summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/_ext/vyos.py26
m---------docs/_include/vyos-1x0
-rw-r--r--docs/_static/images/vrf-example-topology-01.pngbin0 -> 32567 bytes
-rw-r--r--docs/_static/images/wireguard_site2site_diagram.jpgbin0 -> 21630 bytes
-rw-r--r--docs/automation/cloud-init.rst28
-rw-r--r--docs/automation/command-scripting.rst69
-rw-r--r--docs/automation/vyos-ansible.rst2
-rw-r--r--docs/automation/vyos-api.rst21
-rw-r--r--docs/changelog/1.3.rst68
-rw-r--r--docs/changelog/1.4.rst93
-rw-r--r--docs/configexamples/azure-vpn-bgp.rst2
-rw-r--r--docs/configexamples/azure-vpn-dual-bgp.rst2
-rw-r--r--docs/configexamples/bgp-ipv6-unnumbered.rst2
-rw-r--r--docs/configexamples/dhcp-relay-through-gre-bridge.rst5
-rw-r--r--docs/configexamples/ha.rst46
-rw-r--r--docs/configexamples/ospf-unnumbered.rst2
-rw-r--r--docs/configexamples/pppoe-ipv6-basic.rst24
-rw-r--r--docs/configexamples/tunnelbroker-ipv6.rst10
-rw-r--r--docs/configexamples/wan-load-balancing.rst25
-rw-r--r--docs/configexamples/zone-policy.rst6
-rw-r--r--docs/configuration/container/index.rst153
-rw-r--r--docs/configuration/firewall/index.rst60
-rw-r--r--docs/configuration/highavailability/index.rst6
-rw-r--r--docs/configuration/index.rst3
-rw-r--r--docs/configuration/interfaces/bonding.rst20
-rw-r--r--docs/configuration/interfaces/bridge.rst12
-rw-r--r--docs/configuration/interfaces/dummy.rst4
-rw-r--r--docs/configuration/interfaces/ethernet.rst3
-rw-r--r--docs/configuration/interfaces/geneve.rst2
-rw-r--r--docs/configuration/interfaces/index.rst2
-rw-r--r--docs/configuration/interfaces/l2tpv3.rst16
-rw-r--r--docs/configuration/interfaces/loopback.rst4
-rw-r--r--docs/configuration/interfaces/macsec.rst6
-rw-r--r--docs/configuration/interfaces/openvpn.rst22
-rw-r--r--docs/configuration/interfaces/pppoe.rst14
-rw-r--r--docs/configuration/interfaces/pseudo-ethernet.rst4
-rw-r--r--docs/configuration/interfaces/tunnel.rst20
-rw-r--r--docs/configuration/interfaces/vxlan.rst30
-rw-r--r--docs/configuration/interfaces/wireguard.rst162
-rw-r--r--docs/configuration/service/dhcp-server.rst2
-rw-r--r--docs/configuration/service/ssh.rst30
-rw-r--r--docs/configuration/system/login.rst4
-rw-r--r--docs/configuration/vpn/index.rst3
-rw-r--r--docs/configuration/vrf/index.rst126
-rw-r--r--docs/documentation.rst68
-rw-r--r--docs/installation/install.rst6
-rw-r--r--docs/operation/information.rst57
-rw-r--r--docs/troubleshooting/index.rst1
48 files changed, 1007 insertions, 264 deletions
diff --git a/docs/_ext/vyos.py b/docs/_ext/vyos.py
index 46ebae36..0a198821 100644
--- a/docs/_ext/vyos.py
+++ b/docs/_ext/vyos.py
@@ -1,6 +1,7 @@
import re
import json
import os
+from datetime import datetime
from docutils import io, nodes, utils, statemachine
from docutils.parsers.rst.roles import set_classes
from docutils.parsers.rst import Directive, directives, states
@@ -9,6 +10,9 @@ from sphinx.util.docutils import SphinxDirective
from testcoverage import get_working_commands
+from sphinx.util import logging
+
+logger = logging.getLogger(__name__)
def setup(app):
@@ -74,6 +78,7 @@ def setup(app):
app.add_directive('opcmd', OpCmdDirective)
app.add_directive('cmdinclude', CfgInclude)
app.connect('doctree-resolved', process_cmd_nodes)
+ app.connect('doctree-read', handle_document_meta_data)
class CfgcmdList(nodes.General, nodes.Element):
pass
@@ -640,4 +645,23 @@ def vytask_role(name, rawtext, text, lineno, inliner, options={}, content=[]):
def cmd_role(name, rawtext, text, lineno, inliner, options={}, content=[]):
node = nodes.literal(text, text)
- return [node], [] \ No newline at end of file
+ return [node], []
+
+
+def handle_document_meta_data(app, document):
+ docname = app.env.docname
+ lastproofread = app.env.metadata[docname].get('lastproofread', False)
+ if lastproofread:
+ try:
+ lastproofread_time = datetime.strptime(lastproofread, '%Y-%m-%d')
+ delta = datetime.now() - lastproofread_time
+ if delta.days > 180:
+ logger.warning(f'{delta.days} days since last proofread {app.env.doc2path(docname)}')
+
+ except Exception as e:
+ logger.warning(f'lastproofread meta data error in {app.env.doc2path(docname)}: {e}')
+ else:
+ pass
+ #logger.warning(f'lastproofread meta data missing in {app.env.doc2path(docname)}')
+
+
diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x
-Subproject 78099bccc510c90ad7cfa5f56475ba024d5d53a
+Subproject 562ead14a6dd1eb9190b9a9f38981423937bfc9
diff --git a/docs/_static/images/vrf-example-topology-01.png b/docs/_static/images/vrf-example-topology-01.png
new file mode 100644
index 00000000..57357509
--- /dev/null
+++ b/docs/_static/images/vrf-example-topology-01.png
Binary files differ
diff --git a/docs/_static/images/wireguard_site2site_diagram.jpg b/docs/_static/images/wireguard_site2site_diagram.jpg
new file mode 100644
index 00000000..fc305952
--- /dev/null
+++ b/docs/_static/images/wireguard_site2site_diagram.jpg
Binary files differ
diff --git a/docs/automation/cloud-init.rst b/docs/automation/cloud-init.rst
index be585321..7b2d53fb 100644
--- a/docs/automation/cloud-init.rst
+++ b/docs/automation/cloud-init.rst
@@ -1,29 +1,31 @@
-.. _cloud-init:
+:lastproofread: 2021-06-27
+
+. _cloud-init:
###############
VyOS cloud-init
###############
-Cloud instances of VyOS are initialized using the industry-standard cloud-init.
-Via cloud-init, the system performs tasks such as injecting SSH keys and
-configuring the network. In addition, the user can supply a custom
+Cloud instances of VyOS are initialized using the industry-standard
+cloud-init. Via cloud-init, the system performs tasks such as injecting
+SSH keys and configuring the network. In addition, the user can supply a custom
configuration at the time of instance launch.
**************
Config Sources
**************
-VyOS support three type of config sources.
-
-.. stop_vyoslinter
-
-* Metadata - Metadata is sourced by the cloud platform or hypervisor. In some clouds, there is implemented as an HTTP endpoint at http://169.254.169.254.
+VyOS support three types of config sources.
-* Network configuration - Ths config source informs the system about the network.
+* Metadata - Metadata is sourced by the cloud platform or hypervisor.
+ In some clouds, there is implemented as an HTTP endpoint at
+ http://169.254.169.254.
-* User-data - User-data is specified by the user. This config source offers the most flexibility and will be the focus of this documentation.
+* Network configuration - This config source informs the system about the
+ network.
-.. start_vyoslinter
+* User-data - User-data is specified by the user. This config source offers the
+ most flexibility and will be the focus of this documentation.
*********
@@ -86,7 +88,7 @@ These are the VyOS defaults and fallbacks.
* DHCP on first Ethernet interface if no network configuration is provided
-All of these can be overridden using configuration in user-data.
+All of these can be overridden using the configuration in user-data.
***************
diff --git a/docs/automation/command-scripting.rst b/docs/automation/command-scripting.rst
index 6bc6690c..14f2edfa 100644
--- a/docs/automation/command-scripting.rst
+++ b/docs/automation/command-scripting.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-27
+
.. _command-scripting:
Command Scripting
@@ -34,7 +36,7 @@ example, if you want to disable a BGP peer on VRRP transition to backup:
Run operational commands
------------------------
-Unlike a normal configuration sessions, all operational commands must be
+Unlike a normal configuration session, all operational commands must be
prepended with ``run``, even if you haven't created a session with configure.
.. code-block:: none
@@ -44,8 +46,8 @@ prepended with ``run``, even if you haven't created a session with configure.
run show interfaces
exit
-Other script language
----------------------
+Other script languages
+----------------------
If you want to script the configs in a language other than bash you can have
your script output commands and then source them in a bash script.
@@ -105,14 +107,71 @@ group, the script can be safeguarded like this:
exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi
+Executing pre-hooks/post-hooks Scripts
+--------------------------------------
+
+VyOS has the ability to run custom scripts before and after each commit
+
+The default directories where your custom Scripts should be located are:
+
+.. code-block:: none
+
+ /config/scripts/commit/pre-hooks.d - Directory with scripts that run before
+ each commit.
+
+ /config/scripts/commit/post-hooks.d - Directory with scripts that run after
+ each commit.
+
+Scripts are run in alphabetical order. Their names must consist entirely of
+ASCII upper- and lower-case letters,ASCII digits, ASCII underscores, and
+ASCII minus-hyphens.No other characters are allowed.
+
+.. note:: Custom scripts are not executed with root privileges
+ (Use sudo inside if this is necessary).
+
+A simple example is shown below, where the ops command executed in
+the post-hook script is "show interfaces".
+
+.. code-block:: none
+
+ vyos@vyos# set interfaces ethernet eth1 address 192.0.2.3/24
+ vyos@vyos# commit
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address S/L Description
+ --------- ---------- --- -----------
+ eth0 198.51.100.10/24 u/u
+ eth1 192.0.2.3/24 u/u
+ eth2 - u/u
+ eth3 - u/u
+ lo 203.0.113.5/24 u/u
+
+Preconfig on boot
+-----------------
+
+The ``/config/scripts/vyos-preconfig-bootup.script`` script is called on boot
+before the VyOS configuration during boot process.
+
+Any modifications were done to work around unfixed bugs and implement
+enhancements that are not complete in the VyOS system can be placed here.
+
+The default file looks like this:
+
+.. code-block:: none
+
+ #!/bin/sh
+ # This script is executed at boot time before VyOS configuration is applied.
+ # Any modifications required to work around unfixed bugs or use
+ # services not available through the VyOS CLI system can be placed here.
+
+
Postconfig on boot
------------------
The ``/config/scripts/vyos-postconfig-bootup.script`` script is called on boot
after the VyOS configuration is fully applied.
-Any modifications done to work around unfixed bugs and implement enhancements
-which are not complete in the VyOS system can be placed here.
+Any modifications were done to work around unfixed bugs and implement
+enhancements that are not complete in the VyOS system can be placed here.
The default file looks like this:
diff --git a/docs/automation/vyos-ansible.rst b/docs/automation/vyos-ansible.rst
index a199152f..e02d06a9 100644
--- a/docs/automation/vyos-ansible.rst
+++ b/docs/automation/vyos-ansible.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
.. _vyos-ansible:
Ansible
diff --git a/docs/automation/vyos-api.rst b/docs/automation/vyos-api.rst
index 988ff010..27655483 100644
--- a/docs/automation/vyos-api.rst
+++ b/docs/automation/vyos-api.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
.. _vyosapi:
########
@@ -10,11 +12,11 @@ For configuration and enabling the API see :ref:`http-api`
Authentication
**************
-All Endpoint only listen on HTTP POST requests and the API KEY must set as
+All endpoints only listen on HTTP POST requests and the API KEY must set as
``key`` in the formdata.
Below see one example for curl and one for python.
-In the following, the documentation is reduced to curl.
+The rest of the documentation is reduced to curl.
.. code-block:: none
@@ -74,8 +76,7 @@ To get the whole configuration, pass an empty list to the ``path`` field
}
-only get a part of the configuration,
-for example ``system syslog``.
+To only get a part of the configuration, for example ``system syslog``.
