease 86400 - range 0 { - start 192.0.2.100 - stop 192.0.2.199 - } - } +======= +Please see the :ref:`dhcp-dns-quick-start` configuration. Failover -"""""""" +-------- + +Configuration of a DHCP failover pair * Setup DHCP failover for network 192.0.2.0/24 * Default gateway and DNS server is at `192.0.2.254` 
@@ -344,37 +312,38 @@ Failover * The secondary DHCP server uses address `192.168.189.253` * DHCP range spans from `192.168.189.10` - `192.168.189.250` -**Primary** +Common configuration, valid for both primary and secondary node. .. code-block:: none set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 dns-server '192.0.2.254' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' + + +**Primary** + +.. code-block:: none + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover local-address '192.168.189.252' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover name 'NET-VYOS' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover peer-address '192.168.189.253' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover status 'primary' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.168.189.10' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.168.189.250' **Secondary** .. 
code-block:: none - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 dns-server '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover local-address '192.168.189.253' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover name 'NET-VYOS' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover peer-address '192.168.189.252' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover status 'primary' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.168.189.10' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.168.189.250' Raw Parameters -"""""""""""""" +-------------- * Override static-mapping's dns-server with a custom one that will be sent only to this host. @@ -390,9 +359,8 @@ Raw Parameters set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";" - Operation Mode --------------- +============== .. opcmd:: restart dhcp server @@ -442,14 +410,15 @@ Operation Mode Show only leases with the specified state. Possible states: all, active, free, expired, released, abandoned, reset, backup (default = active) -DHCPv6 Server -============= +*********** +IPv6 server +*********** VyOS also provides DHCPv6 server functionality which is described in this section. -Configuration Options ---------------------- +Configuration +============= .. cfgcmd:: set service dhcpv6-server preference <preference value> 
@@ -490,7 +459,7 @@ Configuration Options A SNTP server address can be specified for DHCPv6 clients. Prefix Delegation -^^^^^^^^^^^^^^^^^ +----------------- To hand out individual prefixes to your clients the following configuration is used: @@ -541,7 +510,7 @@ The configuration will look as follows: } Static mappings -^^^^^^^^^^^^^^^ +--------------- In order to map specific IPv6 addresses to specific hosts static mappings can be created. The following example explains the process. @@ -583,7 +552,7 @@ The configuration will look as follows: } Operation Mode --------------- +============== .. opcmd:: restart dhcpv6 server @@ -622,8 +591,9 @@ Operation Mode Show only leases with the specified state. Possible states: abandoned, active, all, backup, expired, free, released, reset (default = active) +########## DHCP Relay -========== +########## If you want your router to forward DHCP requests to an external DHCP server you can configure the system to act as a DHCP relay agent. The DHCP relay @@ -631,8 +601,12 @@ agent works with IPv4 and IPv6 addresses. All interfaces used for the DHCP relay must be configured. +********** +IPv4 relay +********** + Configuration -------------- +============= .. cfgcmd:: set service dhcp-relay interface <interface> @@ -648,30 +622,6 @@ Configuration The router should discard DHCP packages already containing relay agent information to ensure that only requests from DHCP clients are forwarded. -Example -------- - -* Listen for DHCP requests on interface ``eth1``. -* DHCP server is located at IPv4 address 10.0.1.4. -* Router receives DHCP client requests on ``eth1`` and relays them to the server at 10.0.1.4. - -.. figure:: /_static/images/service_dhcp-relay01.png - :scale: 80 % - :alt: DHCP relay example - - DHCP relay example - -The generated configuration will look like: - -.. code-block:: none - - show service dhcp-relay - interface eth1 - server 10.0.1.4 - relay-options { - relay-agents-packets discard - } - Options ------- 
@@ -703,18 +653,43 @@ Options * **replace:** Relay information already present in a packet is stripped and replaced with the router's own relay information set. +Example +======= + +* Listen for DHCP requests on interface ``eth1``. +* DHCP server is located at IPv4 address 10.0.1.4. +* Router receives DHCP client requests on ``eth1`` and relays them to the server at 10.0.1.4. + +.. figure:: /_static/images/service_dhcp-relay01.png + :scale: 80 % + :alt: DHCP relay example + + DHCP relay example + +The generated configuration will look like: + +.. code-block:: none + + show service dhcp-relay + interface eth1 + server 10.0.1.4 + relay-options { + relay-agents-packets discard + } + Operation ---------- +========= .. opcmd:: restart dhcp relay-agent Restart DHCP relay service -DHCPv6 relay -============ +********** +IPv6 relay +********** Configuration -------------- +============= .. cfgcmd:: set service dhcpv6-relay listen-interface <interface> @@ -727,8 +702,20 @@ Configuration Specifies an upstream network `<interface>` from which replies from `<server>` and other relay agents will be accepted. +Options +------- + +.. cfgcmd:: set service dhcpv6-relay max-hop-count 'count' + + Set maximum hop count before packets are discarded, default: 10 + +.. cfgcmd:: set service dhcpv6-relay use-interface-id-option + + If this is set the relay agent will insert the interface ID. This option is + set automatically if more than one listening interfaces are in use. + Example -^^^^^^^ +======= * DHCPv6 requests are received by the router on `listening interface` ``eth1`` * Requests are forwarded through ``eth2`` as the `upstream interface` 
@@ -752,24 +739,8 @@ The generated configuration will look like: address 2001:db8::4 } -Options -------- - -.. cfgcmd:: set service dhcpv6-relay max-hop-count 'count' - - Set maximum hop count before packets are discarded, default: 10 - -.. cfgcmd:: set service dhcpv6-relay use-interface-id-option - - If this is set the relay agent will insert the interface ID. This option is - set automatically if more than one listening interfaces are in use. - Operation ---------- - -.. opcmd:: show dhcpv6 relay-agent status - - Show the current status of the DHCPv6 relay agent: +========= .. opcmd:: restart dhcpv6 relay-agent diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index 28d1f097..224ff0d8 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -39,7 +39,7 @@ First steps Use this command to define the interface the PPPoE server will use to listen for PPPoE clients. -.. cfgcmd:: set service pppoe-server local-ip <address> +.. cfgcmd:: set service pppoe-server gateway-address <address> Use this command to configure the local gateway IP address. @@ -57,7 +57,7 @@ To automatically assign the client an IP address as tunnel endpoint, a client IP pool is needed. The source can be either RADIUS or a local subnet or IP range definition. -Once the local tunnel endpoint ``set service pppoe-server local-ip +Once the local tunnel endpoint ``set service pppoe-server gateway-address '10.1.1.2'`` has been defined, the client IP pool can be either defined as a range or as subnet using CIDR notation. If the CIDR notation is used, multiple subnets can be setup which are used sequentially. 
@@ -116,7 +116,7 @@ and then configure it. set service pppoe-server authentication mode 'radius' set service pppoe-server authentication radius server 10.1.100.1 key 'secret' set service pppoe-server interface 'eth1' - set service pppoe-server local-ip '10.1.1.2' + set service pppoe-server gateway-address '10.1.1.2' RADIUS provides the IP addresses in the example above via Framed-IP-Address. @@ -210,7 +210,7 @@ For Local Users set service pppoe-server name-server '10.100.100.1' set service pppoe-server name-server '10.100.200.1' set service pppoe-server interface 'eth1' - set service pppoe-server local-ip '10.1.1.2' + set service pppoe-server gateway-address '10.1.1.2' Once the user is connected, the user session is using the set limits and @@ -359,7 +359,7 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint set service pppoe-server client-ip-pool start '10.1.1.100' set service pppoe-server client-ip-pool stop '10.1.1.111' set service pppoe-server interface eth1 - set service pppoe-server local-ip '10.1.1.2' + set service pppoe-server gateway-address '10.1.1.2' set service pppoe-server name-server '10.100.100.1' set service pppoe-server name-server '10.100.200.1' @@ -381,7 +381,7 @@ The example below covers a dual-stack configuration via pppoe-server. set service pppoe-server name-server '8.8.8.8' set service pppoe-server name-server '2001:4860:4860::8888' set service pppoe-server interface 'eth2' - set service pppoe-server local-ip '10.100.100.1' + set service pppoe-server gateway-address '10.100.100.1' The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address to terminate the pppoe endpoint on the client side and diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index 6da8560f..0153d918 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst 
@@ -27,80 +27,82 @@ rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet. +.. note:: VyOS 1.1 supported login as user ``root``. This has been removed due + to tighter security in VyOS 1.2. + +.. seealso:: SSH :ref:`ssh_key_based_authentication` + Configuration ============= .. cfgcmd:: set service ssh port <port> -Enabling SSH only requires you to specify the port ``<port>`` you want SSH to -listen on. By default, SSH runs on port 22. + Enabling SSH only requires you to specify the port ``<port>`` you want SSH to + listen on. By default, SSH runs on port 22. .. cfgcmd:: set service ssh listen-address <address> -Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be -defined. + Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be + defined. .. cfgcmd:: set service ssh ciphers <cipher> -Define allowed ciphers used for the SSH connection. A number of allowed ciphers -can be specified, use multiple occurrences to allow multiple ciphers. You can -choose from the following ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``, -``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``, ``arcfour128``, -``arcfour256``, ``arcfour``, ``blowfish-cbc``, ``cast128-cbc`` + Define allowed ciphers used for the SSH connection. A number of allowed ciphers + can be specified, use multiple occurrences to allow multiple ciphers. + + List of supported ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``, + ``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``, ``arcfour128``, + ``arcfour256``, ``arcfour``, ``blowfish-cbc``, ``cast128-cbc`` .. cfgcmd:: set service ssh disable-password-authentication -Disable password based authentication. Login via SSH keys only. This hardens -security! + Disable password based authentication. Login via SSH keys only. 
This hardens + security! .. cfgcmd:: set service ssh disable-host-validation -Disable the host validation through reverse DNS lookups - can speedup login -time when reverse lookup is not possible. + Disable the host validation through reverse DNS lookups - can speedup login + time when reverse lookup is not possible. .. cfgcmd:: set service ssh macs <mac> -Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms. -The MAC algorithm is used in protocol version 2 for data integrity protection. -Multiple algorithms can be provided. Supported MACs: ``hmac-md5``, -``hmac-md5-96``, ``hmac-ripemd160``, ``hmac-sha1``, ``hmac-sha1-96``, -``hmac-sha2-256``, ``hmac-sha2-512``, ``umac-64@openssh.com``, -``umac-128@openssh.com``, ``hmac-md5-etm@openssh.com``, -``hmac-md5-96-etm@openssh.com``, ``hmac-ripemd160-etm@openssh.com``, -``hmac-sha1-etm@openssh.com``, ``hmac-sha1-96-etm@openssh.com``, -``hmac-sha2-256-etm@openssh.com``, ``hmac-sha2-512-etm@openssh.com``, -``umac-64-etm@openssh.com``, ``umac-128-etm@openssh.com`` + Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms. + The MAC algorithm is used in protocol version 2 for data integrity protection. + Multiple algorithms can be provided. -.. note:: VyOS 1.1 supported login as user ``root``. This has been removed due - to tighter security in VyOS 1.2. + List of supported MACs: ``hmac-md5``, ``hmac-md5-96``, ``hmac-ripemd160``, + ``hmac-sha1``, ``hmac-sha1-96``, ``hmac-sha2-256``, ``hmac-sha2-512``, + ``umac-64@openssh.com``, ``umac-128@openssh.com``, ``hmac-md5-etm@openssh.com``, + ``hmac-md5-96-etm@openssh.com``, ``hmac-ripemd160-etm@openssh.com``, + ``hmac-sha1-etm@openssh.com``, ``hmac-sha1-96-etm@openssh.com``, + ``hmac-sha2-256-etm@openssh.com``, ``hmac-sha2-512-etm@openssh.com``, + ``umac-64-etm@openssh.com``, ``umac-128-etm@openssh.com`` .. 
cfgcmd:: set service ssh access-control <allow | deny> <group | user> <name> -Add access-control directive to allow or deny users and groups. Directives are -processed in the following order of precedence: ``deny-users``, ``allow-users``, -``deny-groups`` and ``allow-groups``. + Add access-control directive to allow or deny users and groups. Directives + are processed in the following order of precedence: ``deny-users``, + ``allow-users``, ``deny-groups`` and ``allow-groups``. .. cfgcmd:: set service ssh client-keepalive-interval <interval> -Specify timeout interval for keepalive message in seconds. + Specify timeout interval for keepalive message in seconds. .. cfgcmd:: set service ssh key-exchange <kex> -Specify allowed :abbr:`KEX (Key Exchange)` algorithms. -Supported algorithms: ``diffie-hellman-group1-sha1``, -``diffie-hellman-group14-sha1``, ``diffie-hellman-group14-sha256``, -``diffie-hellman-group16-sha512``, ``diffie-hellman-group18-sha512``, -``diffie-hellman-group-exchange-sha1``, -``diffie-hellman-group-exchange-sha256``, ``ecdh-sha2-nistp256``, -``ecdh-sha2-nistp384``, ``ecdh-sha2-nistp521``, ``curve25519-sha256`` and -``curve25519-sha256@libssh.org``. + Specify allowed :abbr:`KEX (Key Exchange)` algorithms. + + List of supported algorithms: ``diffie-hellman-group1-sha1``, + ``diffie-hellman-group14-sha1``, ``diffie-hellman-group14-sha256``, + ``diffie-hellman-group16-sha512``, ``diffie-hellman-group18-sha512``, + ``diffie-hellman-group-exchange-sha1``, ``diffie-hellman-group-exchange-sha256``, + ``ecdh-sha2-nistp256``, ``ecdh-sha2-nistp384``, ``ecdh-sha2-nistp521``, + ``curve25519-sha256`` and ``curve25519-sha256@libssh.org``. .. cfgcmd:: set service ssh loglevel <quiet | fatal | error | info | verbose> -Set the ``sshd`` log level. The default is ``info``. + Set the ``sshd`` log level. The default is ``info``. .. cfgcmd:: set service ssh vrf <name> -Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. - -.. 
seealso:: SSH :ref:`ssh_key_based_authentication` + Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. diff --git a/docs/configuration/system/ntp.rst b/docs/configuration/system/ntp.rst index 5fd1837f..223447f5 100644 --- a/docs/configuration/system/ntp.rst +++ b/docs/configuration/system/ntp.rst @@ -40,17 +40,38 @@ Configuration There are 3 default NTP server set. You are able to change them. - * 0.pool.ntp.org - * 1.pool.ntp.org - * 2.pool.ntp.org + * ``0.pool.ntp.org`` + * ``1.pool.ntp.org`` + * ``2.pool.ntp.org`` + +.. cfgcmd:: set system ntp server <address> <noselect | pool | preempt | prefer> + + Configure one or more attributes to the given NTP server. + + * ``noselect`` marks the server as unused, except for display purposes. The + server is discarded by the selection algorithm. + + * ``pool`` mobilizes persistent client mode association with a number of + remote servers. + + * ``preempt`` a preemptable association is expendable. + + * ``prefer`` marks the server as preferred. All other things being equal, + this host will be chosen for synchronization among a set of correctly + operating hosts. .. cfgcmd:: set system ntp listen-address <address> - Setup VyOS as an NTP responder, you must specify the `<address>` and - optionally the permitted clients. Multiple listen addresses can be - configured. + NTP process will only listen on the specified IP address. You must specify + the `<address>` and optionally the permitted clients. Multiple listen + addresses can be configured. .. cfgcmd:: set system ntp allow-clients address <address> List of networks or client addresses permitted to contact this NTP server. + Multiple networks can be configured. + +.. cfgcmd:: set system ntp vrf <name> + + Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index d6706421..62c0f002 100644 --- a/docs/configuration/vpn/dmvpn.rst 
+++ b/docs/configuration/vpn/dmvpn.rst @@ -199,7 +199,7 @@ Hub set vpn ipsec esp-group ESP-HUB compression 'disable' set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'tunnel' + set vpn ipsec esp-group ESP-HUB mode 'transport' set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' @@ -307,7 +307,7 @@ VyOS can also run in DMVPN spoke mode. set vpn ipsec esp-group ESP-HUB compression 'disable' set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'tunnel' + set vpn ipsec esp-group ESP-HUB mode 'transport' set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' diff --git a/docs/contributing/build-vyos.rst b/docs/contributing/build-vyos.rst index 627d79d0..2fe2d3c0 100644 --- a/docs/contributing/build-vyos.rst +++ b/docs/contributing/build-vyos.rst 
@@ -429,6 +429,28 @@ In the end you will be presented with the Kernel binary packages which you can then use in your custom ISO build process, by placing all the `*.deb` files in the vyos-build/packages folder where they will be used automatically when building VyOS as documented above. +Firmware +^^^^^^^^ + +If you upgrade your kernel or include new drivers you may need new firmware. +Build a new ``vyos-linux-firmware`` package with the included helper scripts. + +.. code-block:: none + + $ cd vyos-build/packages/linux-kernel + $ git clone https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git + $ ./build-linux-firmware.sh + $ cp vyos-linux-firmware_*.deb ../ + +This tries to automatically detect which blobs are needed based on which drivers +were built. If it fails to find the correct files you can add them manually to +``vyos-build/packages/linux-kernel/build-linux-firmware.sh``: + +.. code-block:: bash + + ADD_FW_FILES="iwlwifi* ath11k/QCA6390/*/*.bin" + + Building Out-Of-Tree Modules ---------------------------- diff --git a/docs/contributing/debugging.rst b/docs/contributing/debugging.rst index 644545bf..a4c73d15 100644 --- a/docs/contributing/debugging.rst +++ b/docs/contributing/debugging.rst @@ -51,7 +51,7 @@ interface debugging. It is also possible to set up the debugging using environment variables. In that case, the name will be (in uppercase) VYOS_FEATURE_DEBUG. -For example running, ``export VYOS_IFCONFIG_DEBUG=""`` on your vash, +For example running, ``export VYOS_IFCONFIG_DEBUG=""`` on your vbash, will have the same effect as ``touch /tmp/vyos.ifconfig.debug``. * ``ifconfig`` - Once set, all commands used, and their responses received 
@@ -71,6 +71,11 @@ will have the same effect as ``touch /tmp/vyos.ifconfig.debug``. including during boot. This option sends all commands used by VyOS to a file. The default file is ``/tmp/full-log`` but it can be changed. +.. note:: In order to retrieve the debug output on the command-line you need to + disable ``vyos-configd`` in addition. This can be run either one-time by calling + ``sudo systemctl stop vyos-configd`` or make this reboot-safe by calling + ``sudo systemctl disable vyos-configd``. + Config Migration Scripts ------------------------ diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 550bfd77..c70d4cc5 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -70,8 +70,10 @@ on specific addresses only. set service ssh port '22' -Configure DHCP/DNS Servers -########################## +.. _dhcp-dns-quick-start: + +DHCP/DNS quick-start +#################### The following settings will configure DHCP and DNS services on your internal/LAN network, where VyOS will act as the default gateway and DNS server. @@ -81,7 +83,7 @@ where VyOS will act as the default gateway and DNS server. * DHCP clients will be assigned IP addresses within the range of `192.168.0.9 - 192.168.0.254` and have a domain name of `internal-network` * DHCP leases will hold for one day (86400 seconds) -* VyOS will serve as a full DNS recursor, replacing the need to utilize Google, +* VyOS will serve as a full DNS recursor, replacing the need to utilize Google, Cloudflare, or other public DNS servers (which is good for privacy) * Only hosts from your internal/LAN network can use the DNS recursor 
@@ -89,7 +91,7 @@ where VyOS will act as the default gateway and DNS server. set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1' - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'vyos.net' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start 192.168.0.9 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254' @@ -214,5 +216,5 @@ As above, commit your changes, save the configuration, and exit configuration mo Done vyos@vyos# exit vyos@vyos$ - + You now should have a simple yet secure and functioning router to experiment with further. Enjoy! |
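Review bot: In the mpls.rst hunk at @@ -98,6 +116,44, the text under `set protocols mpls ldp allocation ...` repeats "A good example" twice and the middle sentence ("Just a label for what it's useful.") is not grammatical; suggest one sentence such as "Use this command to restrict which local FECs receive an LDP label, for example only the loopback prefix, instead of allocating a label for every route." The placeholder `<access list number>` should also follow the angle-bracket naming used by the other cfgcmd entries in this file (`<address>`, `<seconds>`), e.g. `<access-list>`, so readers can tell whether a name or a number is expected.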
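Review bot: In the dhcp-server.rst failover hunk at @@ -344,37 +312,38, the bullet list above the example still says "DHCP range spans from `192.168.189.10` - `192.168.189.250`" while the new common block configures `range 0 start '192.0.2.10'` and `range 0 stop '192.0.2.250'`; update the bullet to the new range. While this example is being reworked, the **Secondary** block still sets `failover status 'primary'` (unchanged context line), so both nodes would be documented as primary; the secondary node should carry `failover status 'secondary'`. The two consecutive `+` blank lines after the common block can be collapsed to one.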
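Review bot: In the dhcp-server.rst hunk at @@ -727,8 +702,20 the new cfgcmd `set service dhcpv6-relay max-hop-count 'count'` uses quotes for the placeholder where every other cfgcmd in this file uses angle brackets (`<interface>`, `<address>`); change it to `<count>` so the generated command index is consistent. Minor grammar in the same hunk: "if more than one listening interfaces are in use" should read "if more than one listening interface is in use".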
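Review bot: The dhcp-server.rst hunk at @@ -752,24 +739,8 drops the `show dhcpv6 relay-agent status` opcmd entirely while only moving the Options block; if that operational command was removed from the CLI the commit message should say so, otherwise it should be kept under the (now empty apart from restart) Operation section so the relay status check is still documented.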
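Review bot: The pppoe-server.rst hunks rename `set service pppoe-server local-ip` to `set service pppoe-server gateway-address` in the cfgcmd entry and all five examples, but the page gives no hint that the node was renamed; a one-line note in the style already used in ssh.rst ("VyOS 1.1 supported ... This has been removed ...") telling users of earlier releases that `local-ip` is now `gateway-address` would save them a search when their existing configuration no longer loads.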
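Review bot: In the ssh.rst hunk at @@ -27,80 +27,82 the cipher, MAC and KEX lists are now correctly labelled "List of supported ...", but nothing tells the reader which entries are legacy. Since `arcfour*`, `3des-cbc`, `blowfish-cbc`, `cast128-cbc`, `hmac-md5*`, the `-96` truncated MACs and `diffie-hellman-group1-sha1` are all deprecated in OpenSSH and only useful for talking to very old clients, add a sentence after each list recommending the `aes*-ctr`, `hmac-sha2-*`/`umac-*-etm@openssh.com` and `curve25519-sha256` entries and explaining that restricting these lists is the point of the option. Two wording nits in the same hunk: "can speedup login time" should be "can speed up login time", and "This hardens security!" reads better as a plain statement such as "This is the recommended setting for any management interface reachable from untrusted networks."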
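Review bot: In the ntp.rst hunk at @@ -40,17 +40,38 the bullet "``preempt`` a preemptable association is expendable." is not a sentence and does not say what happens to such an association; reword along the lines of "``preempt`` marks the association as preemptable: ntpd may demobilise it in favour of a better server when it has more associations than it needs." In the same hunk the listen-address text says "NTP process will only listen on the specified IP address" and two lines later "Multiple listen addresses can be configured"; use "The NTP process will only listen on the specified IP address(es)" so the two sentences agree.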
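Review bot: The dmvpn.rst hunks at @@ -199,7 and @@ -307,7 silently flip `set vpn ipsec esp-group ESP-HUB mode` from `'tunnel'` to `'transport'` in both the hub and the spoke example. Transport mode is the expected choice for IPsec protecting a GRE/NHRP tunnel, but a behavioural change in a worked example should be explained in the commit message or the surrounding prose, otherwise readers with a working tunnel-mode setup will not know why the page changed. Also worth noting while here: the spoke section (context "VyOS can also run in DMVPN spoke mode.") still names its ESP group `ESP-HUB`, which is confusing on a spoke; and the unchanged `pfs 'dh-group2'` / `hash 'sha1'` lines document weak parameters that a hardening note could call out.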
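Review bot: In the build-vyos.rst Firmware hunk at @@ -429,6 +429,28, the second code block is tagged `bash` while every other block in this file and in the rest of the hunk uses `none`; keep to the file's convention. The `git clone https://git.kernel.org/.../linux-firmware.git` step pulls the full linux-firmware history, which is several gigabytes; `git clone --depth 1` would suffice for the build script. The `ADD_FW_FILES="iwlwifi* ath11k/QCA6390/*/*.bin"` example should also state that the patterns are resolved relative to the linux-firmware checkout, as the text does not say where they are looked up.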
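Review bot: The new note in the debugging.rst hunk at @@ -71,6 +71,11 says a reboot-safe alternative to `sudo systemctl stop vyos-configd` is `sudo systemctl disable vyos-configd`, but `systemctl disable` only removes the unit from the boot targets and leaves the already running instance up, so on its own it does not make the debug output appear. Recommend `sudo systemctl disable --now vyos-configd` (or stop followed by disable). The sentence "This can be run either one-time by calling ... or make this reboot-safe by calling ..." should also be reworded to parallel clauses, e.g. "either once with ... or persistently with ...".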
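Review bot: In the quick-start.rst hunk at @@ -89,7 +91,7 the DHCP `domain-name` is changed from `'internal-network'` to `'vyos.net'`, but the bullet in the previous hunk (@@ -81,7 +83,7) still promises clients "a domain name of `internal-network`"; update the bullet or revert the command so the page agrees with itself. Separately, `vyos.net` is the project's real public domain, so handing it out as the DHCP domain/search name on a LAN makes internal hosts shadow real `vyos.net` names; an RFC 2606 reserved name such as `example.com` or the RFC 8375 `home.arpa` zone avoids that collision. The same choice of `domain-name 'vyos.net'` appears in the dhcp-server.rst failover example, so both should be changed together.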