Diffstat (limited to 'docs')
-rw-r--r--docs/configexamples/firewall.rst3
-rw-r--r--docs/configexamples/fwall-and-bridge.rst497
-rw-r--r--docs/configuration/firewall/bridge.rst60
-rw-r--r--docs/configuration/interfaces/macsec.rst48
-rw-r--r--docs/configuration/interfaces/wireless.rst229
-rw-r--r--docs/configuration/nat/nat66.rst12
-rw-r--r--docs/configuration/protocols/index.rst1
-rw-r--r--docs/configuration/protocols/openfabric.rst237
-rw-r--r--docs/configuration/system/option.rst24
-rw-r--r--docs/configuration/system/syslog.rst22
10 files changed, 1115 insertions, 18 deletions
diff --git a/docs/configexamples/firewall.rst b/docs/configexamples/firewall.rst
index e0a4ca55..a1ad7e19 100644
--- a/docs/configexamples/firewall.rst
+++ b/docs/configexamples/firewall.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2024-06-14
+:lastproofread: 2024-09-11
Firewall Examples
=================
@@ -9,4 +9,5 @@ This section contains examples of firewall configurations for various deployment
:maxdepth: 2
fwall-and-vrf
+ fwall-and-bridge
zone-policy
diff --git a/docs/configexamples/fwall-and-bridge.rst b/docs/configexamples/fwall-and-bridge.rst
new file mode 100644
index 00000000..32c53fa5
--- /dev/null
+++ b/docs/configexamples/fwall-and-bridge.rst
@@ -0,0 +1,497 @@
+:lastproofread: 2024-09-11
+
+Bridge and firewall example
+---------------------------
+
+Scenario and requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This example shows how to configure a VyOS router with bridge interfaces and
+firewall rules.
+
+Three non VLAN-aware bridges are going to be configured, and each one has its
+own requirements.
+
+* Bridge br0:
+ * Isolated layer 2 bridge.
+ * Accept only IPv6 communication whithin the bridge.
+
+* Bridge br1:
+ * Drop all DHCP discover packets.
+ * Accept all ARP packets.
+ * Within the bridge, accept only new IPv4 connections from host 10.1.1.102
+ * Drop all other IPv4 connections.
+ * Drop all IPv6 connections.
+ * Accept access to router itself.
+ * Allow connections to internet
+ * Drop connections to other LANs.
+
+* Bridge br2:
+ * Accept all DHCP discover packets.
+ * Accept only DHCP offers from valid server and|or trusted bridge port.
+ * Accept all ARP packets.
+ * Accept all IPv4 connections.
+ * Drop all IPv6 connections.
+ * Deny access to the router.
+ * Allow connections to internet.
+ * Allow connections to bridge br1.
+
+Configuration
+^^^^^^^^^^^^^
+
+Bridges and interfaces configuration
+""""""""""""""""""""""""""""""""""""
+
+First, we need to configure the interfaces and bridges:
+
+.. code-block:: none
+
+ # Brige br0
+ set interfaces bridge br0 description 'Isolated L2 bridge'
+ set interfaces bridge br0 member interface eth1
+ set interfaces bridge br0 member interface eth2
+ set interfaces ethernet eth1 description 'br0'
+ set interfaces ethernet eth2 description 'br0'
+
+ # Bridge br1:
+ set interfaces bridge br1 address '10.1.1.1/24'
+ set interfaces bridge br1 description 'L3 bridge br1'
+ set interfaces bridge br1 member interface eth3
+ set interfaces bridge br1 member interface eth4
+ set interfaces ethernet eth3 description 'br1'
+ set interfaces ethernet eth4 description 'br1'
+
+ # Bridge br2:
+ set interfaces bridge br2 address '10.2.2.1/24'
+ set interfaces bridge br2 description 'L3 bridge br2'
+ set interfaces bridge br2 member interface eth5
+ set interfaces bridge br2 member interface eth6
+ set interfaces bridge br2 member interface eth7
+ set interfaces ethernet eth5 description 'br2 - Host'
+ set interfaces ethernet eth6 description 'br2 - Trusted DHCP Server'
+ set interfaces ethernet eth7 description 'br2'
+
+Bridge firewall configuration
+"""""""""""""""""""""""""""""
+
+In this section, we are going to configure the firewall rules that will be used
+in bridge firewall, and will control the traffic within each bridge.
+
+We are going to use custom firewall rulesets, one for each bridge that will
+be used in ``prerouting``, and one for each bridge that will be used in the
+``forward`` chain.
+
+Also, we are going to use firewall interface groups in order to simplify the
+firewall configuration.
+
+So first, let's create the required firewall interface groups:
+
+.. code-block:: none
+
+ # Bridge br0 interface-group:
+ set firewall group interface-group br0-ifaces interface 'br0'
+ set firewall group interface-group br0-ifaces interface 'eth1'
+ set firewall group interface-group br0-ifaces interface 'eth2'
+
+ # Bridge br1 interface-group:
+ set firewall group interface-group br1-ifaces interface 'br1'
+ set firewall group interface-group br1-ifaces interface 'eth3'
+ set firewall group interface-group br1-ifaces interface 'eth4'
+
+ # Bridge br2 interface-group:
+ set firewall group interface-group br2-ifaces interface 'br2'
+ set firewall group interface-group br2-ifaces interface 'eth5'
+ set firewall group interface-group br2-ifaces interface 'eth6'
+ set firewall group interface-group br2-ifaces interface 'eth7'
+
+As said before, we are going to create custom firewall rulesets for each
+bridge, that will be used in the ``prerouting`` chain, in order to drop as much
+unwanted traffic as early as possible. So, custom rulesets used in
+``prerouting`` chain are going to be ``br0-pre``, ``br1-pre``, and ``br2-pre``:
+
+.. code-block:: none
+
+ # Prerouting - Catch all traffic for br0
+ set firewall bridge prerouting filter rule 10 action 'jump'
+ set firewall bridge prerouting filter rule 10 description 'br0 traffic'
+ set firewall bridge prerouting filter rule 10 inbound-interface group 'br0-ifaces'
+ set firewall bridge prerouting filter rule 10 jump-target 'br0-pre'
+
+ # Prerouting - Catch all traffic for br1
+ set firewall bridge prerouting filter rule 20 action 'jump'
+ set firewall bridge prerouting filter rule 20 description 'br1 traffic'
+ set firewall bridge prerouting filter rule 20 inbound-interface group 'br1-ifaces'
+ set firewall bridge prerouting filter rule 20 jump-target 'br1-pre'
+
+ # Prerouting - Catch all traffic for br2
+ set firewall bridge prerouting filter rule 30 action 'jump'
+ set firewall bridge prerouting filter rule 30 description 'br2 traffic'
+ set firewall bridge prerouting filter rule 30 inbound-interface group 'br2-ifaces'
+ set firewall bridge prerouting filter rule 30 jump-target 'br2-pre'
+
+And then create the custom rulesets:
+
+.. code-block:: none
+
+ ### br0 - br0-pre
+ # Requirements: accept only IPv6 communication within the bridge
+ set firewall bridge name br0-pre rule 10 description 'Accept IPv6 traffic'
+ set firewall bridge name br0-pre rule 10 action 'accept'
+ set firewall bridge name br0-pre rule 10 ethernet-type 'ipv6'
+ # And drop everything else
+ set firewall bridge name br0-pre default-action 'drop'
+
+ ### br1 - br1-pre
+ # Requirements: drop all DHCP discover packets
+ set firewall bridge name br1-pre rule 10 description 'Drop DHCP discover'
+ set firewall bridge name br1-pre rule 10 action 'drop'
+ set firewall bridge name br1-pre rule 10 protocol 'udp'
+ set firewall bridge name br1-pre rule 10 source port '68'
+ set firewall bridge name br1-pre rule 10 destination port '67'
+ set firewall bridge name br1-pre rule 10 destination mac-address 'ff:ff:ff:ff:ff:ff'
+ set firewall bridge name br1-pre rule 10 log
+ # Requirement: drop all IPv6 connections
+ set firewall bridge name br1-pre rule 20 description 'Drop IPv6 traffic'
+ set firewall bridge name br1-pre rule 20 action 'drop'
+ set firewall bridge name br1-pre rule 20 ethernet-type 'ipv6'
+ # Accept everything else so it can be parsed later
+ set firewall bridge name br1-pre default-action 'accept'
+
+ ### br2 - br2-pre
+ # Requirements: drop all IPv6 connections
+ set firewall bridge name br2-pre rule 10 description 'Drop IPv6 traffic'
+ set firewall bridge name br2-pre rule 10 action 'drop'
+ set firewall bridge name br2-pre rule 10 ethernet-type 'ipv6'
+ # Accept everything else so it can be parsed later
+ set firewall bridge name br2-pre default-action 'accept'
+
+Now, in the ``forward`` chain, we are going to define state policies, and
+custom rulesets for each bridge that would be used in the ``forward`` chain.
+These rulesets are ``br0-fwd``, ``br1-fwd``, and ``br2-fwd``:
+
+.. code-block:: none
+
+ # Forward - State policies if not defined globally
+ set firewall bridge forward filter rule 5 action 'accept'
+ set firewall bridge forward filter rule 5 state 'established'
+ set firewall bridge forward filter rule 5 state 'related'
+ set firewall bridge forward filter rule 10 action 'drop'
+ set firewall bridge forward filter rule 10 state 'invalid'
+
+ # Forward - Catch all traffic for br0
+ set firewall bridge forward filter rule 110 description 'br0 traffic'
+ set firewall bridge forward filter rule 110 action 'jump'
+ set firewall bridge forward filter rule 110 inbound-interface group 'br0-ifaces'
+ set firewall bridge forward filter rule 110 jump-target 'br0-fwd'
+
+ # Forward - Catch all traffic for br1
+ set firewall bridge forward filter rule 120 description 'br1 traffic'
+ set firewall bridge forward filter rule 120 action 'jump'
+ set firewall bridge forward filter rule 120 inbound-interface group 'br1-ifaces'
+ set firewall bridge forward filter rule 120 jump-target 'br1-fwd'
+
+ # Forward - Catch all traffic for br2
+ set firewall bridge forward filter rule 130 description 'br2 traffic'
+ set firewall bridge forward filter rule 130 action 'jump'
+ set firewall bridge forward filter rule 130 inbound-interface group 'br2-ifaces'
+ set firewall bridge forward filter rule 130 jump-target 'br2-fwd'
+
+ # Forward - Default action drop:
+ set firewall bridge forward filter default-action 'drop'
+
+And the content of the custom rulesets:
+
+.. code-block:: none
+
+ ### br0 - br0-fwd
+ # Accept everything that wasn't dropped in prerouting
+ set firewall bridge name br0-fwd default-action 'accept'
+
+ ### br1 - br1-fwd
+ # Requirement: Accept all ARP packets
+ set firewall bridge name br1-fwd rule 10 description 'Accept ARP'
+ set firewall bridge name br1-fwd rule 10 action 'accept'
+ set firewall bridge name br1-fwd rule 10 ethernet-type 'arp'
+ # Requirement: Accept only new IPv4 connections from host 10.1.1.102
+ set firewall bridge name br1-fwd rule 20 description 'Accept ipv4 from host'
+ set firewall bridge name br1-fwd rule 20 action 'accept'
+ set firewall bridge name br1-fwd rule 20 source address '10.1.1.102'
+ set firewall bridge name br1-fwd rule 20 state 'new'
+ # Drop everythin else within the bridge:
+ set firewall bridge name br1-fwd default-action 'drop'
+
+ ### br2 - br2-fwd
+ # Requirement: Accept all DHCP discover packets
+ set firewall bridge name br2-fwd rule 10 description 'Accept DHCP discover'
+ set firewall bridge name br2-fwd rule 10 action 'accept'
+ set firewall bridge name br2-fwd rule 10 protocol 'udp'
+ set firewall bridge name br2-fwd rule 10 source port '68'
+ set firewall bridge name br2-fwd rule 10 destination port '67'
+ set firewall bridge name br2-fwd rule 10 destination mac-address 'ff:ff:ff:ff:ff:ff'
+ # Requirement: Accept only DHCP offers from valid server on port eth6
+ set firewall bridge name br2-fwd rule 20 description 'Accept DHCP offers from trusted interface'
+ set firewall bridge name br2-fwd rule 20 action 'accept'
+ set firewall bridge name br2-fwd rule 20 protocol 'udp'
+ set firewall bridge name br2-fwd rule 20 source port '67'
+ set firewall bridge name br2-fwd rule 20 destination port '68'
+ set firewall bridge name br2-fwd rule 20 inbound-interface name 'eth6'
+ set firewall bridge name br2-fwd rule 22 description 'Drop all other DHCP offers'
+ set firewall bridge name br2-fwd rule 22 action 'drop'
+ set firewall bridge name br2-fwd rule 22 protocol 'udp'
+ set firewall bridge name br2-fwd rule 22 source port '67'
+ set firewall bridge name br2-fwd rule 22 destination port '68'
+ set firewall bridge name br2-fwd rule 22 log
+
+ # Accept all ARP packets
+ set firewall bridge name br2-fwd rule 30 description 'Accept ARP'
+ set firewall bridge name br2-fwd rule 30 action 'accept'
+ set firewall bridge name br2-fwd rule 30 ethernet-type 'arp'
+ # Accept all IPv4 connections
+ set firewall bridge name br2-fwd rule 40 description 'Accept ipv4'
+ set firewall bridge name br2-fwd rule 40 action 'accept'
+ set firewall bridge name br2-fwd rule 40 ethernet-type 'ipv4'
+ # Drop everything else
+ set firewall bridge name br2-fwd default-action 'drop'
+
+
+IP firewall configuration
+"""""""""""""""""""""""""
+
+Since some of the requirements listed above exceed the capabilities of the
+bridge firewall, we need to use the IP firewall to implement them.
+For bridge br1 and br2, we need to control the traffic that is going to the
+router itself, to other local networks, and to the Internet.
+
+As a reminder, here's a link to the :doc:`firewall documentation
+</configuration/firewall/index>`, where you can find more information about
+the packet flow for traffic that comes from bridge layer and should be analized
+by the IP firewall.
+
+Access to the router itself is controlled by the base chain ``input``, and
+rules to accomplish all the requirements are:
+
+.. code-block:: none
+
+ # First of all, if not using global state policies, we need to define them:
+ set firewall ipv4 input filter rule 10 state 'established'
+ set firewall ipv4 input filter rule 10 state 'related'
+ set firewall ipv4 input filter rule 10 action 'accept'
+ set firewall ipv4 input filter rule 20 state 'invalid'
+ set firewall ipv4 input filter rule 20 action 'drop'
+
+ # Input - br1 - Accept access to router itself
+ set firewall ipv4 input filter rule 110 description "Accept access from br1"
+ set firewall ipv4 input filter rule 110 action 'accept'
+ set firewall ipv4 input filter rule 110 inbound-interface group 'br1-ifaces'
+
+ # Input - br2 - Deny access to the router
+ set firewall ipv4 input filter rule 120 description "Deny access from br2"
+ set firewall ipv4 input filter rule 120 action 'drop'
+ set firewall ipv4 input filter rule 120 inbound-interface group 'br2-ifaces'
+
+And for traffic that is going to other local networks, and to he Internet, we
+need to use the base chain ``forward``. As in the bridge firewall, we are
+going to use custom rulesets for each bridge, that would be used in the
+``forward`` chain. Those rulesets are ``ip-br1-fwd`` and ``ip-br2-fwd``:
+
+.. code-block:: none
+
+ # First of all, if not using global state policies, we need to define them:
+ set firewall ipv4 forward filter rule 5 action 'accept'
+ set firewall ipv4 forward filter rule 5 state 'established'
+ set firewall ipv4 forward filter rule 5 state 'related'
+ set firewall ipv4 forward filter rule 10 action 'drop'
+ set firewall ipv4 forward filter rule 10 state 'invalid'
+
+ # Forward - Catch all traffic for br1
+ set firewall ipv4 forward filter rule 110 description 'br1 traffic'
+ set firewall ipv4 forward filter rule 110 action 'jump'
+ set firewall ipv4 forward filter rule 110 inbound-interface group 'br1-ifaces'
+ set firewall ipv4 forward filter rule 110 jump-target 'ip-br1-fwd'
+
+ # Forward - Catch all traffic for br2
+ set firewall ipv4 forward filter rule 120 description 'br2 traffic'
+ set firewall ipv4 forward filter rule 120 action 'jump'
+ set firewall ipv4 forward filter rule 120 inbound-interface group 'br2-ifaces'
+ set firewall ipv4 forward filter rule 120 jump-target 'ip-br2-fwd'
+
+ # Forward - Default action drop:
+ set firewall ipv4 forward filter default-action 'drop'
+
+And the content of the custom rulesets:
+
+.. code-block:: none
+
+ ### br1 - ip-br1-fwd
+ # Requirement: Allow connections to internet
+ set firewall ipv4 name ip-br1-fwd rule 10 description 'br1 - allow internet access'
+ set firewall ipv4 name ip-br1-fwd rule 10 action 'accept'
+ set firewall ipv4 name ip-br1-fwd rule 10 outbound-interface name 'eth0'
+ # Requirement: Drop all other connections
+ set firewall ipv4 name ip-br1-fwd default-action 'drop'
+
+ ### br2 - ip-br2-fwd
+ # Requirement: Allow connections to internet
+ set firewall ipv4 name ip-br2-fwd rule 10 description 'br2 - allow internet access'
+ set firewall ipv4 name ip-br2-fwd rule 10 action 'accept'
+ set firewall ipv4 name ip-br2-fwd rule 10 outbound-interface name 'eth0'
+ # Requirement: Allow connections to br1
+ set firewall ipv4 name ip-br2-fwd rule 20 description 'br2 - allow access to br1'
+ set firewall ipv4 name ip-br2-fwd rule 20 action 'accept'
+ set firewall ipv4 name ip-br2-fwd rule 20 outbound-interface group 'br1-ifaces'
+ # Requirement: Drop all other connections
+ set firewall ipv4 name ip-br2-fwd default-action 'drop'
+
+
+Validation
+^^^^^^^^^^
+
+While testing the configuration, we can check logs in order to ensure that
+we are accepting and/or blocking the correct traffic.
+
+For example, while a host tries to get an IP address from a DHCP server in
+br1 all DHCP discover are dropped, and in br2, we can see that DHCP offers from
+untrusted servers are dropped:
+
+.. code-block:: none
+
+ vyos@bridge:~$ show log firewall bridge
+ Sep 17 14:22:35 kernel: [bri-NAM-br2-fwd-22-D]IN=eth7 OUT=eth5 MAC=50:00:00:09:00:00:50:00:00:04:00:00:08:00 SRC=10.2.2.199 DST=10.2.2.92 LEN=322 TOS=0x10 PREC=0x00 TTL=128 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=302
+ Sep 17 14:28:18 kernel: [bri-NAM-br1-pre-10-D]IN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:79:66:68:0c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=392 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=372
+ Sep 17 14:28:19 kernel: [bri-NAM-br1-pre-10-D]IN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:79:66:68:0c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=392 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=372
+
+
+And with operational mode commands, we can check rules matchers, actions, and
+counters.
+
+Bridge firewall rulset:
+
+.. code-block:: none
+
+ vyos@bri:~$ show firewall bridge
+ Rulesets bridge Information
+
+ ---------------------------------
+ bridge Firewall "forward filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------------------
+ 5 accept all 19 1916 ct state { established, related } accept
+ 10 drop all 0 0 ct state invalid
+ 110 jump all 2 208 iifname @I_br0-ifaces jump NAME_br0-fwd
+ 120 jump all 10 670 iifname @I_br1-ifaces jump NAME_br1-fwd
+ 130 jump all 12 3086 iifname @I_br2-ifaces jump NAME_br2-fwd
+ default drop all 0 0
+
+ ---------------------------------
+ bridge Firewall "name br0-fwd"
+
+ Rule Action Protocol Packets Bytes
+ ------- -------- ---------- --------- -------
+ default accept all 2 208
+
+ ---------------------------------
+ bridge Firewall "name br0-pre"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------
+ 10 accept all 18 1872 ether type ip6 accept
+ default drop all 9 1476
+
+ ---------------------------------
+ bridge Firewall "name br1-fwd"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------------------------
+ 10 accept all 5 250 ether type arp accept
+ 20 accept all 3 252 ct state new ip saddr 10.1.1.102 accept
+ default drop all 2 168
+
+ ---------------------------------
+ bridge Firewall "name br1-pre"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------------------------------------------------------------------------
+ 10 drop udp 3 1176 ether daddr ff:ff:ff:ff:ff:ff udp sport 68 udp dport 67 prefix "[bri-NAM-br1-pre-10-D]"
+ 20 drop all 0 0 ether type ip6
+ default accept all 58 4430
+
+ ---------------------------------
+ bridge Firewall "name br2-fwd"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ---------------------------------------------------------------
+ 10 accept udp 4 1312 ether daddr ff:ff:ff:ff:ff:ff udp sport 68 udp dport 67 accept
+ 20 accept udp 2 656 udp sport 67 udp dport 68 iifname "eth6" accept
+ 22 drop udp 1 322 udp sport 67 udp dport 68 prefix "[bri-NAM-br2-fwd-22-D]"
+ 30 accept all 2 92 ether type arp accept
+ 40 accept all 3 704 ether type ip accept
+ default drop all 0 0
+
+ ---------------------------------
+ bridge Firewall "name br2-pre"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- --------------
+ 10 drop all 7 728 ether type ip6
+ default accept all 77 7548
+
+ ---------------------------------
+ bridge Firewall "prerouting filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------------------------
+ 10 jump all 27 3348 iifname @I_br0-ifaces jump NAME_br0-pre
+ 20 jump all 61 5606 iifname @I_br1-ifaces jump NAME_br1-pre
+ 30 jump all 84 8276 iifname @I_br2-ifaces jump NAME_br2-pre
+ default drop all 0 0
+
+ vyos@bridge:~$
+
+IPv4 firewall rulset:
+
+.. code-block:: none
+
+ vyos@bridge:~$ show firewall ipv4
+ Rulesets ipv4 Information
+
+ ---------------------------------
+ ipv4 Firewall "forward filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -------------------------------------------
+ 5 accept all 76 6384 ct state { established, related } accept
+ 10 drop all 0 0 ct state invalid
+ 110 jump all 13 1092 iifname @I_br1-ifaces jump NAME_ip-br1-fwd
+ 120 jump all 3 252 iifname @I_br2-ifaces jump NAME_ip-br2-fwd
+ default drop all 0 0
+
+ ---------------------------------
+ ipv4 Firewall "input filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------------------
+ 10 accept all 0 0 ct state { established, related } accept
+ 20 drop all 0 0 ct state invalid
+ 110 accept all 10 720 iifname @I_br1-ifaces accept
+ 120 drop all 26 2672 iifname @I_br2-ifaces
+ default accept all 3037 991621
+
+ ---------------------------------
+ ipv4 Firewall "name ip-br1-fwd"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------
+ 10 accept all 5 420 oifname "eth0" accept
+ default drop all 8 672
+
+ ---------------------------------
+ ipv4 Firewall "name ip-br2-fwd"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------
+ 10 accept all 1 84 oifname "eth0" accept
+ 20 accept all 2 168 oifname @I_br1-ifaces accept
+ default drop all 0 0
+
+ vyos@bridge:~$
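Review bot: the br2 requirement "Accept only DHCP offers from valid server and|or trusted bridge port" is only half implemented in `br2-fwd`: rule 20 matches `inbound-interface name 'eth6'` and nothing else, so any host plugged into eth6 can hand out leases; either add a `source address` match for the trusted DHCP server to rule 20, or reword the requirement and the comment `# Requirement: Accept only DHCP offers from valid server on port eth6` so they promise only what the rule checks. The br1 requirement "Drop connections to other LANs" is met only implicitly by `default-action 'drop'` in `ip-br1-fwd`; a comment on that line, like the ones on the other rules, would make the mapping explicit. Spelling and consistency: "whithin" (br0 requirements), "Brige br0", "everythin else", "analized", "to he Internet", and "rulset" (twice in the Validation section); the `input filter` rules 110/120 use double quotes for `description` while every other command in the file uses single quotes; and the prompt switches between `vyos@bridge:~$` and `vyos@bri:~$` in the two operational-mode captures.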
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst
index 14b4e148..39956236 100644
--- a/docs/configuration/firewall/bridge.rst
+++ b/docs/configuration/firewall/bridge.rst
@@ -327,8 +327,64 @@ There are a lot of matching criteria against which the packet can be tested.
Please refer to :doc:`IPv4</configuration/firewall/ipv4>` and
:doc:`IPv6</configuration/firewall/ipv6>` matching criteria for more details.
-Since bridges operates at layer 2, both matchers for IPv4 and IPv6 are
-supported in bridge firewall configuration. Same applies for firewall groups.
+Since bridges operats at layer 2, both matchers for IPv4 and IPv6 are
+supported in bridge firewall configuration. Same applies to firewall groups.
+
+Same specific matching criteria that can be used in bridge firewall are
+described in this section:
+
+.. cfgcmd:: set firewall bridge forward filter rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge input filter rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge output filter rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge name <name> rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+
+ Match based on the Ethernet type of the packet.
+
+.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+
+ Match based on the Ethernet type of the packet when it is VLAN tagged.
+
+.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan id
+ <0-4096>
+.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan id
+ <0-4096>
+.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan id
+ <0-4096>
+.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan id
+ <0-4096>
+.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan id
+ <0-4096>
+
+ Match based on VLAN identifier. Range is also supported.
+
+.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan priority
+ <0-7>
+.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan priority
+ <0-7>
+.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan priority
+ <0-7>
+.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan priority
+ <0-7>
+.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan priority
+ <0-7>
+
+ Match based on VLAN priority (Priority Code Point - PCP). Range is also
+ supported.
Use IP firewall
===============
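Review bot: the rewritten sentence introduces a typo the old line did not have: "Since bridges operats at layer 2" should stay "operates". "Same specific matching criteria that can be used in bridge firewall are described in this section" reads as "Some specific matching criteria ...". The `vlan id <0-4096>` range is suspicious: an 802.1Q VID is 12 bits, so 4095 is the largest valid value; check what the CLI validator actually accepts and document that range.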
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst
index 0c0c052b..1ab7f361 100644
--- a/docs/configuration/interfaces/macsec.rst
+++ b/docs/configuration/interfaces/macsec.rst
@@ -236,4 +236,50 @@ the unencrypted but authenticated content.
set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01
set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
- set interfaces macsec macsec1 source-interface 'eth1' \ No newline at end of file
+ set interfaces macsec macsec1 source-interface 'eth1'
+
+***************
+MACsec over wan
+***************
+
+MACsec is an interesting alternative to existing tunneling solutions that
+protects layer 2 by performing integrity, origin authentication, and optionally
+encryption. The typical use case is to use MACsec between hosts and access
+switches, between two hosts, or between two switches. in this example below,
+we use VXLAN and MACsec to secure the tunnel.
+
+**R1 MACsec01**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.1/24'
+ set interfaces macsec macsec1 address '2001:db8::1/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02'
+ set interfaces macsec macsec1 source-interface 'vxlan1'
+ set interfaces vxlan vxlan1 mac '00:11:22:33:44:01'
+ set interfaces vxlan vxlan1 remote '10.1.3.3'
+ set interfaces vxlan vxlan1 source-address '172.16.100.1'
+ set interfaces vxlan vxlan1 vni '10'
+ set protocols static route 10.1.3.3/32 next-hop 172.16.100.2
+
+**R2 MACsec02**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.2/24'
+ set interfaces macsec macsec1 address '2001:db8::2/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01'
+ set interfaces macsec macsec1 source-interface 'vxlan1'
+ set interfaces vxlan vxlan1 mac '00:11:22:33:44:02'
+ set interfaces vxlan vxlan1 remote '10.1.2.2'
+ set interfaces vxlan vxlan1 source-address '172.16.100.2'
+ set interfaces vxlan vxlan1 vni '10'
+ set protocols static route 10.1.2.2/32 next-hop 172.16.100.1
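Review bot: the VXLAN addressing in the two configs does not line up and the reader has no topology to reconcile it with. R1 sends from `source-address '172.16.100.1'` to `remote '10.1.3.3'`, R2 sends from `source-address '172.16.100.2'` to `remote '10.1.2.2'`, yet neither remote equals the peer's source address, and the static routes (`10.1.3.3/32 next-hop 172.16.100.2`, `10.1.2.2/32 next-hop 172.16.100.1`) suggest 10.1.2.2 and 10.1.3.3 are addresses sitting behind the 172.16.100.0/24 link; either add a short description of which address belongs to which device, or make each remote match the peer's VXLAN source address. Also, the section title "MACsec over wan" should be "MACsec over WAN", and "switches. in this example below, we use" needs a capital "In" and should drop one of "this"/"below".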
diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst
index 695866a0..e6a29f9a 100644
--- a/docs/configuration/interfaces/wireless.rst
+++ b/docs/configuration/interfaces/wireless.rst
@@ -60,8 +60,8 @@ Wireless options
.. cfgcmd:: set interfaces wireless <interface> channel <number>
- Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from
- 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173.
+ Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n/ax) channels range from
+ 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 177.
On 6GHz (802.11 ax) channels range from 1 to 233.
.. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid
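Review bot: since this hunk is already touching both lines, the unit casing should be made consistent: "2.4Ghz" and "5Ghz" in the changed lines versus "6GHz" in the unchanged context line below them; "GHz" is the correct form throughout.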
@@ -116,7 +116,7 @@ Wireless options
* ``ac`` - 802.11ac - 1300 Mbits/sec
* ``ax`` - 802.11ax - exceeds 1GBit/sec
- .. note:: In VyOS, 802.11ax is only implemented for 6GHz as of yet.
+ .. note:: In VyOS, 802.11ax is only implemented for 2.4GHz and 6GHz.
.. cfgcmd:: set interfaces wireless <interface> physical-device <device>
@@ -164,6 +164,8 @@ PPDU
HT (High Throughput) capabilities (802.11n)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ Configuring HT mode options is required when using 802.11n or 802.11ax at 2.4GHz.
+
.. cfgcmd:: set interfaces wireless <interface> capabilities ht 40mhz-incapable
Device is incapable of 40 MHz, do not advertise. This sets ``[40-INTOLERANT]``
@@ -378,11 +380,30 @@ HE (High Efficiency) capabilities (802.11ax)
<number> must be one of:
- * ``131`` - 20 MHz channel width
- * ``132`` - 40 MHz channel width
- * ``133`` - 80 MHz channel width
- * ``134`` - 160 MHz channel width
- * ``135`` - 80+80 MHz channel width
+ * ``81`` - 20 MHz channel width (2.4GHz)
+ * ``83`` - 40 MHz channel width, secondary 20MHz channel above primary
+ channel (2.4GHz)
+ * ``84`` - 40 MHz channel width, secondary 20MHz channel below primary
+ channel (2.4GHz)
+ * ``131`` - 20 MHz channel width (6GHz)
+ * ``132`` - 40 MHz channel width (6GHz)
+ * ``133`` - 80 MHz channel width (6GHz)
+ * ``134`` - 160 MHz channel width (6GHz)
+ * ``135`` - 80+80 MHz channel width (6GHz)
+
+.. cfgcmd:: set interfaces wireless <interface>
+ capabilities he coding-scheme <number>
+
+ This setting configures Spacial Stream and Modulation Coding Scheme
+ settings for HE mode (HE-MCS). It is usually not needed to set this
+ explicitly, but it might help with some WiFi adapters.
+
+ <number> must be one of:
+
+ * ``0`` - HE-MCS 0-7
+ * ``1`` - HE-MCS 0-9
+ * ``2`` - HE-MCS 0-11
+ * ``3`` - HE-MCS is not supported
Wireless options (Station/Client)
=================================
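Review bot: "Spacial Stream" in the new `coding-scheme` description should be "Spatial Stream". In the `channel-set-width` list the spacing is inconsistent between "20 MHz channel width" and "secondary 20MHz channel above primary"; pick one form for the whole list.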
@@ -693,16 +714,200 @@ Resulting in
type access-point
}
}
- system {
- [...]
- wifi-regulatory-domain DE
- }
To get it to work as an access point with this configuration you will need
to set up a DHCP server to work with that network. You can - of course - also
bridge the Wireless interface with any configured bridge
(:ref:`bridge-interface`) on the system.
+WiFi-6(e) - 802.11ax
+====================
+
+The following examples will show valid configurations for WiFi-6 (2.4GHz)
+and WiFi-6e (6GHz) Access-Points with the following characteristics:
+
+* Network ID (SSID) ``test.ax``
+* WPA passphrase ``super-dooper-secure-passphrase``
+* Use 802.11ax protocol
+* Wireless channel ``11`` for 2.4GHz
+* Wireless channel ``5`` for 6GHz
+
+
+Example Configuration: WiFi-6 at 2.4GHz
+---------------------------------------
+
+You may expect real throughputs around 10MBytes/s or higher in crowded areas.
+
+.. code-block:: none
+
+ set system wireless country-code de
+ set interfaces wireless wlan0 capabilities he antenna-pattern-fixed
+ set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer
+ set interfaces wireless wlan0 capabilities he beamform single-user-beamformee
+ set interfaces wireless wlan0 capabilities he beamform single-user-beamformer
+ set interfaces wireless wlan0 capabilities he bss-color 13
+ set interfaces wireless wlan0 capabilities he channel-set-width 81
+ set interfaces wireless wlan0 capabilities ht 40mhz-incapable
+ set interfaces wireless wlan0 capabilities ht channel-set-width ht20
+ set interfaces wireless wlan0 capabilities ht channel-set-width ht40+
+ set interfaces wireless wlan0 capabilities ht channel-set-width ht40-
+ set interfaces wireless wlan0 capabilities ht short-gi 20
+ set interfaces wireless wlan0 capabilities ht short-gi 40
+ set interfaces wireless wlan0 capabilities ht stbc rx 2
+ set interfaces wireless wlan0 capabilities ht stbc tx
+ set interfaces wireless wlan0 channel 11
+ set interfaces wireless wlan0 description "802.11ax 2.4GHz"
+ set interfaces wireless wlan0 mode ax
+ set interfaces wireless wlan0 security wpa cipher CCMP
+ set interfaces wireless wlan0 security wpa cipher CCMP-256
+ set interfaces wireless wlan0 security wpa cipher GCMP-256
+ set interfaces wireless wlan0 security wpa cipher GCMP
+ set interfaces wireless wlan0 security wpa mode wpa2
+ set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase
+ set interfaces wireless wlan0 ssid test.ax
+ set interfaces wireless wlan0 type access-point
+ commit
+
+Resulting in
+
+.. code-block:: none
+
+ system {
+ wireless {
+ country-code de
+ }
+ }
+ interfaces {
+ [...]
+ wireless wlan0 {
+ capabilities {
+ he {
+ antenna-pattern-fixed
+ beamform {
+ multi-user-beamformer
+ single-user-beamformee
+ single-user-beamformer
+ }
+ bss-color 13
+ channel-set-width 81
+ }
+ ht {
+ 40mhz-incapable
+ channel-set-width ht20
+ channel-set-width ht40+
+ channel-set-width ht40-
+ short-gi 20
+ short-gi 40
+ stbc {
+ rx 2
+ tx
+ }
+ }
+ }
+ channel 11
+ description "802.11ax 2.4GHz"
+ hw-id [...]
+ mode ax
+ physical-device phy0
+ security {
+ wpa {
+ cipher CCMP
+ cipher CCMP-256
+ cipher GCMP-256
+ cipher GCMP
+ mode wpa2
+ passphrase super-dooper-secure-passphrase
+ }
+ }
+ ssid test.ax
+ type access-point
+ }
+ }
+
+Example Configuration: WiFi-6e at 6GHz
+--------------------------------------
+
+You may expect real throughputs around 50MBytes/s to 150MBytes/s,
+depending on obstructions by walls, water, metal or other materials
+with high electro-magnetic dampening at 6GHz. Best results are achieved
+with the AP being in the same room and in line-of-sight.
+
+.. code-block:: none
+
+ set system wireless country-code de
+ set interfaces wireless wlan0 capabilities he antenna-pattern-fixed
+ set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer
+ set interfaces wireless wlan0 capabilities he beamform single-user-beamformee
+ set interfaces wireless wlan0 capabilities he beamform single-user-beamformer
+ set interfaces wireless wlan0 capabilities he bss-color 13
+ set interfaces wireless wlan0 capabilities he channel-set-width 134
+ set interfaces wireless wlan0 capabilities he capabilities he center-channel-freq freq-1 15
+ set interfaces wireless wlan0 channel 5
+ set interfaces wireless wlan0 description "802.11ax 6GHz"
+ set interfaces wireless wlan0 mode ax
+ set interfaces wireless wlan0 security wpa cipher CCMP
+ set interfaces wireless wlan0 security wpa cipher CCMP-256
+ set interfaces wireless wlan0 security wpa cipher GCMP-256
+ set interfaces wireless wlan0 security wpa cipher GCMP
+ set interfaces wireless wlan0 security wpa mode wpa3
+ set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase
+ set interfaces wireless wlan0 mgmt-frame-protection required
+ set interfaces wireless wlan0 enable-bf-protection
+ set interfaces wireless wlan0 ssid test.ax
+ set interfaces wireless wlan0 type access-point
+ set interfaces wireless wlan0 stationary-ap
+ commit
+
+Resulting in
+
+.. code-block:: none
+
+ system {
+ wireless {
+ country-code de
+ }
+ }
+ interfaces {
+ [...]
+ wireless wlan0 {
+ capabilities {
+ he {
+ antenna-pattern-fixed
+ beamform {
+ multi-user-beamformer
+ single-user-beamformee
+ single-user-beamformer
+ }
+ bss-color 13
+ center-channel-freq {
+ freq-1 15
+ }
+ channel-set-width 134
+ }
+ }
+ channel 5
+ description "802.11ax 6GHz"
+ enable-bf-protection
+ hw-id [...]
+ mgmt-frame-protection required
+ mode ax
+ physical-device phy0
+ security {
+ wpa {
+ cipher CCMP
+ cipher CCMP-256
+ cipher GCMP-256
+ cipher GCMP
+ mode wpa3
+ passphrase super-dooper-secure-passphrase
+ }
+ }
+ ssid test.ax
+ stationary-ap
+ type access-point
+ }
+ }
+
.. _wireless-interface-intel-ax200:
Intel AX200
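Review bot: the 6 GHz example line `set interfaces wireless wlan0 capabilities he capabilities he center-channel-freq freq-1 15` repeats `capabilities he`; the rendered configuration further down shows `center-channel-freq { freq-1 15 }` directly under `he`, so the intended command is `set interfaces wireless wlan0 capabilities he center-channel-freq freq-1 15`, and as written the walkthrough fails on the first copy-paste. The 2.4 GHz example is also self-contradictory: it sets `ht 40mhz-incapable` (which, per the paragraph at the top of this hunk, advertises `[40-INTOLERANT]`) and `he channel-set-width 81` (20 MHz), yet also configures `ht channel-set-width ht40+` and `ht40-`; drop either the ht40 lines or the 40mhz-incapable line so the example expresses one intent. On the security side, the 2.4 GHz example presents `security wpa mode wpa2` with no `mgmt-frame-protection` while the 6 GHz example correctly uses `mode wpa3` plus `mgmt-frame-protection required`; the 2.4 GHz text should say that wpa3, or at least wpa2 with management frame protection, is the recommended choice rather than silently showing the weaker setup, and both examples should note that the passphrase is a placeholder that is stored and displayed in plaintext, as the rendered output makes visible. Finally, this hunk deletes the `system { wifi-regulatory-domain DE }` block from the existing access-point example's rendered output; confirm that the matching `set` line earlier in that example was moved to the new `set system wireless country-code` syntax, otherwise that example's input and output no longer agree.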
diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst
index 9345e708..42f63fc9 100644
--- a/docs/configuration/nat/nat66.rst
+++ b/docs/configuration/nat/nat66.rst
@@ -105,6 +105,18 @@ Example:
set nat66 destination rule 1 destination address 'fc00::/64'
set nat66 destination rule 1 translation address 'fc01::/64'
+For the destination, groups can also be used instead of an address.
+
+Example:
+
+.. code-block:: none
+
+ set firewall group ipv6-address-group ADR-INSIDE-v6 address fc00::1
+
+ set nat66 destination rule 1 inbound-interface name 'eth0'
+ set nat66 destination rule 1 destination group address-group ADR-INSIDE-v6
+ set nat66 destination rule 1 translation address 'fc01::/64'
+
Configuration Examples
======================
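Review bot: the group example matches a single host (`ADR-INSIDE-v6` contains only `fc00::1`) but keeps `translation address 'fc01::/64'` from the prefix-based example above it, which leaves the reader guessing whether a host match is mapped to `fc01::1` (prefix translation preserving the host bits) or something else; either give the group a prefix-sized member or translate to a host address, and add one sentence on how a prefix translation applies to group members. It would also help to state which group type the `address-group` keyword expects here, since the group is created as `ipv6-address-group` but referenced as `address-group`, and that mismatch is the first thing a reader will trip over.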
diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst
index ea217d3c..e7b1b27f 100644
--- a/docs/configuration/protocols/index.rst
+++ b/docs/configuration/protocols/index.rst
@@ -14,6 +14,7 @@ Protocols
isis
mpls
segment-routing
+ openfabric
ospf
pim
pim6
diff --git a/docs/configuration/protocols/openfabric.rst b/docs/configuration/protocols/openfabric.rst
new file mode 100644
index 00000000..aecb5181
--- /dev/null
+++ b/docs/configuration/protocols/openfabric.rst
@@ -0,0 +1,237 @@
+.. _openfabric:
+
+##########
+OpenFabric
+##########
+
+OpenFabric, specified in `draft-white-openfabric-06.txt
+<https://datatracker.ietf.org/doc/html/draft-white-openfabric-06>`_, is
+a routing protocol derived from IS-IS, providing link-state routing with
+efficient flooding for topologies like spine-leaf networks.
+
+OpenFabric a dual stack protocol.
+A single OpenFabric instance is able to perform routing for both IPv4 and IPv6.
+
+*******
+General
+*******
+
+Configuration
+=============
+
+Mandatory Settings
+------------------
+
+For OpenFabric to operate correctly, one must do the equivalent of a Router ID
+in Connectionless Network Service (CLNS). This Router ID is called the
+:abbr:`NET (Network Entity Title)`. The system identifier must be unique within
+the network
+
+.. cfgcmd:: set protocols openfabric net <network-entity-title>
+
+ This command sets network entity title (NET) provided in ISO format.
+
+ Here is an example :abbr:`NET (Network Entity Title)` value:
+
+ .. code-block:: none
+
+ 49.0001.1921.6800.1002.00
+
+ The CLNS address consists of the following parts:
+
+ * :abbr:`AFI (Address family authority identifier)` - ``49`` The AFI value
+ 49 is what OpenFabric uses for private addressing.
+
+ * Area identifier: ``0001`` OpenFabric area number (numerical area ``1``)
+
+ * System identifier: ``1921.6800.1002`` - for system identifiers we recommend
+ to use IP address or MAC address of the router itself. The way to construct
+ this is to keep all of the zeroes of the router IP address, and then change
+ the periods from being every three numbers to every four numbers. The
+ address that is listed here is ``192.168.1.2``, which if expanded will turn
+ into ``192.168.001.002``. Then all one has to do is move the dots to have
+ four numbers instead of three. This gives us ``1921.6800.1002``.
+
+ * :abbr:`NET (Network Entity Title)` selector: ``00`` Must always be 00. This
+ setting indicates "this system" or "local system."
+
+.. cfgcmd:: set protocols openfabric domain <name> interface <interface>
+ address-family <ipv4|ipv6>
+
+ This command enables OpenFabric instance with <NAME> on this interface, and
+ allows for adjacency to occur for address family (IPv4 or IPv6 or both).
+
+OpenFabric Global Configuration
+-------------------------------
+
+.. cfgcmd:: set protocols openfabric domain-password <plaintext-password|md5>
+ <password>
+
+ This command configures the authentication password for a routing domain,
+ as clear text or md5 one.
+
+.. cfgcmd:: set protocols openfabric domain <name> purge-originator
+
+ This command enables :rfc:`6232` purge originator identification.
+
+.. cfgcmd:: set protocols openfabric domain <name> set-overload-bit
+
+ This command sets overload bit to avoid any transit traffic through this
+ router.
+
+.. cfgcmd:: set protocols openfabric domain <name> log-adjacency-changes
+
+ Log changes in adjacency state.
+
+.. cfgcmd:: set protocols openfabric domain <name> fabric-tier <number>
+
+ This command sets a static tier number to advertise as location
+ in the fabric.
+
+
+Interface Configuration
+-----------------------
+
+.. cfgcmd:: set protocols openfabric interface <interface> hello-interval
+ <seconds>
+
+ This command sets hello interval in seconds on a given interface.
+ The range is 1 to 600. Hello packets are used to establish and maintain
+ adjacency between OpenFabric neighbors.
+
+.. cfgcmd:: set protocols openfabric domain <name> interface <interface>
+ hello-multiplier <number>
+
+ This command sets multiplier for hello holding time on a given
+ interface. The range is 2 to 100.
+
+.. cfgcmd:: set protocols openfabric domain <name> interface <interface>
+ metric <metric>
+
+ This command sets default metric for circuit.
+ The metric range is 1 to 16777215.
+
+.. cfgcmd:: set protocols openfabric interface <interface> passive
+
+ This command enables the passive mode for this interface.
+
+.. cfgcmd:: set protocols openfabric domain <name> interface <interface>
+ password plaintext-password <text>
+
+ This command sets the authentication password for the interface.
+
+.. cfgcmd:: set protocols openfabric domain <name> interface <interface>
+ csnp-interval <seconds>
+
+ This command sets Complete Sequence Number Packets (CSNP) interval in seconds.
+ The interval range is 1 to 600.
+
+.. cfgcmd:: set protocols openfabric domain <name> interface <interface>
+ psnp-interval <number>
+
+ This command sets Partial Sequence Number Packets (PSNP) interval in seconds.
+ The interval range is 1 to 120.
+
+Timers
+------
+
+.. cfgcmd:: set protocols openfabric domain <name> lsp-gen-interval <seconds>
+
+ This command sets minimum interval at which link-state packets (LSPs) are
+ generated. The interval range is 1 to 120.
+
+.. cfgcmd:: set protocols openfabric domain <name> lsp-refresh-interval <seconds>
+
+ This command sets LSP refresh interval in seconds. The interval range
+ is 1 to 65235.
+
+.. cfgcmd:: set protocols openfabric domain <name> max-lsp-lifetime <seconds>
+
+ This command sets LSP maximum LSP lifetime in seconds. The interval range
+ is 360 to 65535. LSPs remain in a database for 1200 seconds by default.
+ If they are not refreshed by that time, they are deleted. You can change
+ the LSP refresh interval or the LSP lifetime. The LSP refresh interval
+ should be less than the LSP lifetime or else LSPs will time out before
+ they are refreshed.
+
+.. cfgcmd:: set protocols openfabric domain <name> spf-interval <seconds>
+
+ This command sets minimum interval between consecutive shortest path first
+ (SPF) calculations in seconds.The interval range is 1 to 120.
+
+
+********
+Examples
+********
+
+Enable OpenFabric
+=================
+
+**Node 1:**
+
+.. code-block:: none
+
+ set interfaces loopback lo address '192.168.255.255/32'
+ set interfaces ethernet eth1 address '192.0.2.1/24'
+
+ set protocols openfabric domain VyOS interface eth1 address-family ipv4
+ set protocols openfabric domain VyOS interface lo address-family ipv4
+ set protocols openfabric net '49.0001.1921.6825.5255.00'
+
+**Node 2:**
+
+.. code-block:: none
+
+ set interfaces loopback lo address '192.168.255.254/32'
+ set interfaces ethernet eth1 address '192.0.2.2/24'
+
+ set protocols openfabric domain VyOS interface eth1 address-family ipv4
+ set protocols openfabric domain VyOS interface lo address-family ipv4
+ set protocols openfabric net '49.0001.1921.6825.5254.00'
+
+
+
+This gives us the following neighborships:
+
+.. code-block:: none
+
+ Node-1@vyos:~$ show openfabric neighbor
+ show openfabric neighbor
+ Area VyOS:
+ System Id Interface L State Holdtime SNPA
+ vyos eth1 2 Up 27 2020.2020.2020
+
+
+ Node-2@vyos:~$ show openfabric neighbor
+ show openfabric neighbor
+ Area VyOS:
+ System Id Interface L State Holdtime SNPA
+ vyos eth1 2 Up 30 2020.2020.2020
+
+Here's the IP routes that are populated:
+
+.. code-block:: none
+
+ Node-1@vyos:~$ show ip route openfabric
+ show ip route openfabric
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
+ f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+ t - trapped, o - offload failure
+
+ f 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 onlink, weight 1, 00:00:10
+ f>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1 onlink, weight 1, 00:00:10
+
+ Node-2@vyos:~$ show ip route openfabric
+ show ip route openfabric
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
+ f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+ t - trapped, o - offload failure
+
+ f 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 onlink, weight 1, 00:00:48
+ f>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1 onlink, weight 1, 00:00:48
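Review bot: the command paths on this page are inconsistent and cannot all be right: `set protocols openfabric interface <interface> hello-interval` and `set protocols openfabric interface <interface> passive` omit the `domain <name>` node that every other interface command (`hello-multiplier`, `metric`, `password`, `csnp-interval`, `psnp-interval`) and the example (`set protocols openfabric domain VyOS interface eth1 ...`) use, and `set protocols openfabric domain-password` sits at the top level while `purge-originator`, `set-overload-bit` and all the timers live under `domain <name>`; verify each against the CLI and fix the outliers, otherwise readers will type commands that do not exist. On authentication, the interface `password` command documents only `plaintext-password` while `domain-password` offers `md5` as well; if the interface level also accepts `md5`, document it, and in both places add that a plaintext password travels in the clear in every hello and can be read by anyone on the segment, so `md5` should be the stated recommendation. `AFI` expands to `Authority and Format Identifier`, not `Address family authority identifier`. Smaller text issues: `OpenFabric a dual stack protocol` is missing `is`, the sentence ending `must be unique within the network` lacks a full stop, `sets LSP maximum LSP lifetime` repeats `LSP`, and `seconds.The` in the spf-interval text needs a space. In the show output, every block echoes its command twice (`Node-1@vyos:~$ show openfabric neighbor` followed by a bare `show openfabric neighbor`); drop the second line in all four blocks. Both neighbor tables also list `vyos` as System Id and `2020.2020.2020` as SNPA on both nodes, which reads as the same capture pasted twice rather than two distinct neighbors; recapture so each node shows the other's identity.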
diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst
index 44c66186..b5ebaaee 100644
--- a/docs/configuration/system/option.rst
+++ b/docs/configuration/system/option.rst
@@ -43,8 +43,6 @@ Kernel
.. cfgcmd:: set system option kernel disable-power-saving
- Disable CPU power saving mechanisms also known as C states.
-
This will add the following two options to the Kernel commandline:
* ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle
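Review bot: this hunk removes the one-line description `Disable CPU power saving mechanisms also known as C states.` and leaves the `disable-power-saving` cfgcmd opening with `This will add the following two options to the Kernel commandline:`, so the command no longer says what it does or why anyone would set it; if the deletion was meant to fix that line's indentation, re-add it as the first sentence of the directive body rather than dropping it.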
@@ -52,6 +50,28 @@ Kernel
.. note:: Setting will only become active with the next reboot!
+.. cfgcmd:: set system option kernel amd-pstate-driver <mode>
+
+ Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs.
+
+ The available modes are:
+
+ * ``active`` This is the low-level firmware control mode based on the profile
+ set and the system governor has no effect.
+ * ``passive`` The driver allows the system governor to manage CPU frequency
+ while providing available performance states.
+ * ``guided`` The driver allows to set desired performance levels and the firmware
+ selects a performance level in this range and fitting to the current workload.
+
+ This will add the following two options to the Kernel commandline:
+
+ * ``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale
+ * ``amd_pstate={mode}`` Sets the p-state mode
+
+ .. note:: Setting will only become active with the next reboot!
+
+ .. seealso:: https://docs.kernel.org/admin-guide/pm/amd-pstate.html
+
***********
HTTP client
***********
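Review bot: `Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs` should name the driver (`amd-pstate`) and state the hardware requirement instead of `modern`; because the same setting adds `initcall_blacklist=acpi_cpufreq_init`, a CPU on which amd-pstate cannot bind is left without the default frequency driver, so the page should warn that the option is only meaningful on AMD CPUs the linked kernel document lists as supported, and that the `.. note::` about the reboot also means a wrong choice is only noticed after the reboot. `The driver allows to set desired performance levels` reads better as `The driver lets the system governor set a desired performance range`, which also matches the second half of that sentence. The two kernel command line options themselves look right.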
diff --git a/docs/configuration/system/syslog.rst b/docs/configuration/system/syslog.rst
index cc7ac676..44c290f4 100644
--- a/docs/configuration/system/syslog.rst
+++ b/docs/configuration/system/syslog.rst
@@ -17,6 +17,28 @@ Syslog supports logging to multiple targets, those targets could be a plain
file on your VyOS installation itself, a serial console or a remote syslog
server which is reached via :abbr:`IP (Internet Protocol)` UDP/TCP.
+Global
+------
+
+.. cfgcmd:: system syslog global marker interval <number>
+
+Interval (in seconds) for sending mark messages to the syslog input to
+indicate that the logging system is functioning.
+
+.. cfgcmd:: system syslog global preserve-fqdn
+
+If set, the domain part of the hostname is always sent,
+even within the same domain as the receiving system.
+
+.. cfgcmd:: system syslog global local-host-name <fqdn>
+
+Overwrites the local system host name used in syslogs.
+
+.. cfgcmd:: system rsyslog global facility <keyword> level <keyword>
+
+Filter syslog messages based on facility and level.
+
+
Console
-------
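Review bot: three of the four new directives drop the leading `set` (`.. cfgcmd:: system syslog global marker interval <number>` versus the `.. cfgcmd:: set ...` form used everywhere else in these docs, including the `set system option kernel` commands in this same change), and the fourth reads `system rsyslog global facility` although the surrounding directives and this page's configuration tree use `system syslog`; fix the paths so the rendered commands are copy-pasteable. The description under each directive is not indented, so Sphinx will render it as a loose paragraph instead of the directive body; indent it as the rest of the file does. For `marker interval`, one sentence on the practical use would help: a remote collector can alert when the periodic mark message stops arriving, which is how you tell a quiet host from a broken or tampered log path. `Filter syslog messages based on facility and level` should say whether `level` is a minimum (that severity and above) or an exact match, and what the defaults are when the option is unset.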