.. code-block:: none
@@ -105,7 +106,7 @@ for example ``system syslog``.
if you just want the Value of a multi-valued node, use the ``returnValues``
operation.
-for example get the addresses of a ``dum0`` interface
+For example, get the addresses of a ``dum0`` interface.
.. code-block:: none
@@ -165,9 +166,9 @@ delete an image, for example ``1.3-rolling-202006070117``
/show
=====
-The ``/show`` endpoint is to show everthing in operational mode
+The ``/show`` endpoint is to show everything in the operational mode.
-for example which images are installed
+For example, show which images are installed.
.. code-block:: none
@@ -189,7 +190,7 @@ for example which images are installed
/generate
=========
-to run a ``generate`` command use the
+THe ``generate`` endpoint run a ``generate`` command.
.. code-block:: none
@@ -242,10 +243,10 @@ You can pass a ``set``, ``delete`` or ``comment`` command to the
"error": null
}
-The API push every request to a session and commit it.
+The API pushes every request to a session and commit it.
But some of VyOS components like DHCP and PPPoE Servers, IPSec, VXLAN, and
other tunnels require full configuration for commit.
-The Endpoint will process multiple commands when you pass them as a list to
+The endpoint will process multiple commands when you pass them as a list to
the ``data`` field.
.. code-block:: none
diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst
index afc77f4a..17984e03 100644
--- a/docs/changelog/1.3.rst
+++ b/docs/changelog/1.3.rst
@@ -8,6 +8,71 @@
_ext/releasenotes.py
+2021-07-01
+==========
+
+* :vytask:`T3658` (feature): Add support for dhcpdv6 fixed-prefix6
+
+
+2021-06-29
+==========
+
+* :vytask:`T3593` (bug): PPPoE server called-sid format does not work
+
+
+2021-06-27
+==========
+
+* :vytask:`T3653` (default): Cloudinit subnet error if a cidr (/24) is used instead of a subnet mask (255.255.255.0)
+
+
+2021-06-25
+==========
+
+* :vytask:`T3650` (bug): OpenVPN: Upgrade package to 2.5.1 before releasing VyOS 1.3.0
+* :vytask:`T3649` (feature): Add bonding additional hash-policy
+
+
+2021-06-24
+==========
+
+* :vytask:`T2722` (bug): get_config_dict() and key_mangling=('-', '_') will alter CLI data for tagNodes
+
+
+2021-06-22
+==========
+
+* :vytask:`T3629` (bug): IPoE server shifting address in the range
+* :vytask:`T3582` (default): 'delete log file' does not work
+
+
+2021-06-19
+==========
+
+* :vytask:`T3633` (feature): Add LRO offload for interface ethernet
+* :vytask:`T3632` (bug): policy: route-map: unable to configure route-target / site-of-origin
+
+
+2021-06-18
+==========
+
+* :vytask:`T3634` (feature): Add op command option for ping for do not fragment bit to be set
+
+
+2021-06-17
+==========
+
+* :vytask:`T3631` (feature): route-map: migrate "set extcommunity-rt" and "set extcommunity-soo" to "set extcommunity rt|soo" to match FRR syntax
+
+
+2021-06-16
+==========
+
+* :vytask:`T3623` (default): Fix for dummy interface option in the operational command "clear interfaces dummy"
+* :vytask:`T2425` (feature): Rewrite all policy zebra filters to XML/Python style
+* :vytask:`T3630` (feature): op-mode: add "show version kernel" command
+
+
2021-06-13
==========
@@ -168,6 +233,7 @@
* :vytask:`T3532` (bug): Not possible to change ethertype after interface creation
* :vytask:`T3550` (bug): Router-advert completion typo
* :vytask:`T3547` (feature): conntrackd: remove deprecated config options
+* :vytask:`T3535` (feature): Rewrite vyatta-conntrack-sync in new XML and Python flavor
* :vytask:`T2049` (feature): Update strongSwan cipher suites list for IPSec settings
@@ -528,7 +594,7 @@
2021-02-16
==========
-* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.125 / 5.10.43
+* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.129 / 5.10.47
2021-02-14
diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst
index 8d4d8125..ce43c7c9 100644
--- a/docs/changelog/1.4.rst
+++ b/docs/changelog/1.4.rst
@@ -8,6 +8,97 @@
_ext/releasenotes.py
+2021-07-03
+==========
+
+* :vytask:`T57` (enhancment): Make it possible to disable the entire IPsec peer
+
+
+2021-07-01
+==========
+
+* :vytask:`T3658` (feature): Add support for dhcpdv6 fixed-prefix6
+* :vytask:`T2035` (bug): Executing vyos-smoketest multiple times makes ssh test fail on execution
+
+
+2021-06-29
+==========
+
+* :vytask:`T3593` (bug): PPPoE server called-sid format does not work
+* :vytask:`T3657` (default): BGP neighbors ipv6 not able to establish with IPv6 link-local addresses
+* :vytask:`T1441` (feature): Add support for IPSec XFRM interfaces
+
+
+2021-06-27
+==========
+
+* :vytask:`T3653` (default): Cloudinit subnet error if a cidr (/24) is used instead of a subnet mask (255.255.255.0)
+
+
+2021-06-25
+==========
+
+* :vytask:`T3641` (feature): Upgrade base system from Debian Buster -> Debian Bullseye
+* :vytask:`T3649` (feature): Add bonding additional hash-policy
+
+
+2021-06-23
+==========
+
+* :vytask:`T3647` (feature): Bullseye: gcc defaults to passing --as-needed to linker
+* :vytask:`T3644` (default): Replace GCC with a simpler preprocessor for including nested XML snippets in XML documents
+* :vytask:`T3356` (feature): Script for remote file transfers
+
+
+2021-06-22
+==========
+
+* :vytask:`T3629` (bug): IPoE server shifting address in the range
+* :vytask:`T3645` (feature): Bullseye: ethtool changed output for ring-buffer information
+* :vytask:`T3582` (default): 'delete log file' does not work
+
+
+2021-06-21
+==========
+
+* :vytask:`T3628` (bug): commit-archive source-address Interface Broken
+* :vytask:`T3563` (default): commit-archive breaks with IPv6 source addresses
+
+
+2021-06-20
+==========
+
+* :vytask:`T3637` (bug): vrf: bind-to-all didn't work properly
+* :vytask:`T3639` (default): GCC preprocessor clobbers C comments
+
+
+2021-06-19
+==========
+
+* :vytask:`T3633` (feature): Add LRO offload for interface ethernet
+* :vytask:`T3632` (bug): policy: route-map: unable to configure route-target / site-of-origin
+
+
+2021-06-18
+==========
+
+* :vytask:`T3634` (feature): Add op command option for ping for do not fragment bit to be set
+* :vytask:`T3599` (default): Migrate NHRP to XML/Python
+
+
+2021-06-17
+==========
+
+* :vytask:`T3624` (feature): BGP: add support for extended community bandwidth definition
+
+
+2021-06-16
+==========
+
+* :vytask:`T3623` (default): Fix for dummy interface option in the operational command "clear interfaces dummy"
+* :vytask:`T3630` (feature): op-mode: add "show version kernel" command
+
+
2021-06-13
==========
@@ -621,7 +712,7 @@
==========
* :vytask:`T3313` (bug): ospfv3 interface missing options
-* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.125 / 5.10.43
+* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.129 / 5.10.47
2021-02-15
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst
index c40e1b76..7dc2f332 100644
--- a/docs/configexamples/azure-vpn-bgp.rst
+++ b/docs/configexamples/azure-vpn-bgp.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
.. _examples-azure-vpn-bgp:
Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst
index 6df5d2ff..8cf2c0ef 100644
--- a/docs/configexamples/azure-vpn-dual-bgp.rst
+++ b/docs/configexamples/azure-vpn-dual-bgp.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
.. _examples-azure-vpn-dual-bgp:
Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
diff --git a/docs/configexamples/bgp-ipv6-unnumbered.rst b/docs/configexamples/bgp-ipv6-unnumbered.rst
index 12ce2bd6..d8965b6b 100644
--- a/docs/configexamples/bgp-ipv6-unnumbered.rst
+++ b/docs/configexamples/bgp-ipv6-unnumbered.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
.. _examples-bgp-ipv6-unnumbered:
#########################################
diff --git a/docs/configexamples/dhcp-relay-through-gre-bridge.rst b/docs/configexamples/dhcp-relay-through-gre-bridge.rst
index 10184970..16d8488b 100644
--- a/docs/configexamples/dhcp-relay-through-gre-bridge.rst
+++ b/docs/configexamples/dhcp-relay-through-gre-bridge.rst
@@ -1,7 +1,4 @@
-
-
-
-
+:lastproofread: 2021-06-28
.. _examples-dhcp-relay-through-gre-bridge:
diff --git a/docs/configexamples/ha.rst b/docs/configexamples/ha.rst
index 401d7b9f..12c431f0 100644
--- a/docs/configexamples/ha.rst
+++ b/docs/configexamples/ha.rst
@@ -1,24 +1,26 @@
+:lastproofread: 2021-06-28
+
#############################
High Availability Walkthrough
#############################
This document walks you through a complete HA setup of two VyOS machines. This
-design is based on a VM as the primary router, and a physical machine as a
-backup, using VRRP, BGP, OSPF and conntrack sharing.
+design is based on a VM as the primary router and a physical machine as a
+backup, using VRRP, BGP, OSPF, and conntrack sharing.
-The aim of this document is to walk you through setting everything up, so
+This document aims to walk you through setting everything up, so
at a point where you can reboot any machine and not lose more than a few
seconds worth of connectivity.
Design
======
-This is based on a real life, in production design. One of the complex issues
+This is based on a real-life production design. One of the complex issues
is ensuring you have redundant data INTO your network. We do this with a pair
-of Cisco Nexus switches, and using Virtual PortChannels that are spanned across
-them. This as an added bonus, also allows for complete switch failure without
-an outage. How you achieve this yourself is left as an exercise to the reader
-but our setup is documented here.
+of Cisco Nexus switches and using Virtual PortChannels that are spanned across
+them. As a bonus, this also allows for complete switch failure without
+an outage. How you achieve this yourself is left as an exercise to the reader.
+But our setup is documented here.
Walkthrough suggestion
----------------------
@@ -31,7 +33,7 @@ If you are following through this document, it is strongly suggested you
complete the entire document, ONLY doing the virtual router1 steps, and then
come back and walk through it AGAIN on the backup hardware router.
-This ensures you don't go to fast, or miss a step. However, it will make your
+This ensures you don't go too fast or miss a step. However, it will make your
life easier to configure the fixed IP address and default route now on the
hardware router.
@@ -43,7 +45,7 @@ provider, which we are publishing on VLAN100.
They want us to establish a BGP session to their routers on 192.0.2.11 and
192.0.2.12 from our routers 192.0.2.21 and 192.0.2.22. They are AS 65550 and
-we are AS65551.
+we are AS 65551.
Our routers are going to have a floating IP address of 203.0.113.1, and use
.2 and .3 as their fixed IPs.
@@ -54,13 +56,13 @@ When traffic is originated from the 10.200.201.0/24 network, it will be
masqueraded to 203.0.113.1
For connection between sites, we are running a WireGuard link to two REMOTE
-routers, and using OSPF over those links to distribute routes. That remote
+routers and using OSPF over those links to distribute routes. That remote
site is expected to send traffic from anything in 10.201.0.0/16
VLANs
-----
-These are the vlans we wll be using:
+These are the vlans we will be using:
* 50: Upstream, using the 192.0.2.0/24 network allocated by them.
* 100: 'Public' network, using our 203.0.113.0/24 network.
@@ -95,7 +97,7 @@ of scope of this.
.. note:: Our implementation uses VMware's Distributed Port Groups, which allows
VMware to use LACP. This is a part of the ENTERPRISE licence, and is not
- available on a Free licence. If you are implementing this and do not have
+ available on a free licence. If you are implementing this and do not have
access to DPGs, you should not use VMware, and use some other virtualization
platform instead.
@@ -103,7 +105,7 @@ of scope of this.
Basic Setup (via console)
=========================
-Create your router1 VM so it is able to withstand a VM Host failing, or a
+Create your router1 VM. So it can withstand a VM Host failing or a
network link failing. Using VMware, this is achieved by enabling vSphere DRS,
vSphere Availability, and creating a Distributed Port Group that uses LACP.
