From d2a6dae8ca26417a53943e196a7eca2ca175e4b1 Mon Sep 17 00:00:00 2001
From: Markus Bukowski
Date: Sat, 15 Jan 2022 11:55:25 +0100
Subject: Moved adjust-mss from interface to ip section
---
docs/_include/interface-adjust-mss.txt | 13 -------------
docs/_include/interface-ip.txt | 14 ++++++++++++++
2 files changed, 14 insertions(+), 13 deletions(-)
delete mode 100644 docs/_include/interface-adjust-mss.txt
(limited to 'docs/_include')
diff --git a/docs/_include/interface-adjust-mss.txt b/docs/_include/interface-adjust-mss.txt
deleted file mode 100644
index 195682e7..00000000
--- a/docs/_include/interface-adjust-mss.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-.. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }}
- {{ var5 }} {{ var6 }} adjust-mss
-
- As Internet wide PMTU discovery rarely works, we sometimes need to clamp our
- TCP MSS value to a specific value. This is a field in the TCP options part of
- a SYN packet. By setting the MSS value, you are telling the remote side
- unequivocally 'do not try to send me packets bigger than this value'.
-
- .. note:: This command was introduced in VyOS 1.4 - it was previously called:
- ``set firewall options interface adjust-mss ``
-
- .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in
- 1452 bytes on a 1492 byte MTU.
diff --git a/docs/_include/interface-ip.txt b/docs/_include/interface-ip.txt
index abbed529..2c92c944 100644
--- a/docs/_include/interface-ip.txt
+++ b/docs/_include/interface-ip.txt
@@ -1,3 +1,17 @@ +.. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} ip adjust-mss + + As Internet wide PMTU discovery rarely works, we sometimes need to clamp our + TCP MSS value to a specific value. This is a field in the TCP options part of + a SYN packet. By setting the MSS value, you are telling the remote side + unequivocally 'do not try to send me packets bigger than this value'. + + .. note:: This command was introduced in VyOS 1.4 - it was previously called: + ``set firewall options interface adjust-mss `` + + .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in + 1452 bytes on a 1492 byte MTU. + .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} {{ var5 }} {{ var6 }} ip arp-cache-timeout -- cgit v1.2.3 From da72f4c39f015644515e0b598aea6f7e5a2a03a7 Mon Sep 17 00:00:00 2001 From: Markus Bukowski Date: Sat, 15 Jan 2022 12:35:55 +0100 Subject: Removed MSS from interface, added IP to pppoe --- docs/_include/interface-common.txt | 4 -- docs/configuration/interfaces/pppoe.rst | 70 +++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+), 4 deletions(-) (limited to 'docs/_include') diff --git a/docs/_include/interface-common.txt b/docs/_include/interface-common.txt index 4c6ebbe8..5a997482 100644 --- a/docs/_include/interface-common.txt +++ b/docs/_include/interface-common.txt @@ -22,10 +22,6 @@ :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: /_include/interface-adjust-mss.txt - :var0: {{ var0 }} - :var1: {{ var1 }} - .. cmdinclude:: /_include/interface-ip.txt :var0: {{ var0 }} :var1: {{ var1 }} diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 41f22ed6..ae6a8cba 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst 
@@ -177,6 +177,41 @@ PPPoE options PPPoE connection must be established over a physical interface. Interfaces can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs. +.. cfgcmd:: set interfaces pppoe ip adjust-mss + + As Internet wide PMTU discovery rarely works, we sometimes need to clamp our + TCP MSS value to a specific value. This is a field in the TCP options part of + a SYN packet. By setting the MSS value, you are telling the remote side + unequivocally 'do not try to send me packets bigger than this value'. + + .. note:: This command was introduced in VyOS 1.4 - it was previously called: + ``set firewall options interface adjust-mss `` + + .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in + 1452 bytes on a 1492 byte MTU. + +.. cfgcmd:: set interfaces pppoe ip disable-forwarding + + Configure interface-specific Host/Router behaviour. If set, the interface will + switch to host mode and IPv6 forwarding will be disabled on this interface. + +.. cfgcmd:: set interfaces pppoe ip source-validation + + Enable policy for source validation by reversed path, as specified in + :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict + mode to prevent IP spoofing from DDos attacks. If using asymmetric routing + or other complicated routing, then loose mode is recommended. + + - strict: Each incoming packet is tested against the FIB and if the interface + is not the best reverse path the packet check will fail. By default failed + packets are discarded. + + - loose: Each incoming packet's source address is also tested against the FIB + and if the source address is not reachable via any interface the packet + check will fail. + + - disable: No source validation + IPv6 ---- 