@@ -177,7 +179,7 @@ Enable SSH so you can now SSH into the routers, rather than using the console.
commit
save
-At this point you should be able to SSH into both of them, and will no longer
+At this point, you should be able to SSH into both of them, and will no longer
need access to the console (unless you break something!)
@@ -417,9 +419,9 @@ Make sure you can ping 10.254.60.1 and .2 from both routers.
Create Export Filter
--------------------
-We only want to export the networks we know we should be exporting. Always
-whitelist your route filters, both importing and exporting. A good rule of
-thumb is **'If you are not the default router for a network, don't advertise
+We only want to export the networks we know. Always do a whitelist on your route
+filters, both importing and exporting. A good rule of thumb is
+**'If you are not the default router for a network, don't advertise
it'**. This means we explicitly do not want to advertise the 192.0.2.0/24
network (but do want to advertise 10.200.201.0 and 203.0.113.0, which we ARE
the default route for). This filter is applied to ``redistribute connected``.
@@ -448,7 +450,7 @@ default again. This is called 'flapping'.
Create Import Filter
--------------------
-We only want to import networks we know about. Our OSPF peer should only be
+We only want to import networks we know. Our OSPF peer should only be
advertising networks in the 10.201.0.0/16 range. Note that this is an INVERSE
MATCH. You deny in access-list 100 to accept the route.
@@ -491,7 +493,7 @@ Test OSPF
When you have enabled OSPF on both routers, you should be able to see each
other with the command ``show ip ospf neighbour``. The state must be 'Full'
-or '2-Way', if it is not then there is a network connectivity issue between the
+or '2-Way'. If it is not, then there is a network connectivity issue between the
hosts. This is often caused by NAT or MTU issues. You should not see any new
routes (unless this is the second pass) in the output of ``show ip route``
@@ -514,8 +516,8 @@ You should now be able to see the advertised network on the other host.
Duplicate configuration
-----------------------
-At this pont you now need to create the X link between all four routers. Use a
-different /30 for each link.
+At this point, you now need to create the X link between all four routers.
+Use amdifferent /30 for each link.
Priorities
----------
diff --git a/docs/configexamples/ospf-unnumbered.rst b/docs/configexamples/ospf-unnumbered.rst
index dfb4eec1..6a5a1bb4 100644
--- a/docs/configexamples/ospf-unnumbered.rst
+++ b/docs/configexamples/ospf-unnumbered.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
.. _examples-ospf-unnumbered:
#########################
diff --git a/docs/configexamples/pppoe-ipv6-basic.rst b/docs/configexamples/pppoe-ipv6-basic.rst
index 451d2b09..f569d9c3 100644
--- a/docs/configexamples/pppoe-ipv6-basic.rst
+++ b/docs/configexamples/pppoe-ipv6-basic.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
.. _examples-pppoe-ipv6-basic:
#######################################
@@ -5,9 +7,9 @@ PPPoE IPv6 Basic Setup for Home Network
#######################################
This document is to describe a basic setup using PPPoE with DHCPv6-PD +
-SLAAC to construct a typical home network. The user can follow steps described
-here to quickly setup a working network and use this as a starting point to
-further configure or fine tune other settings.
+SLAAC to construct a typical home network. The user can follow the steps
+described here to quickly setup a working network and use this as a starting
+point to further configure or fine-tune other settings.
To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure,
please contact your ISP for more information.
@@ -40,8 +42,8 @@ DHCPv6-PD Setup
---------------
During address configuration, in addition to assigning an address to the WAN
-interface, ISP also provides a prefix to allow router to configure addresses of
-LAN interface and other nodes connecting to LAN, which is called prefix
+interface, ISP also provides a prefix to allow the router to configure addresses
+of LAN interface and other nodes connecting to LAN, which is called prefix
delegation (PD).
.. code-block:: none
@@ -49,8 +51,8 @@ delegation (PD).
set interfaces pppoe pppoe0 ipv6 address autoconf
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 address '100'
-* Here we use prefix to configure the address of eth1 (LAN) to form ``<prefix>::64``,
- where ``64`` is hexadecimal of address 100.
+* Here we use the prefix to configure the address of eth1 (LAN) to form
+ ``<prefix>::64``, where ``64`` is hexadecimal of address 100.
* For home network users, most of time ISP only provides /64 prefix, hence
there is no need to set SLA ID and prefix length. See :ref:`pppoe-interface`
for more information.
@@ -59,7 +61,7 @@ Router Advertisement
--------------------
We need to enable router advertisement for LAN network so that PC can receive
-the prefix and use SLAAC to configure address automatically.
+the prefix and use SLAAC to configure the address automatically.
.. code-block:: none
@@ -68,8 +70,8 @@ the prefix and use SLAAC to configure address automatically.
set service router-advert interface eth1 prefix ::/64 valid-lifetime '172800'
* Set MTU in advertisement to 1492 because of PPPoE header overhead.
-* Set DNS server address in advertisement so that clients can obtain it by using
- RDNSS option. Most operating systems (Windows, Linux, Mac) should
+* Set DNS server address in the advertisement so that clients can obtain it by
+ using RDNSS option. Most operating systems (Windows, Linux, Mac) should
already support it.
* Here we set the prefix to ``::/64`` to indicate advertising any /64 prefix
the LAN interface is assigned.
@@ -106,5 +108,5 @@ To have basic protection while keeping IPv6 network functional, we need to:
set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN'
set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL'
-Note to allow router to receive DHCPv6 response from ISP, we need to allow
+Note to allow the router to receive DHCPv6 response from ISP. We need to allow
packets with source port 547 (server) and destination port 546 (client).
diff --git a/docs/configexamples/tunnelbroker-ipv6.rst b/docs/configexamples/tunnelbroker-ipv6.rst
index 9317912a..b3f8d5e1 100644
--- a/docs/configexamples/tunnelbroker-ipv6.rst
+++ b/docs/configexamples/tunnelbroker-ipv6.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
.. _examples-tunnelbroker-ipv6:
.. stop_vyoslinter
@@ -6,7 +8,7 @@
Tunnelbroker.net (IPv6)
#######################
-This guides walks through the setup of https://www.tunnelbroker.net/ for an
+This guide walks through the setup of https://www.tunnelbroker.net/ for an
IPv6 Tunnel.
Prerequisites
@@ -78,12 +80,12 @@ You should now be able to ping something by IPv6 DNS name:
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 16.880/17.153/17.426/0.273 ms
-Assuming everything works, you can proceed to client configuration
+Assuming everything works, you can proceed to the client configuration
LAN Configuration
=================
-At this point your VyOS install should have full IPv6, but now your LAN devices
+At this point, your VyOS install should have full IPv6, but now your LAN devices
need access.
With Tunnelbroker.net, you have two options:
@@ -140,7 +142,7 @@ The format of these addresses:
In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff
(1-65535).
-So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc:
+So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:
.. code-block:: none
diff --git a/docs/configexamples/wan-load-balancing.rst b/docs/configexamples/wan-load-balancing.rst
index cd150121..ace9a981 100644
--- a/docs/configexamples/wan-load-balancing.rst
+++ b/docs/configexamples/wan-load-balancing.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
.. _wan-load-balancing:
.. stop_vyoslinter # pictures and text have to change
@@ -65,21 +67,20 @@ Configure the WAN load balancer with the parameters described above:
Example 2: Failover based on interface weights
----------------------------------------------
-This examples uses the failover mode.
-
+This example uses the failover mode.
.. _wan:example2_overwiew:
Overview
^^^^^^^^
-In this example eth0 is the primary interface and eth1 is the secondary
-interface to provide simple failover functionality. If eth0 fails, eth1
+In this example, eth0 is the primary interface and eth1 is the secondary
+interface. To provide simple failover functionality. If eth0 fails, eth1
takes over.
Create interface weight based configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The configuration steps are the same as in the previous example, except
-rule 10 so we keep the configuration, remove rule 10 and add a new rule
+rule 10. So we keep the configuration, remove rule 10 and add a new rule
for the failover mode:
.. code-block:: none
@@ -93,8 +94,8 @@ for the failover mode:
Example 3: Failover based on rule order
---------------------------------------
-The previous example used the failover command to send traffic thorugh
-eth1 if eth0 fails. In this example failover functionality is provided
+The previous example used the failover command to send traffic through
+eth1 if eth0 fails. In this example, failover functionality is provided
by rule order.
.. _wan:example3_overwiew:
@@ -108,7 +109,7 @@ directing traffic to eth1.
Create rule order based configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-We keep the configurtation from the previous example, delete rule 10
+We keep the configuration from the previous example, delete rule 10
and create the two new rules as described:
.. code-block:: none
@@ -122,20 +123,20 @@ and create the two new rules as described:
Example 4: Failover based on rule order - priority traffic
----------------------------------------------------------
-A rule order for prioritising traffic is useful in scenarios where the
+A rule order for prioritizing traffic is useful in scenarios where the
secondary link has a lower speed and should only carry high priority
traffic. It is assumed for this example that eth1 is connected to a
-slower connection than eth0 and should prioritise VoIP traffic.
+slower connection than eth0 and should prioritize VoIP traffic.
.. _wan:example4_overwiew:
Overview
^^^^^^^^
-A rule order for prioritising traffic is useful in scenarios where the
+A rule order for prioritizing traffic is useful in scenarios where the
secondary link has a lower speed and should only carry high priority
traffic. It is assumed for this example that eth1 is connected to a
-slower connection than eth0 and should prioritise VoIP traffic.
+slower connection than eth0 and should prioritize VoIP traffic.
Create rule order based configuration with low speed secondary link
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst
index bfe77c2e..cf11a01e 100644
--- a/docs/configexamples/zone-policy.rst
+++ b/docs/configexamples/zone-policy.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
.. _examples-zone-policy:
Zone-Policy example
@@ -132,7 +134,7 @@ To add logging to the default rule, do:
set firewall name <ruleSet> enable-default-log
-By default, iptables does not allow traffic for established session to
+By default, iptables does not allow traffic for established sessions to
return, so you must explicitly allow this. I do this by adding two rules
to every ruleset. 1 allows established and related state packets through
and rule 2 drops and logs invalid state packets. We place the
@@ -367,7 +369,7 @@ IPv6 Tunnel
^^^^^^^^^^^
If you are using a IPv6 tunnel from HE.net or someone else, the basis is
-the same except you have two WAN interface. One for v4 and one for v6.
+the same except you have two WAN interfaces. One for v4 and one for v6.
You would have 5 zones instead of just 4 and you would configure your v6
ruleset between your tunnel interface and your LAN/DMZ zones instead of
diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst
new file mode 100644
index 00000000..ed510477
--- /dev/null
+++ b/docs/configuration/container/index.rst
@@ -0,0 +1,153 @@
+:lastproofread: 2021-06-30
+
+.. include:: /_include/need_improvement.txt
+
+.. _container:
+
+#########
+Container
+#########
+
+*************
+Configuration
+*************
+
+.. cfgcmd:: set container <name>
+
+ Set a named container.
+
+.. cfgcmd:: set container network <networkname>
+
+ Creates a named container network
+
+.. cfgcmd:: set container registry <name>
+
+ Adds registry to list of unqualified-search-registries. By default, for any
+ image that does not include the registry in the image name, Vyos will use
+ docker.io as the container registry.
+
+.. cfgcmd:: set container <name> image
+
+ Sets the image name in the hub registry
+
+ .. code-block:: none
+
+ set container name mysql-server image mysql:8.0
+
+ If a registry is not specified, Docker.io will be used as the container
+ registry unless an alternative registry is specified using
+ **set container registry <name>** or the registry is included in the image name
+
+ .. code-block:: none
+
+ set container name mysql-server image quay.io/mysql:8.0
+
+.. cfgcmd:: set container <name> allow-host-networks
+
+ Allow host networking in a container. The network stack of the container is
+ not isolated from the host and will use the host IP.
+
+ The following commands translate to "--net host" when the container
+ is created
+
+ .. note:: **allow-host-networks** cannot be used with **network**
+
+.. cfgcmd:: set container <name> description <text>
+
+ Sets the container description
+
+.. cfgcmd:: set container <name> environment '<key>' value '<value>'
+
+ Add custom environment variables.
+ Multiple environment variables are allowed.
+ The following commands translate to "-e key=value" when the container
+ is created.
+
+ .. code-block:: none
+
+ set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix'
+ set container name mysql-server environment 'MYSQL_USER' value 'zabbix'
+ set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
+ set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
+
+.. cfgcmd:: set container <name> network <networkname>
+
+ Attaches user-defined network to a container.
+ Only one network must be specified and must already exist.
+
+ Optionally a specific static IPv4 or IPv6 address can be set for
+ the container. This address must be within the named network.
+
+ .. code-block:: none
+
+ set container <name> network <networkname> address <address>
+
+ .. note:: The first IP in the container network is reserved by the engine and cannot be used
+
+.. cfgcmd:: set container <name> port <portname> [source | destination ] <portnumber>
+
+ Publishes a port for the container
+
+ .. code-block:: none
+
+ set container name zabbix-web-nginx-mysql port http source 80
+ set container name zabbix-web-nginx-mysql port http destination 8080
+
+.. cfgcmd:: set container <name> volume <volumename> [source | destination ] <path>
+
+ Mount a volume into the container
+
+ .. code-block:: none
+
+ set container name coredns volume 'corefile' source /config/coredns/Corefile
+ set container name coredns volume 'corefile' destination /etc/Corefile
+
+*********************
+Example Configuration
+*********************
+
+ For the sake of demonstration, `example #1 in the official documentation
+ <https://www.zabbix.com/documentation/current/manual/installation/containers>`_
+ to the declarative VyOS CLI syntax.
+
+ .. code-block:: none
+
+ set container network zabbix-net prefix 172.20.0.0/16
+ set container network zabbix-net description 'Network for Zabbix component containers'
+
+ set container name mysql-server image mysql:8.0
+ set container name mysql-server network zabbix-net
+
+ set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix'
+ set container name mysql-server environment 'MYSQL_USER' value 'zabbix'
+ set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
+ set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
+
+ set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest
+ set container name zabbix-java-gateway network zabbix-net
+
+ set container name zabbix-server-mysql image zabbix/zabbix-server-mysql:alpine-5.2-latest
+ set container name zabbix-server-mysql network zabbix-net
+
+ set container name zabbix-server-mysql environment 'DB_SERVER_HOST' value 'mysql-server'
+ set container name zabbix-server-mysql environment 'MYSQL_DATABASE' value 'zabbix'
+ set container name zabbix-server-mysql environment 'MYSQL_USER' value 'zabbix'
+ set container name zabbix-server-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
+ set container name zabbix-server-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
+ set container name zabbix-server-mysql environment 'ZBX_JAVAGATEWAY' value 'zabbix-java-gateway'
+
+ set container name zabbix-server-mysql port zabbix source 10051
+ set container name zabbix-server-mysql port zabbix destination 10051
+
+ set container name zabbix-web-nginx-mysql image zabbix/zabbix-web-nginx-mysql:alpine-5.2-latest
+ set container name zabbix-web-nginx-mysql network zabbix-net
+
+ set container name zabbix-web-nginx-mysql environment 'MYSQL_DATABASE' value 'zabbix'
+ set container name zabbix-web-nginx-mysql environment 'ZBX_SERVER_HOST' value 'zabbix-server-mysql'
+ set container name zabbix-web-nginx-mysql environment 'DB_SERVER_HOST' value 'mysql-server'
+ set container name zabbix-web-nginx-mysql environment 'MYSQL_USER' value 'zabbix'
+ set container name zabbix-web-nginx-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
+ set container name zabbix-web-nginx-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
+
+ set container name zabbix-web-nginx-mysql port http source 80
+ set container name zabbix-web-nginx-mysql port http destination 8080 \ No newline at end of file
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 667a4653..d52d6f2a 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
.. _firewall:
########
@@ -29,7 +31,7 @@ or zone based firewall policy.
Global settings
***************
-Some firewall settings are global and have a affect on the whole system.
+Some firewall settings are global and have an affect on the whole system.
.. cfgcmd:: set firewall all-ping [enable | disable]
@@ -89,7 +91,7 @@ Some firewall settings are global and have a affect on the whole system.
.. cfgcmd:: set firewall send-redirects [enable | disable]
- enable or disable of ICMPv4 redirect messages send by VyOS
+ enable or disable ICMPv4 redirect messages send by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
@@ -127,7 +129,7 @@ Some firewall settings are global and have a affect on the whole system.
.. cfgcmd:: set firewall state-policy established log enable
- Set the global setting for a established connections.
+ Set the global setting for an established connection.
.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
@@ -163,8 +165,8 @@ names.
Address Groups
==============
-In a **address group** a single IP adresses or IP address ranges are
-definded.
+In an **address group** a single IP address or IP address ranges are
+defined.
.. cfgcmd:: set firewall group address-group <name> address [address |
address range]
@@ -221,7 +223,7 @@ filtering unnecessary ports. Ranges of ports can be specified by using
.. cfgcmd:: set firewall group port-group <name> port
[portname | portnumber | startport-endport]
- Define a port group. A port name are any name defined in
+ Define a port group. A port name can be any name defined in
/etc/services. e.g.: http
.. code-block:: none
@@ -240,10 +242,10 @@ Rule-Sets
*********
A rule-set is a named collection of firewall rules that can be applied
-to an interface or zone. Each rule is numbered, has an action to apply
+to an interface or a zone. Each rule is numbered, has an action to apply
if the rule is matched, and the ability to specify the criteria to
match. Data packets go through the rules from 1 - 9999, at the first match
-the action of the rule will executed.
+the action of the rule will be executed.
.. cfgcmd:: set firewall name <name> description <text>
.. cfgcmd:: set firewall ipv6-name <name> description <text>
@@ -267,7 +269,7 @@ the action of the rule will executed.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> action [drop | reject |
accept]
- This required setting define the action of the current rule.
+ This required setting defines the action of the current rule.
.. cfgcmd:: set firewall name <name> rule <1-9999> description <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> description <text>
@@ -287,7 +289,7 @@ the action of the rule will executed.
Matching criteria
=================
-There are a lot of matching criteria gainst which the package can be tested.
+There are a lot of matching criteria against which the package can be tested.
.. cfgcmd:: set firewall name <name> rule <1-9999> source address
@@ -299,7 +301,7 @@ There are a lot of matching criteria gainst which the package can be tested.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination address
[address | addressrange | CIDR]
- This is similiar to the network groups part, but here you are able to negate
+ This is similar to the network groups part, but here you are able to negate
the matching addresses.
.. code-block:: none
@@ -315,7 +317,7 @@ There are a lot of matching criteria gainst which the package can be tested.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> source mac-address
<mac-address>
- Only in the source criteria you can specify a mac-address
+ Only in the source criteria, you can specify a mac-address.
.. code-block:: none
@@ -331,7 +333,7 @@ There are a lot of matching criteria gainst which the package can be tested.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination port
[1-65535 | portname | start-end]
- A port can be set with a portnumber or a name which is here
+ A port can be set with a port number or a name which is here
defined: ``/etc/services``.
.. code-block:: none
@@ -410,9 +412,9 @@ There are a lot of matching criteria gainst which the package can be tested.
set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
.. cfgcmd:: set firewall name <name> rule <1-9999> state [established |
- invalid | new | related] [enable | disable ]
+ invalid | new | related] [enable | disable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> state [established |
- invalid | new | related] [enable | disable ]
+ invalid | new | related] [enable | disable]
Match against the state of a packet.
@@ -423,8 +425,8 @@ Applying a Rule-Set to an Interface
A Rule-Set can be applied to every interface:
-* ``in``: Ruleset for forwarded packets on inbound interface
-* ``out``: Ruleset for forwarded packets on outbound interface
+* ``in``: Ruleset for forwarded packets on an inbound interface
+* ``out``: Ruleset for forwarded packets on an outbound interface
* ``local``: Ruleset for packets destined for this router
.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
@@ -451,7 +453,7 @@ Zone-based Firewall Policy
As an alternative to applying policy to an interface directly, a
zone-based firewall can be created to simplify configuration when
multiple interfaces belong to the same security zone. Instead of
-applying rulesets to interfaces, they are applied to source
+applying rule-sets to interfaces, they are applied to source
zone-destination zone pairs.
An basic introduction to zone-based firewalls can be found `here
@@ -465,12 +467,12 @@ To define a zone setup either one with interfaces or a local zone.
.. cfgcmd:: set zone-policy zone <name> interface <interfacenames>
- Set a interfaces to a zone. A zone can have multiple interfaces.
- But a interface can only be member in one zone.
+ Set interfaces to a zone. A zone can have multiple interfaces.
+ But an interface can only be a member in one zone.
.. cfgcmd:: set zone-policy zone <name> local-zone
- Define the Zone as a local zone. A local zone have no interfaces and
+ Define the zone as a local zone. A local zone has no interfaces and
will be applied to the router itself.
.. cfgcmd:: set zone-policy zone <name> default-action [drop | reject]
@@ -486,14 +488,14 @@ Applying a Rule-Set to a Zone
=============================
Before you are able to apply a rule-set to a zone you have to create the zones
-first.
+first.
.. cfgcmd:: set zone-policy zone <name> from <name> firewall name
<rule-set>
.. cfgcmd:: set zone-policy zone <name> from <name> firewall ipv6-name
<rule-set>
- You apply a rule-set always to a zone from a other zone, it is recommended
+ You apply a rule-set always to a zone from an other zone, it is recommended
to create one rule-set for each zone pair.
.. code-block:: none
@@ -577,7 +579,7 @@ Rule-set overview
.. opcmd:: show firewall summary
- This will show you a summary about rule-sets and groups
+ This will show you a summary of rule-sets and groups
.. code-block:: none
@@ -630,7 +632,7 @@ Rule-set overview
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999>
- This command will give an overview about a rule in a single rule-set
+ This command will give an overview of a rule in a single rule-set
.. opcmd:: show firewall group <name>
@@ -658,7 +660,7 @@ Rule-set overview
.. opcmd:: show firewall [name | ipv6name] <name>
- This command will give an overview about a single rule-set
+ This command will give an overview of a single rule-set.
.. opcmd:: show firewall [name | ipv6name] <name> statistics
@@ -666,7 +668,7 @@ Rule-set overview
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999>
- This command will give an overview about a rule in a single rule-set
+ This command will give an overview of a rule in a single rule-set.
Zone-Policy Overview
@@ -674,7 +676,7 @@ Zone-Policy Overview
.. opcmd:: show zone-policy zone <name>
- Use this command to get an overview about a zone
+ Use this command to get an overview of a zone.
.. code-block:: none
@@ -695,7 +697,7 @@ Show Firewall log
.. opcmd:: show log firewall [name | ipv6name] <name>
- Show the logs of a specific Rule-Set
+ Show the logs of a specific Rule-Set.
.. note::
At the moment it not possible to look at the whole firewall log with VyOS
diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst
index c3a821c2..884e7065 100644
--- a/docs/configuration/highavailability/index.rst
+++ b/docs/configuration/highavailability/index.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-30
+
.. _high-availability:
High availability
@@ -113,7 +115,7 @@ In the following example, when VLAN9 transitions, VLAN20 will also transition:
.. warning:: All items in a sync group should be similarly configured.
- If one VRRP group is set to a different premption delay or priority,
+ If one VRRP group is set to a different preemption delay or priority,
it would result in an endless transition loop.
@@ -157,7 +159,7 @@ rfc3768-compatibility
RFC 3768 defines a virtual MAC address to each VRRP virtual router.
This virtual router MAC address will be used as the source in all periodic VRRP
-messages sent by the active node. When the rfc3768-compatibilty option is set,
+messages sent by the active node. When the rfc3768-compatibility option is set,
a new VRRP interface is created, to which the MAC address and the virtual IP
address is automatically assigned.
diff --git a/docs/configuration/index.rst b/docs/configuration/index.rst
index bce013cb..0fe481da 100644
--- a/docs/configuration/index.rst
+++ b/docs/configuration/index.rst
@@ -8,6 +8,7 @@ The following structure respresent the cli structure.