@@ -189,6 +224,41 @@ IPv6 :var0: pppoe :var1: pppoe0 +.. cfgcmd:: set interfaces pppoe ipv6 adjust-mss + + As Internet wide PMTU discovery rarely works, we sometimes need to clamp our + TCP MSS value to a specific value. This is a field in the TCP options part of + a SYN packet. By setting the MSS value, you are telling the remote side + unequivocally 'do not try to send me packets bigger than this value'. + + .. note:: This command was introduced in VyOS 1.4 - it was previously called: + ``set firewall options interface adjust-mss `` + + .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in + 1452 bytes on a 1492 byte MTU. + +.. cfgcmd:: set interfaces pppoe ipv6 disable-forwarding + + Configure interface-specific Host/Router behaviour. If set, the interface will + switch to host mode and IPv6 forwarding will be disabled on this interface. + +.. cfgcmd:: set interfaces pppoe ipv6 source-validation + + Enable policy for source validation by reversed path, as specified in + :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict + mode to prevent IP spoofing from DDos attacks. If using asymmetric routing + or other complicated routing, then loose mode is recommended. + + - strict: Each incoming packet is tested against the FIB and if the interface + is not the best reverse path the packet check will fail. By default failed + packets are discarded. + + - loose: Each incoming packet's source address is also tested against the FIB + and if the source address is not reachable via any interface the packet + check will fail. + + - disable: No source validation + ********* Operation ********* -- cgit v1.2.3 From fedeac219134567c245f161a1f3a5898ba1100b1 Mon Sep 17 00:00:00 2001 From: Markus Bukowski Date: Sat, 15 Jan 2022 13:01:27 +0100 Subject: Remove dedicated adjust-mss from 8021q --- docs/_include/interface-vlan-8021q.txt | 7 ------- 1 file changed, 7 deletions(-) (limited to 'docs/_include') 
diff --git a/docs/_include/interface-vlan-8021q.txt b/docs/_include/interface-vlan-8021q.txt index 7eb8d350..1a527590 100644 --- a/docs/_include/interface-vlan-8021q.txt +++ b/docs/_include/interface-vlan-8021q.txt @@ -73,13 +73,6 @@ term used for this is ``vif``. :var3: :var4: 10 -.. cmdinclude:: /_include/interface-adjust-mss.txt - :var0: {{ var0 }} - :var1: {{ var1 }} - :var2: vif - :var3: - :var4: 10 - .. cmdinclude:: /_include/interface-ip.txt :var0: {{ var0 }} :var1: {{ var1 }} -- cgit v1.2.3 From 08443de04ee2e0bcacceb70bc00190a097179d94 Mon Sep 17 00:00:00 2001 From: Markus Bukowski Date: Sat, 15 Jan 2022 13:01:57 +0100 Subject: Add clamp-mss-to-pmtu option and description --- docs/_include/interface-ip.txt | 5 ++++- docs/configuration/interfaces/pppoe.rst | 33 +++++++++++---------------------- 2 files changed, 15 insertions(+), 23 deletions(-) (limited to 'docs/_include') diff --git a/docs/_include/interface-ip.txt b/docs/_include/interface-ip.txt index 2c92c944..6045a7a8 100644 --- a/docs/_include/interface-ip.txt +++ b/docs/_include/interface-ip.txt @@ -1,5 +1,5 @@ .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} - {{ var5 }} {{ var6 }} ip adjust-mss + {{ var5 }} {{ var6 }} ip adjust-mss As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of @@ -12,6 +12,9 @@ .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU. + Instead of a numberical MSS value `clamp-mss-to-pmtu` can be used to + automatically set the proper value. + .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} {{ var5 }} {{ var6 }} ip arp-cache-timeout diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index ae6a8cba..a1537e80 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst 
@@ -177,7 +177,7 @@ PPPoE options PPPoE connection must be established over a physical interface. Interfaces can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs. -.. cfgcmd:: set interfaces pppoe ip adjust-mss +.. cfgcmd:: set interfaces pppoe ip adjust-mss As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of @@ -190,6 +190,9 @@ PPPoE options .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU. +Instead of a numberical MSS value `clamp-mss-to-pmtu` can be used to +automatically set the proper value. + .. cfgcmd:: set interfaces pppoe ip disable-forwarding Configure interface-specific Host/Router behaviour. If set, the interface will @@ -220,11 +223,7 @@ IPv6 Use this command to enable acquisition of IPv6 address using stateless autoconfig (SLAAC). -.. cmdinclude:: /_include/interface-dhcpv6-prefix-delegation.txt - :var0: pppoe - :var1: pppoe0 - -.. cfgcmd:: set interfaces pppoe ipv6 adjust-mss +.. cfgcmd:: set interfaces pppoe ipv6 adjust-mss As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of 
@@ -237,27 +236,17 @@ IPv6 .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU. +Instead of a numberical MSS value `clamp-mss-to-pmtu` can be used to +automatically set the proper value. + .. cfgcmd:: set interfaces pppoe ipv6 disable-forwarding Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface. -.. cfgcmd:: set interfaces pppoe ipv6 source-validation - - Enable policy for source validation by reversed path, as specified in - :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict - mode to prevent IP spoofing from DDos attacks. If using asymmetric routing - or other complicated routing, then loose mode is recommended. - - - strict: Each incoming packet is tested against the FIB and if the interface - is not the best reverse path the packet check will fail. By default failed - packets are discarded. - - - loose: Each incoming packet's source address is also tested against the FIB - and if the source address is not reachable via any interface the packet - check will fail. - - - disable: No source validation +.. cmdinclude:: /_include/interface-dhcpv6-prefix-delegation.txt + :var0: pppoe + :var1: pppoe0 ********* Operation -- cgit v1.2.3 From 2aac86f60f920ba364f95d70debfed4c8e3a3871 Mon Sep 17 00:00:00 2001 From: Markus Bukowski Date: Sat, 15 Jan 2022 13:03:06 +0100 Subject: Remove dedicated adjust-mss from 8021ad --- docs/_include/interface-vlan-8021ad.txt | 10 ---------- 1 file changed, 10 deletions(-) (limited to 'docs/_include') diff --git a/docs/_include/interface-vlan-8021ad.txt b/docs/_include/interface-vlan-8021ad.txt index 0b37560f..0a1722dc 100644 --- a/docs/_include/interface-vlan-8021ad.txt +++ b/docs/_include/interface-vlan-8021ad.txt 
@@ -88,16 +88,6 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: /_include/interface-adjust-mss.txt - :var0: {{ var0 }} - :var1: {{ var1 }} - :var2: vif-s - :var3: - :var4: 1000 - :var5: vif-c - :var6: - :var7: 20 - .. cmdinclude:: /_include/interface-ip.txt :var0: {{ var0 }} :var1: {{ var1 }} -- cgit v1.2.3 From 60bb01311c86fc689f13ce21a8a431ff068e3737 Mon Sep 17 00:00:00 2001 From: Markus Bukowski Date: Sat, 15 Jan 2022 13:06:32 +0100 Subject: Fix typo in adjust-mss description --- docs/_include/interface-ip.txt | 2 +- docs/configuration/interfaces/pppoe.rst | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'docs/_include') diff --git a/docs/_include/interface-ip.txt b/docs/_include/interface-ip.txt index 6045a7a8..75441040 100644 --- a/docs/_include/interface-ip.txt +++ b/docs/_include/interface-ip.txt @@ -12,7 +12,7 @@ .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU. - Instead of a numberical MSS value `clamp-mss-to-pmtu` can be used to + Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to automatically set the proper value. .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index a1537e80..4a31efc5 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -190,8 +190,8 @@ PPPoE options .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU. -Instead of a numberical MSS value `clamp-mss-to-pmtu` can be used to -automatically set the proper value. + Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to + automatically set the proper value. .. cfgcmd:: set interfaces pppoe ip disable-forwarding 
@@ -235,9 +235,9 @@ IPv6 .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU. - -Instead of a numberical MSS value `clamp-mss-to-pmtu` can be used to -automatically set the proper value. + + Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to + automatically set the proper value. .. cfgcmd:: set interfaces pppoe ipv6 disable-forwarding -- cgit v1.2.3 From 83f983ceef5ff683ac25855d6dfae96a6af1d05d Mon Sep 17 00:00:00 2001 From: Markus Bukowski Date: Sat, 15 Jan 2022 13:09:43 +0100 Subject: Add clamp-mss-to-pmtu option and description ipv6 --- docs/_include/interface-ipv6.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'docs/_include') diff --git a/docs/_include/interface-ipv6.txt b/docs/_include/interface-ipv6.txt index d1ed8837..eb60b4e8 100644 --- a/docs/_include/interface-ipv6.txt +++ b/docs/_include/interface-ipv6.txt @@ -55,7 +55,7 @@ set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 disable-forwarding .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} - {{ var5 }} {{ var6 }} ipv6 adjust-mss + {{ var5 }} {{ var6 }} ipv6 adjust-mss As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of @@ -67,3 +67,6 @@ .. hint:: MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU. + + Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to + automatically set the proper value. -- cgit v1.2.3