:maxdepth: 1
:includehidden:
+ container/index
firewall/index
highavailability/index
interfaces/index
@@ -20,4 +21,4 @@ The following structure respresent the cli structure.
trafficpolicy/index
vpn/index
vrf/index
- zonepolicy/index \ No newline at end of file
+ zonepolicy/index
diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst
index d19ecb59..13203d15 100644
--- a/docs/configuration/interfaces/bonding.rst
+++ b/docs/configuration/interfaces/bonding.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-30
+
.. _bond-interface:
#######################
@@ -47,7 +49,7 @@ Bond options
the :cfgcmd:`hash-policy` option, documented below.
.. note:: Not all transmit policies may be 802.3ad compliant, particularly
- in regards to the packet mis-ordering requirements of section 43.2.4
+ in regards to the packet misordering requirements of section 43.2.4
of the 802.3ad standard.
* ``active-backup`` - Active-backup policy: Only one slave in the bond is
@@ -133,9 +135,9 @@ Bond options
This option only affects 802.3ad mode.
- The default value is 0. This will cause carrier to be asserted (for 802.3ad
- mode) whenever there is an active aggregator, regardless of the number of
- available links in that aggregator.
+ The default value is 0. This will cause the carrier to be asserted
+ (for 802.3ad mode) whenever there is an active aggregator,
+ regardless of the number of available links in that aggregator.
.. note:: Because an aggregator cannot be active without at least one
available link, setting this option to 0 or to 1 has the exact same
@@ -222,7 +224,7 @@ Bond options
This algorithm is not fully 802.3ad compliant. A single TCP or UDP
conversation containing both fragmented and unfragmented packets will see
packets striped across two interfaces. This may result in out of order
- delivery. Most traffic types will not meet this criteria, as TCP rarely
+ delivery. Most traffic types will not meet these criteria, as TCP rarely
fragments traffic, and most UDP traffic is not involved in extended
conversations. Other implementations of 802.3ad may or may not tolerate
this noncompliance.
@@ -267,7 +269,7 @@ Bond options
be given for ARP monitoring to function.
The maximum number of targets that can be specified is 16. The default value
- is no IP addresses.
+ is no IP address.
Offloading
----------
@@ -498,9 +500,9 @@ Lets assume the following topology:
!
.. note:: When using EVE-NG to lab this environment ensure you are using e1000
- as the desired driver for your VyOS network interfaces. When using the regular
- virtio network driver no LACP PDUs will be sent by VyOS thus the port-channel
- will never become active!
+ as the desired driver for your VyOS network interfaces. When using the
+ regular virtio network driver no LACP PDUs will be sent by VyOS thus the
+ port-channel will never become active!
*********
Operation
diff --git a/docs/configuration/interfaces/bridge.rst b/docs/configuration/interfaces/bridge.rst
index 7f49f9a8..2374da4d 100644
--- a/docs/configuration/interfaces/bridge.rst
+++ b/docs/configuration/interfaces/bridge.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-30
+
.. _bridge-interface:
######
@@ -48,7 +50,7 @@ Member Interfaces
and a cost, that is used to decide which is the shortest path to
forward a packet. The lowest cost path is always used unless the
other path is down. If you have multiple bridges and interfaces then
- you may need to adjust the priorities to achieve optimium
+ you may need to adjust the priorities to achieve optimum
performance.
@@ -71,7 +73,7 @@ Bridge Options
Bridge maximum aging `<time>` in seconds (default: 20).
- If a another bridge in the spanning tree does not send out a hello
+ If an another bridge in the spanning tree does not send out a hello
packet for a long period of time, it is assumed to be dead.
.. cfgcmd:: set interfaces bridge <interface> igmp querier
@@ -98,8 +100,8 @@ links providing fault tolerance if an active link fails.
Spanning Tree Protocol forwarding `<delay>` in seconds (default: 15).
- Forwarding delay time is the time spent in each of the Listening and
- Learning states before the Forwarding state is entered. This delay is
+ The forwarding delay time is the time spent in each of the listening and
+ learning states before the Forwarding state is entered. This delay is
so that when a new bridge comes onto a busy network it looks at some
traffic before participating.
@@ -183,7 +185,7 @@ Examples
Create a basic bridge
=====================
-Creating a bridge interface is very simple. In this example we will
+Creating a bridge interface is very simple. In this example, we will
have:
* A bridge named `br100`
diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst
index f5b72e0c..8440feca 100644
--- a/docs/configuration/interfaces/dummy.rst
+++ b/docs/configuration/interfaces/dummy.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-30
+
.. _dummy-interface:
#####
@@ -50,7 +52,7 @@ Operation
.. opcmd:: show interfaces dummy
- Show brief interface information.information
+ Show brief interface information.
.. code-block:: none
diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst
index 1d99019c..dcc9e529 100644
--- a/docs/configuration/interfaces/ethernet.rst
+++ b/docs/configuration/interfaces/ethernet.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-30
+
.. _ethernet-interface:
########
@@ -312,4 +314,3 @@ Operation
XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414
XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414
XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414
-
diff --git a/docs/configuration/interfaces/geneve.rst b/docs/configuration/interfaces/geneve.rst
index 9e00d621..b13e2ece 100644
--- a/docs/configuration/interfaces/geneve.rst
+++ b/docs/configuration/interfaces/geneve.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-30
+
.. _geneve-interface:
######
diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst
index 3c75f482..23792203 100644
--- a/docs/configuration/interfaces/index.rst
+++ b/docs/configuration/interfaces/index.rst
@@ -16,12 +16,12 @@ Interfaces
loopback
macsec
openvpn
+ wireguard
pppoe
pseudo-ethernet
tunnel
vti
vxlan
- wireguard
wireless
wwan
diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst
index 8fe905a1..ca0ce2c9 100644
--- a/docs/configuration/interfaces/l2tpv3.rst
+++ b/docs/configuration/interfaces/l2tpv3.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-30
+
.. include:: /_include/need_improvement.txt
.. _l2tpv3-interface:
@@ -9,7 +11,7 @@ L2TPv3
Layer 2 Tunnelling Protocol Version 3 is an IETF standard related to L2TP that
can be used as an alternative protocol to :ref:`mpls` for encapsulation of
multiprotocol Layer 2 communications traffic over IP networks. Like L2TP,
-L2TPv3 provides a pseudo-wire service, but scaled to fit carrier requirements.
+L2TPv3 provides a pseudo-wire service but is scaled to fit carrier requirements.
L2TPv3 can be regarded as being to MPLS what IP is to ATM: a simplified version
of the same concept, with much of the same benefit achieved at a fraction of the
@@ -49,13 +51,13 @@ L2TPv3 options
Set the IP address of the local interface to be used for the tunnel.
- This address must be the address of a local interface. May be specified as an
- IPv4 address or an IPv6 address.
+ This address must be the address of a local interface. It may be specified as
+ an IPv4 address or an IPv6 address.
.. cfgcmd:: set interfaces l2tpv3 <interface> remote <address>
- Set the IP address of the remote peer. May be specified as an IPv4 address or
- an IPv6 address.
+ Set the IP address of the remote peer. It may be specified as
+ an IPv4 address or an IPv6 address.
.. cfgcmd:: set interfaces l2tpv3 <interface> session-id <id>
@@ -65,7 +67,7 @@ L2TPv3 options
.. cfgcmd:: set interfaces l2tpv3 <interface> peer-session-id <id>
- Set the peer session id, which is a 32-bit integer value assigned to the
+ Set the peer-session-id, which is a 32-bit integer value assigned to the
session by the peer. The value used must match the session_id value being
used at the peer.
@@ -100,7 +102,7 @@ Over IP
tunnel-id 200
}
-Inverse configuration has to be applied to the remote side.
+The inverse configuration has to be applied to the remote side.
Over UDP
========
diff --git a/docs/configuration/interfaces/loopback.rst b/docs/configuration/interfaces/loopback.rst
index 4d0c8fb6..ec2976b6 100644
--- a/docs/configuration/interfaces/loopback.rst
+++ b/docs/configuration/interfaces/loopback.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-30
+
.. _loopback-interface:
########
@@ -53,7 +55,7 @@ Operation
.. opcmd:: show interfaces loopback lo
- Show detailed information on given loopback interface `lo`.
+ Show detailed information on the given loopback interface `lo`.
.. code-block:: none
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst
index 9a20c425..544bd4fc 100644
--- a/docs/configuration/interfaces/macsec.rst
+++ b/docs/configuration/interfaces/macsec.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-07-05
+
.. _macsec-interface:
######
@@ -40,7 +42,7 @@ MACsec options
.. cfgcmd:: set interfaces macsec <interface> source-interface <physical-source>
A physical interface is required to connect this MACsec instance to. Traffic
- leaving this interfac will now be authenticated/encrypted.
+ leaving this interface will now be authenticated/encrypted.
Key Management
--------------
@@ -50,7 +52,7 @@ individual peers.
.. cfgcmd:: set interfaces macsec <interface> security mka cak <key>
- IEEE 802.1X/MACsec pre-shared key mode. This allows to configure MACsec with
+ IEEE 802.1X/MACsec pre-shared key mode. This allows configuring MACsec with
a pre-shared key using a (CAK,CKN) pair.
.. cfgcmd:: set interfaces macsec <interface> security mka ckn <key>
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index a30a0b81..877b5d60 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-07-05
+
.. _openvpn:
#######
@@ -95,7 +97,7 @@ Remote Configuration:
set interfaces openvpn vtun1 remote-address '10.255.1.1'
The configurations above will default to using 256-bit AES in GCM mode
-for encryption (if both sides supports NCP) and SHA-1 for HMAC authentication.
+for encryption (if both sides support NCP) and SHA-1 for HMAC authentication.
SHA-1 is considered weak, but other hashing algorithms are available, as are
encryption algorithms:
@@ -120,7 +122,7 @@ OpenVPN version < 2.4.0.
aes256gcm AES algorithm with 256-bit key GCM
This sets the accepted ciphers to use when version => 2.4.0 and NCP is
-enabled (which is default). Default NCP cipher for versions >= 2.4.0 is
+enabled (which is the default). Default NCP cipher for versions >= 2.4.0 is
aes256gcm. The first cipher in this list is what server pushes to clients.
.. code-block:: none
@@ -168,7 +170,7 @@ Remote Configuration:
set protocols static route 10.0.0.0/16 interface vtun1
Firewall policy can also be applied to the tunnel interface for `local`, `in`,
-and `out` directions and function identically to ethernet interfaces.
+and `out` directions and functions identically to ethernet interfaces.
If making use of multiple tunnels, OpenVPN must have a way to distinguish
between different tunnels aside from the pre-shared-key. This is either by
@@ -358,7 +360,7 @@ updates
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
-The required config file may look like:
+The required config file may look like this:
.. code-block:: none
@@ -472,12 +474,12 @@ example:
Client
======
-VyOS can not only act as an OpenVPN site-to-site or Server for multiple clients.
+VyOS can not only act as an OpenVPN site-to-site or server for multiple clients.
You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client
connecting to a VyOS OpenVPN server or any other OpenVPN server.
Given the following example we have one VyOS router acting as OpenVPN server
-and another VyOS router acting as OpenVPN client. The Server also pushes a
+and another VyOS router acting as OpenVPN client. The server also pushes a
static client IP address to the OpenVPN client. Remember, clients are identified
using their CN attribute in the SSL certificate.
@@ -529,7 +531,7 @@ Client
Options
=======
-We do not have CLI nodes for every single OpenVPN options. If an option is
+We do not have CLI nodes for every single OpenVPN option. If an option is
missing, a feature request should be opened at Phabricator_ so all users can
benefit from it (see :ref:`issues_features`).
@@ -547,7 +549,7 @@ if you pass invalid options/syntax.
Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file.
-.. note:: Sometimes option lines in the generated OpenVPN configurarion require
+.. note:: Sometimes option lines in the generated OpenVPN configuration require
quotes. This is done through a hack on our config generator. You can pass
quotes using the ``&quot;`` statement.
@@ -583,11 +585,11 @@ The following commands let you reset OpenVPN.
.. opcmd:: reset openvpn client <text>
- Use this command to reset specified OpenVPN client.
+ Use this command to reset the specified OpenVPN client.
.. opcmd:: reset openvpn interface <interface>
- Uset this command to reset the OpenVPN process on a specific interface.
+ Use this command to reset the OpenVPN process on a specific interface.
diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst
index 64aca858..41f22ed6 100644
--- a/docs/configuration/interfaces/pppoe.rst
+++ b/docs/configuration/interfaces/pppoe.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-07-09
+
.. _pppoe-interface:
#####
@@ -19,7 +21,7 @@ Operating Modes
***************
VyOS supports setting up PPPoE in two different ways to a PPPoE internet
-connection. This is due to most ISPs provide a modem that is also a wireless
+connection. This is because most ISPs provide a modem that is also a wireless
router.
Home Users
@@ -45,7 +47,7 @@ your DSL Modem/Router switch into a Bridged Mode so it only acts as a DSL
Transceiver device to connect between the Ethernet link of your VyOS and the
phone cable. Once your DSL Transceiver is in Bridge Mode, you should get no
IP address from it. Please make sure you connect to the Ethernet Port 1 if
-your DSL Transeiver has a switch, as some of them only work this way.
+your DSL Transceiver has a switch, as some of them only work this way.
Once you have an Ethernet device connected, i.e. `eth0`, then you can
configure it to open the PPPoE session for you and your DSL Transceiver
@@ -101,7 +103,7 @@ PPPoE options
When set the interface is enabled for "dial-on-demand".
- Use this command to instruct the system to establish a PPPoE connections
+ Use this command to instruct the system to establish a PPPoE connection
automatically once traffic passes through the interface. A disabled on-demand
connection is established at boot time and remains up. If the link fails for
any reason, the link is brought back up immediately.
@@ -225,12 +227,12 @@ Connect/Disconnect
.. opcmd:: disconnect interface <interface>
Test disconnecting given connection-oriented interface. `<interface>` can be
- ``pppoe0`` as example.
+ ``pppoe0`` as the example.
.. opcmd:: connect interface <interface>
Test connecting given connection-oriented interface. `<interface>` can be
- ``pppoe0`` as example.
+ ``pppoe0`` as the example.
*******
Example
@@ -253,7 +255,7 @@ Requirements:
change the ``default-route`` option to ``force``. You could also install
a static route and set the ``default-route`` option to ``none``.
* With the ``name-server`` option set to ``none``, VyOS will ignore the
- nameservers your ISP sens you and thus you can fully rely on the ones you
+ nameservers your ISP sends you and thus you can fully rely on the ones you
have configured statically.
.. note:: Syntax has changed from VyOS 1.2 (crux) and it will be automatically
diff --git a/docs/configuration/interfaces/pseudo-ethernet.rst b/docs/configuration/interfaces/pseudo-ethernet.rst
index 06b7bd86..b2849772 100644
--- a/docs/configuration/interfaces/pseudo-ethernet.rst
+++ b/docs/configuration/interfaces/pseudo-ethernet.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-07-09
+
.. _pseudo-ethernet-interface:
#########################
@@ -36,7 +38,7 @@ Ethernet interfaces:
applies to:
- VMware machines using default settings
- Network switches with security settings allowing only a single MAC address
- - xDSL modems that try to lear the MAC address of the NIC
+ - xDSL modems that try to learn the MAC address of the NIC
*************
Configuration
diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst
index 7f7cd709..6a5fb171 100644
--- a/docs/configuration/interfaces/tunnel.rst
+++ b/docs/configuration/interfaces/tunnel.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-07-09
+
.. _tunnel-interface:
Tunnel
@@ -99,8 +101,8 @@ A full example of a Tunnelbroker.net config can be found at
Generic Routing Encapsulation (GRE)
-----------------------------------
-A GRE tunnel operates at layer 3 of the OSI model and is repsented by IP
-protocol 47.The main benefit of a GRE tunnel is that you are able to carry
+A GRE tunnel operates at layer 3 of the OSI model and is represented by IP
+protocol 47. The main benefit of a GRE tunnel is that you are able to carry
multiple protocols inside the same tunnel. GRE also supports multicast traffic
and supports routing protocols that leverage multicast to form neighbor
adjacencies.
@@ -112,12 +114,12 @@ over either IPv4 (gre) or IPv6 (ip6gre).
Configuration
^^^^^^^^^^^^^
-A basic configuration requires a tunnel source (source-address), a tunnel destination
-(remote), an encapsulation type (gre), and an address (ipv4/ipv6).Below is a
-basic IPv4 only configuration example taken from a VyOS router and a Cisco IOS
-router. The main difference between these two configurations is that VyOS
-requires you explicitly configure the encapsulation type. The Cisco router
-defaults to gre ip otherwise it would have to be configured as well.
+A basic configuration requires a tunnel source (source-address), a tunnel
+destination (remote), an encapsulation type (gre), and an address (ipv4/ipv6).
+Below is a basic IPv4 only configuration example taken from a VyOS router and
+a Cisco IOS router. The main difference between these two configurations is
+that VyOS requires you explicitly configure the encapsulation type. The Cisco
+router defaults to GRE IP otherwise it would have to be configured as well.
**VyOS Router:**
@@ -224,7 +226,7 @@ GRE is a well defined standard that is common in most networks. While not
inherently difficult to configure there are a couple of things to keep in mind
to make sure the configuration performs as expected. A common cause for GRE
tunnels to fail to come up correctly include ACL or Firewall configurations
-that are discarding IP protocol 47 or blocking your source/desintation traffic.
+that are discarding IP protocol 47 or blocking your source/destination traffic.
**1. Confirm IP connectivity between tunnel source-address and remote:**
diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst
index ca25d21e..9b2f42a1 100644
--- a/docs/configuration/interfaces/vxlan.rst
+++ b/docs/configuration/interfaces/vxlan.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-07-09
+
.. _vxlan-interface:
#####
@@ -12,8 +14,8 @@ encapsulate OSI layer 2 Ethernet frames within layer 4 UDP datagrams, using
endpoints, which terminate VXLAN tunnels and may be either virtual or physical
switch ports, are known as :abbr:`VTEPs (VXLAN tunnel endpoints)`.
-VXLAN is an evolution of efforts to standardize on an overlay encapsulation
-protocol. It increases scalability up to 16 million logical networks and
+VXLAN is an evolution of efforts to standardize an overlay encapsulation
+protocol. It increases the scalability up to 16 million logical networks and
allows for layer 2 adjacency across IP networks. Multicast or unicast with
head-end replication (HER) is used to flood broadcast, unknown unicast,
and multicast (BUM) traffic.
@@ -100,10 +102,10 @@ the same broadcast domain.
Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3
as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and
sends it to its designated multicast-address via Spine1. When Spine1 receives
-this packet it forwards it to all other Leafs who has joined the same
+this packet it forwards it to all other leaves who has joined the same
multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards
it, while at the same time learning that PC4 is reachable behind Leaf2, because
-the encapsulated packet had Leaf2's IP-address set as source IP.
+the encapsulated packet had Leaf2's IP address set as source IP.
PC5 receives the ping echo, responds with an echo reply that Leaf3 receives and
this time forwards to Leaf2's unicast address directly because it learned the
@@ -111,13 +113,13 @@ location of PC4 above. When Leaf2 receives the echo reply from PC5 it sees that
it came from Leaf3 and so remembers that PC5 is reachable via Leaf3.
Thanks to this discovery, any subsequent traffic between PC4 and PC5 will not
-be using the multicast-address between the Leafs as they both know behind which
+be using the multicast-address between the leaves as they both know behind which
Leaf the PCs are connected. This saves traffic as less multicast packets sent
-reduces the load on the network, which improves scalability when more Leafs are
+reduces the load on the network, which improves scalability when more leaves are
added.
-For optimal scalability Multicast shouldn't be used at all, but instead use BGP
-to signal all connected devices between leafs. Unfortunately, VyOS does not yet
+For optimal scalability, Multicast shouldn't be used at all, but instead use BGP
+to signal all connected devices between leaves. Unfortunately, VyOS does not yet
support this.
Example
@@ -164,9 +166,9 @@ Topology:
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
-Multicast-routing is required for the leafs to forward traffic between each
+Multicast-routing is required for the leaves to forward traffic between each
other in a more scalable way. This also requires PIM to be enabled towards the
-Leafs so that the Spine can learn what multicast groups each Leaf expect
+leaves so that the Spine can learn what multicast groups each Leaf expects
traffic from.
**Leaf2 configuration:**
@@ -228,7 +230,7 @@ descriptions are placed under the command boxes:
set interfaces bridge br241 address '172.16.241.1/24'
This commands creates a bridge that is used to bind traffic on eth1 vlan 241
-with the vxlan241-interface. The IP-address is not required. It may however be
+with the vxlan241-interface. The IP address is not required. It may however be
used as a default gateway for each Leaf which allows devices on the vlan to
reach other subnets. This requires that the subnets are redistributed by OSPF
so that the Spine will learn how to reach it. To do this you need to change the
@@ -247,8 +249,8 @@ interfaces of the same bridge.
set interfaces vxlan vxlan241 group '239.0.0.241'
-The multicast-group used by all Leafs for this vlan extension. Has to be the
-same on all Leafs that has this interface.
+The multicast-group used by all leaves for this vlan extension. Has to be the
+same on all leaves that has this interface.
.. code-block:: none
@@ -269,7 +271,7 @@ multicast-address.
set interfaces vxlan vxlan241 port 12345
The destination port used for creating a VXLAN interface in Linux defaults to
-its pre-standard value of 8472 to preserve backwards compatibility. A
+its pre-standard value of 8472 to preserve backward compatibility. A
configuration directive to support a user-specified destination port to override
that behavior is available using the above command.
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index ddfbe620..bb2418b1 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -1,7 +1,5 @@
.. _wireguard:
-.. include:: /_include/need_improvement.txt
-
#########
WireGuard
#########
@@ -10,10 +8,24 @@ WireGuard is an extremely simple yet fast and modern VPN that utilizes
state-of-the-art cryptography. See https://www.wireguard.com for more
information.
+****************
+Site to Site VPN
+****************
+
+This diagram corresponds with the example site to site configuration below.
+
+.. figure:: /_static/images/wireguard_site2site_diagram.jpg
+
*************
Configuration
*************
+
+
+********
+Keypairs
+********
+
WireGuard requires the generation of a keypair, which includes a private
key to decrypt incoming traffic, and a public key for peer(s) to encrypt
traffic.
@@ -55,8 +67,9 @@ own keypairs.
vyos@vyos:~$ generate wireguard named-keypairs KP02
+***********************
Interface configuration
-=======================
+***********************
The next step is to configure your local side as well as the policy
based trusted destination addresses. If you only initiate a connection,
@@ -71,18 +84,31 @@ you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The
public key below is always the public key from your peer, not your local
one.
-**local side**
+**local side - commands**
.. code-block:: none
- set interfaces wireguard wg01 address '10.1.0.1/24'
+ set interfaces wireguard wg01 address '10.1.0.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
- set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24'
- set interfaces wireguard wg01 peer to-wg02 address '192.168.0.142'
- set interfaces wireguard wg01 peer to-wg02 port '12345'
+ set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'
+ set interfaces wireguard wg01 peer to-wg02 address '<Site1 Pub IP>'
+ set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
- set interfaces wireguard wg01 port '12345'
- set protocols static route 10.2.0.0/24 interface wg01
+ set interfaces wireguard wg01 port '51820'
+ set protocols static route 192.168.2.0/24 interface wg01
+
+**local side - annotated commands**
+
+.. code-block:: none
+
+ set interfaces wireguard wg01 address '10.1.0.1/30' # Address of the wg01 tunnel interface.
+ set interfaces wireguard wg01 description 'VPN-to-wg02'
+ set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24' # Subnets that are allowed to travel over the tunnel
+ set interfaces wireguard wg01 peer to-wg02 address '<Site2 Pub IP>' # Public IP of the peer
+ set interfaces wireguard wg01 peer to-wg02 port '58120' # Port of the Peer
+ set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>' # Public Key of the Peer
+ set interfaces wireguard wg01 port '51820' # Port of own server
+ set protocols static route 192.168.2.0/24 interface wg01 # Static route to remote subnet
The last step is to define an interface route for 10.2.0.0/24 to get
through the WireGuard interface `wg01`. Multiple IPs or networks can be
@@ -90,7 +116,7 @@ defined and routed. The last check is allowed-ips which either prevents
or allows the traffic.
.. note:: You can not assign the same allowed-ips statement to multiple
- WireGuard peers. This a a design decission. For more information please
+ WireGuard peers. This a a design decision. For more information please
check the `WireGuard mailing list`_.
.. cfgcmd:: set interfaces wireguard <interface> private-key <name>
@@ -106,33 +132,70 @@ or allows the traffic.
public key, which needs to be shared with the peer.
-**remote side**
+**remote side - commands**
.. code-block:: none
- set interfaces wireguard wg01 address '10.2.0.1/24'
+ set interfaces wireguard wg01 address '10.1.0.2/30'
set interfaces wireguard wg01 description 'VPN-to-wg01'
- set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24'
- set interfaces wireguard wg01 peer to-wg02 address '192.168.0.124'
- set interfaces wireguard wg01 peer to-wg02 port '12345'
+ set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24'
+ set interfaces wireguard wg01 peer to-wg02 address '<Site1 Pub IP>'
+ set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='
- set interfaces wireguard wg01 port '12345'
- set protocols static route 10.1.0.0/24 interface wg01
+ set interfaces wireguard wg01 port '51820'
+ set protocols static route 192.168.1.0/24 interface wg01
+
+**remote side - annotated commands**
+
+.. code-block:: none
+
+ set interfaces wireguard wg01 address '10.1.0.2/30' # Address of the wg01 tunnel interface.
+ set interfaces wireguard wg01 description 'VPN-to-wg01'
+ set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24' # Subnets that are allowed to travel over the tunnel
+ set interfaces wireguard wg01 peer to-wg02 address 'Site1 Pub IP' # Public IP address of the Peer
+ set interfaces wireguard wg01 peer to-wg02 port '51820' # Port of the Peer
+ set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>' # Public key of the Peer
+ set interfaces wireguard wg01 port '51820' # Port of own server
+ set protocols static route 192.168.1.0/24 interface wg01 # Static route to remote subnet
+
+*******************
+Firewall Exceptions
+*******************
-Assure that your firewall rules allow the traffic, in which case you
-have a working VPN using WireGuard.
+For the WireGuard traffic to pass through the WAN interface, you must create a firewall exception.
.. code-block:: none
- wg01# ping 10.2.0.1
- PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
- 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms
- 64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms
+ set firewall name OUTSIDE_LOCAL rule 10 action accept
+ set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
+ set firewall name OUTSIDE_LOCAL rule 10 state established enable
+ set firewall name OUTSIDE_LOCAL rule 10 state related enable
+ set firewall name OUTSIDE_LOCAL rule 20 action accept
+ set firewall name OUTSIDE_LOCAL rule 20 description WireGuard_IN
+ set firewall name OUTSIDE_LOCAL rule 20 destination port 51820
+ set firewall name OUTSIDE_LOCAL rule 20 log enable
+ set firewall name OUTSIDE_LOCAL rule 20 protocol udp
+ set firewall name OUTSIDE_LOCAL rule 20 source
- wg02# ping 10.1.0.1
- PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
- 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms
- 64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms
+You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local).
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
+
+Assure that your firewall rules allow the traffic, in which case you have a working VPN using WireGuard.
+
+.. code-block:: none
+
+ wg01# ping 192.168.1.1
+ PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
+ 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.16 ms
+ 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.77 ms
+
+ wg02# ping 192.168.2.1
+ PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
+ 64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=4.40 ms
+ 64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=1.02 ms
An additional layer of symmetric-key crypto can be used on top of the
asymmetric crypto. This is optional.
@@ -151,8 +214,10 @@ its content. Make sure you distribute the key in a safe manner,
wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
-Road Warrior Example
---------------------
+
+***********************************
+Remote Access "RoadWarrior" Example
+***********************************
With WireGuard, a Road Warrior VPN config is similar to a site-to-site
VPN. It just lacks the ``address`` and ``port`` statements.
@@ -182,7 +247,7 @@ the peers. This allows the peers to interact with one another.
}
The following is the config for the iPhone peer above. It's important to
-note that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic
+note that the ``AllowedIPs`` wildcard setting directs all IPv4 and IPv6 traffic
through the connection.
.. code-block:: none
@@ -198,9 +263,9 @@ through the connection.
Endpoint = 192.0.2.1:2224
PersistentKeepalive = 25
-
-This MacBook peer is doing split-tunneling, where only the subnets local
-to the server go over the connection.
+However, split-tunneling can be achieved by specifing the remote subnets.
+This ensures that only traffic destined for the remote site is sent over the tunnel.
+All other traffic is unaffected.
.. code-block:: none
@@ -222,6 +287,25 @@ Operational Commands
Status
======
+.. opcmd:: show interfaces wireguard wg0 summary
+
+ Show info about the Wireguard service.
+ Also shows the latest handshake.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show interfaces wireguard wg0 summary
+ interface: wg0
+ public key:
+ private key: (hidden)
+ listening port: 51820
+
+ peer: <peer pubkey>
+ endpoint: <peer public IP>
+ allowed ips: 10.69.69.2/32
+ latest handshake: 23 hours, 45 minutes, 26 seconds ago
+ transfer: 1.26 MiB received, 6.47 MiB sent
+
.. opcmd:: show interfaces wireguard
Get a list of all wireguard interfaces
@@ -252,8 +336,9 @@ Status
TX: bytes packets errors dropped carrier collisions
0 0 0 0 0 0
+***************
Encryption Keys
-===============
+***************
.. opcmd:: show wireguard keypair pubkey <name>
@@ -284,15 +369,16 @@ Encryption Keys
vyos@vyos:~$ delete wireguard keypair default
-Mobile "RoadWarrior" clients
-============================
+***********************************
+Remote Access "RoadWarrior" clients
+***********************************
Some users tend to connect their mobile devices using WireGuard to their VyOS
router. To ease deployment one can generate a "per mobile" configuration from
the VyOS CLI.
.. warning:: From a security perspective it is not recommended to let a third
- party create the private key for a secured connection. You should create the
+ party create and share the private key for a secured connection. You should create the
private portion on your own and only hand out the public key. Please keep this
in mind when using this convenience feature.
diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst
index a6f64aa4..943e8241 100644
--- a/docs/configuration/service/dhcp-server.rst
+++ b/docs/configuration/service/dhcp-server.rst
@@ -574,6 +574,7 @@ be created. The following example explains the process.
**Example:**
* IPv6 address ``2001:db8::101`` shall be statically mapped
+* IPv6 prefix ``2001:db8:0:101::/64`` shall be statically mapped
* Host specific mapping shall be named ``client1``
.. hint:: The identifier is the device's DUID: colon-separated hex list (as
@@ -585,6 +586,7 @@ be created. The following example explains the process.
.. code-block:: none
set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-address 2001:db8::101
+ set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-prefix 2001:db8:0:101::/64
set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff
The configuration will look as follows:
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index 6b09d40d..40ec62f5 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -156,3 +156,33 @@ Operation
Two new files ``/config/auth/id_rsa_rpki`` and
``/config/auth/id_rsa_rpki.pub``
will be created.
+
+.. opcmd:: generate public-key-commands name <username> path <location>
+
+ Generate the configuration mode commands to add a public key for
+ :ref:`ssh_key_based_authentication`.
+ ``<location>`` can be a local path or a URL pointing at a remote file.
+
+ Supported remote protocols are FTP, HTTP, HTTPS, SCP/SFTP and TFTP.
+
+ Example:
+
+ .. code-block:: none
+
+ alyssa@vyos:~$ generate public-key-commands name alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub
+ # To add this key as an embedded key, run the following commands:
+ configure
+ set system login user alyssa authentication public-keys alyssa@example.net key AAA...
+ set system login user alyssa authentication public-keys alyssa@example.net type ssh-rsa
+ commit
+ save
+ exit
+
+ ben@vyos:~$ generate public-key-command user ben path ~/.ssh/id_rsa.pub
+ # To add this key as an embedded key, run the following commands:
+ configure
+ set system login user ben authentication public-keys ben@vyos key AAA...
+ set system login user ben authentication public-keys ben@vyos type ssh-dss
+ commit
+ save
+ exit
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst
index 0492f4d1..09b6e68b 100644
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@@ -76,6 +76,10 @@ The third part is simply an identifier, and is for your own reference.
.. cfgcmd:: loadkey <username> <location>
+ **Deprecation notice:** ``loadkey`` has been deprecated in favour of
+ :opcmd:`generate public-key-commands` and will be removed in a future
+ version. See :ref:`ssh`.
+
SSH keys can not only be specified on the command-line but also loaded for
a given user with `<username>` from a file pointed to by `<location>.` Keys
can be either loaded from local filesystem or any given remote location
diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst
index abaca198..3cd9e50d 100644
--- a/docs/configuration/vpn/index.rst
+++ b/docs/configuration/vpn/index.rst
@@ -15,7 +15,6 @@ VPN
sstp
-
pages to sort
.. toctree::
@@ -23,4 +22,4 @@ pages to sort
:includehidden:
dmvpn
- site2site_ipsec \ No newline at end of file
+ site2site_ipsec
diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst
index a65f0073..23bc5422 100644
--- a/docs/configuration/vrf/index.rst
+++ b/docs/configuration/vrf/index.rst
@@ -183,9 +183,133 @@ For VRF maintenance the following operational commands are in place.
.. opcmd:: traceroute vrf <name> [ipv4 | ipv6] <host>
Displays the route packets taken to a network host utilizing VRF instance
- identified by `<name>`. When using the IPv4 or IPv6 option, displays the
+ identified by `<name>`. When using the IPv4 or IPv6 option, displays the
route packets taken to the given hosts IP address family. This option is
useful when the host is specified as a hostname rather than an IP address.
+Example
+=======
+
+VRF route leaking
+-----------------
+
+The following example topology was build using EVE-NG.
+
+.. figure:: /_static/images/vrf-example-topology-01.png
+ :alt: VRF topology example
+
+ VRF route leaking
+
+* PC1 is in the ``default`` VRF and acting as e.g. a "fileserver"
+* PC2 is in VRF ``blue`` which is the development department
+* PC3 and PC4 are connected to a bridge device on router ``R1`` which is in VRF
+ ``red``. Say this is the HR department.
+* R1 is managed through an out-of-band network that resides in VRF ``mgmt``
+
+Configuration
+^^^^^^^^^^^^^
+
+ .. code-block:: none
+
+ set interfaces bridge br10 address '10.30.0.254/24'
+ set interfaces bridge br10 member interface eth3
+ set interfaces bridge br10 member interface eth4
+ set interfaces bridge br10 vrf 'red'
+
+ set interfaces ethernet eth0 address 'dhcp'
+ set interfaces ethernet eth0 vrf 'mgmt'
+ set interfaces ethernet eth1 address '10.0.0.254/24'
+ set interfaces ethernet eth2 address '10.20.0.254/24'
+ set interfaces ethernet eth2 vrf 'blue'
+
+ set protocols static route 10.20.0.0/24 interface eth2 vrf 'blue'
+ set protocols static route 10.30.0.0/24 interface br10 vrf 'red'
+
+ set service ssh disable-host-validation
+ set service ssh vrf 'mgmt'
+
+ set system name-servers-dhcp 'eth0'
+
+ set vrf name blue protocols static route 10.0.0.0/24 interface eth1 vrf 'default'
+ set vrf name blue table '3000'
+ set vrf name mgmt table '1000'
+ set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default'
+ set vrf name red table '2000'
+
+Operation
+^^^^^^^^^
+
+After committing the configuration we can verify all leaked routes are installed,
+and try to ICMP ping PC1 from PC3.
+
+ .. code-block:: none
+
+ PCS> ping 10.0.0.1
+
+ 84 bytes from 10.0.0.1 icmp_seq=1 ttl=63 time=1.943 ms
+ 84 bytes from 10.0.0.1 icmp_seq=2 ttl=63 time=1.618 ms
+ 84 bytes from 10.0.0.1 icmp_seq=3 ttl=63 time=1.745 ms
+
+ .. code-block:: none
+
+ VPCS> show ip
+
+ NAME : VPCS[1]
+ IP/MASK : 10.30.0.1/24
+ GATEWAY : 10.30.0.254
+ DNS :
+ MAC : 00:50:79:66:68:0f
+
+VRF default routing table
+"""""""""""""""""""""""""
+
+ .. code-block:: none
+
+ vyos@R1:~$ show ip route
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
+ F - PBR, f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+
+ C>* 10.0.0.0/24 is directly connected, eth1, 00:07:44
+ S>* 10.20.0.0/24 [1/0] is directly connected, eth2 (vrf blue), weight 1, 00:07:38
+ S>* 10.30.0.0/24 [1/0] is directly connected, br10 (vrf red), weight 1, 00:07:38
+
+VRF red routing table
+"""""""""""""""""""""
+
+ .. code-block:: none
+
+ vyos@R1:~$ show ip route vrf red
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
+ F - PBR, f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+
+ VRF red:
+ K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 00:07:57
+ S>* 10.0.0.0/24 [1/0] is directly connected, eth1 (vrf default), weight 1, 00:07:40
+ C>* 10.30.0.0/24 is directly connected, br10, 00:07:54
+
+VRF blue routing table
+""""""""""""""""""""""
+
+ .. code-block:: none
+
+ vyos@R1:~$ show ip route vrf blue
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
+ F - PBR, f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+
+ VRF blue:
+ K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 00:08:00
+ S>* 10.0.0.0/24 [1/0] is directly connected, eth1 (vrf default), weight 1, 00:07:44
+ C>* 10.20.0.0/24 is directly connected, eth2, 00:07:53
+
+
.. include:: /_include/common-references.txt
diff --git a/docs/documentation.rst b/docs/documentation.rst
index e0d73155..6053acde 100644
--- a/docs/documentation.rst
+++ b/docs/documentation.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-25
+
.. _documentation:
#############
@@ -5,7 +7,7 @@ Documentation
#############
We encourage every VyOS user to help us improve our documentation as we have
-a deficit like most software projects. This not only be helps you when reading,
+a deficit like most software projects. This not only helps you when reading
but also everyone else.
If you are willing to contribute to our documentation this is the definite
@@ -18,7 +20,7 @@ guide how to do so.
Forking Workflow
================
-The Forking Workflow is fundamentally different than other popular Git
+The Forking Workflow is fundamentally different from other popular Git
workflows. Instead of using a single server-side repository to act as the
"central" codebase, it gives every developer their own server-side repository.
This means that each contributor has not one, but two Git repositories: a
@@ -42,7 +44,7 @@ access to the official codebase.
* Install the requirements ``$ pip install -r requirements.txt``
(or something similar)
-* Create new branch for your work, use a descriptive name of your work:
+* Create a new branch for your work, use a descriptive name of your work:
``$ git checkout -b <branch-name>``
* Make all your changes - please keep our commit rules in mind
@@ -54,7 +56,7 @@ access to the official codebase.
* Check your changes by locally building the documentation ``$ make html``.
Sphinx will build the html files in the ``docs/_build`` folder. We provide
- you with a Docker container for an easy to use user experience. Check the
+ you with a Docker container for an easy-to-use user experience. Check the
README.md_ file of this repository.
* View modified files by calling ``$ git status``. You will get an overview of
@@ -67,7 +69,7 @@ access to the official codebase.
* Commit your changes with the message, ``$ git commit -m "<commit message>"``
or use ``$ git commit -v`` to have your configured editor launched. You can
- type in a commit message. Again please make yourself comfortable with out
+ type in a commit message. Again please make yourself comfortable without
rules (:ref:`prepare_commit`).
* Push commits to your GitHub project: ``$ git push -u origin <branch-name>``
@@ -76,7 +78,7 @@ access to the official codebase.
see a banner suggesting to make a pull request. Fill out the form and
describe what you do.
-* Once pull resquests have been approved, you may want to locally update
+* Once pull requests have been approved, you may want to locally update
your forked repository too. First you'll have to add a second remote
called `upstream` which points to our main repository. ``$ git remote add
upstream https://github.com/vyos/vyos-documentation.git``
@@ -141,7 +143,7 @@ Cross-References
^^^^^^^^^^^^^^^^
A plugin will be used to generate a reference label for each headline.
-to reference a page or a section in the documentation use the
+To reference a page or a section in the documentation use the
``:ref:`` command.
For example, you want to reference the headline **VLAN** in the
@@ -150,7 +152,7 @@ the headline and the file path.
``:ref:`configuration/interfaces/ethernet:vlan``
-to use a alternative Hyperlink use it this way:
+to use an alternative hyperlink use it this way:
``:ref:`Check out VLAN<configuration/interfaces/ethernet:vlan>``
@@ -158,10 +160,10 @@ handle build errors
"""""""""""""""""""
The plugin will warn on build if a headline has a duplicate name in the
-same document. To prevent this warning you have to put a custom link on
+same document. To prevent this warning, you have to put a custom link on
top of the headline.
-.. code-block::
+.. code-block:: none
Section A
==========
@@ -186,10 +188,6 @@ top of the headline.
Lorem ipsum dolor sit amet, consetetur sadipscing elitr
-
-
-
-
Address space
^^^^^^^^^^^^^
@@ -221,10 +219,10 @@ renders the same line format from the source rst file.
Autolinter
^^^^^^^^^^
-Each GitHub Pull request is automatically linted to check the Address space and
+Each GitHub pull request is automatically linted to check the address space and
line length.
-Sometimes it is necessary to provide real IP Addresses like in the
+Sometimes it is necessary to provide real IP addresses like in the
:ref:`examples`. For this, please use the sphinx comment syntax
``.. stop_vyoslinter`` to stop the linter and ``.. start_vyoslinter`` to start.
@@ -242,19 +240,19 @@ cfgcmd
When documenting CLI commands, use the ``.. cfgcmd::`` directive
for all configuration mode commands. An explanation of the described command
should be added below this statement.
-Replace all variable contents with <value> or somthing similar.
+Replace all variable contents with <value> or something similar.
-With those custom commands it will be possible to render them in a more
+With those custom commands, it will be possible to render them in a more
descriptive way in the resulting HTML/PDF manual.
.. code-block:: none
.. cfgcmd:: protocols static arp <ipaddress> hwaddr <macaddress>
- This will configure a static ARP entry always resolving `192.0.2.100` to
+ This will configure a static ARP entry, always resolving `192.0.2.100` to
`00:53:27:de:23:aa`.
-For a inline configuration level command, use ``:cfgcmd:``
+For an inline configuration level command, use ``:cfgcmd:``
.. code-block:: none
@@ -275,7 +273,7 @@ descriptive way in the resulting HTML/PDF manual.
Display all known ARP table entries spanning across all interfaces
-For a inline operational level command, use ``:opcmd:``
+For an inline operational level command, use ``:opcmd:``
.. code-block:: none
@@ -284,8 +282,8 @@ For a inline operational level command, use ``:opcmd:``
cmdinclude
""""""""""
-To minimize redundancy, there is a special include directive. It include a txt
-file and replace the ``{{ var0 }}`` - ``{{ var9 }}`` with the correct value
+To minimize redundancy, there is a special include directive. It includes a txt
+file and replace the ``{{ var0 }}`` - ``{{ var9 }}`` with the correct value.
.. code-block:: none
@@ -348,44 +346,44 @@ All RST files must follow the same TOC Level syntax and have to start with
Configuration mode pages
^^^^^^^^^^^^^^^^^^^^^^^^
-A configuration mode folder and article covers a specific level of a command.
-The exact level depends on the command. This should provide stability for URLs
-used in the forum or blogpost.
+The configuration mode folder and the articles cover the specific level of
+the commands. The exact level depends on the command. This should provide
+stability for URLs used in the forum or blogpost.
For example:
* ``set zone-policy`` is written in ``zone-policy/index.rst``
* ``set interfaces ethernet`` is written in ``interfaces/ethernet.rst``
-The article starts with a short intruducing about the command or the
-technologie. Please include some helpfull links or background informations.
+The article starts with a short introduction about the command or the
+technology. Please include some helpful links or background information.
An optional section follows. Some commands have requirements like compatible
hardware (e.g. Wifi) or some commands you have to set before. For
-example, it is recommended to set a route-map before configure BGP.
+example, it is recommended to set a route-map before configuring BGP.
-In the configuration part of the page, all possible confiuration options
+In the configuration part of the page, all possible configuration options
should be documented. Use ``.. cfgcmd::`` described above.
-Related Operation command must be documented in the next part of the article.
+Related operation command must be documented in the next part of the article.
Use ``::opcmd..`` for these commands.
-If there some troubleshooting guides releated to the commands. Explain it in the
+If there some troubleshooting guides related to the commands. Explain it in the
next optional part.
Operation mode pages
^^^^^^^^^^^^^^^^^^^^
-Operation mode commands that does not fit in a related configuraton mode command
+Operation mode commands that do not fit in a related configuration mode command
must be documented in this part of the documentation.
-General concepts for troubleshooting, and detailed process descriptions belong
+General concepts for troubleshooting and detailed process descriptions belong
here.
Anything else
^^^^^^^^^^^^^
-Anything else that is not a configuration or an operation command have no
+Anything else that is not a configuration or an operation command has no
predefined structure.
diff --git a/docs/installation/install.rst b/docs/installation/install.rst
index 0af61ea4..7b96511a 100644
--- a/docs/installation/install.rst
+++ b/docs/installation/install.rst
@@ -35,7 +35,7 @@ Building from source
----------------------
Non-subscribers can always get the LTS release by building it from source.
-Instruction can be found in the :ref:`build` section of this manual. VyOS
+Instructions can be found in the :ref:`build` section of this manual. VyOS
source code repository is available for everyone at
https://github.com/vyos/vyos-build.
@@ -58,7 +58,7 @@ https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
Download Verification
---------------------
-LTS images are signed by VyOS lead package-maintainer private key. With
+LTS images are signed by the VyOS lead package-maintainer private key. With
the official public key, the authenticity of the package can be
verified. :abbr:`GPG (GNU Privacy Guard)` is used for verification.
@@ -190,7 +190,7 @@ it in your hard drive. **With your downloaded VyOS .iso file you can
create a bootable USB drive that will let you boot into a fully
functional VyOS system**. Once you have tested it, you can either decide
to begin a :ref:`permanent_installation` in your hard drive or power
-your system off, remove the USB drive, and leave everythng as it was.
+your system off, remove the USB drive, and leave everything as it was.
If you have a GNU+Linux system, you can create your VyOS bootable USB
diff --git a/docs/operation/information.rst b/docs/operation/information.rst
index 8b5b54f5..ad235210 100644
--- a/docs/operation/information.rst
+++ b/docs/operation/information.rst
@@ -96,3 +96,60 @@ For additional details you can refer to https://phabricator.vyos.net/T2490.
usb0b2.4p1.1 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.4p1.2 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.4p1.3 Quad_RS232-HS Future Technology Devices International, Ltd
+
+.. _information_version:
+
+########
+Version
+########
+
+.. opcmd:: show version
+
+ Return the current running VyOS version and build information. This includes
+ also the name of the release train which is ``crux`` on VyOS 1.2, ``equuleus``
+ on VyOS 1.3 and ``sagitta`` on VyOS 1.4.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show version
+
+ Version: VyOS 1.4-rolling-202106270801
+ Release Train: sagitta
+
+ Built by: autobuild@vyos.net
+ Built on: Sun 27 Jun 2021 09:50 UTC
+ Build UUID: ab43e735-edcb-405a-9f51-f16a1b104e52
+ Build Commit ID: f544d75eab758f
+
+ Architecture: x86_64
+ Boot via: installed image
+ System type: KVM guest
+
+ Hardware vendor: QEMU
+ Hardware model: Standard PC (i440FX + PIIX, 1996)
+ Hardware S/N:
+ Hardware UUID: Unknown
+
+ Copyright: VyOS maintainers and contributors
+
+.. opcmd:: show version kernel
+
+ Return version number of the Linux Kernel used in this release.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show version kernel
+ 5.10.46-amd64-vyos
+
+.. opcmd:: show version frr
+
+ Return version number of FRR (Free Range Routing - https://frrouting.org/)
+ used in this release. This is the routing control plane and a successor to GNU
+ Zebra and Quagga.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show version frr
+ FRRouting 7.5.1-20210625-00-gf07d935a2 (vyos).
+ Copyright 1996-2005 Kunihiro Ishiguro, et al.
+
diff --git a/docs/troubleshooting/index.rst b/docs/troubleshooting/index.rst
index 1013dba6..902acf3a 100644
--- a/docs/troubleshooting/index.rst
+++ b/docs/troubleshooting/index.rst
@@ -36,6 +36,7 @@ section and are omitted from the output here):
bypass-route
count
deadline
+ do-not-fragment
flood
interface
interval