-rw-r--r--  CODEOWNERS                              |  2
-rw-r--r--  docs/configuration/firewall/groups.rst  | 27
-rw-r--r--  docs/configuration/policy/route-map.rst |  4
-rw-r--r--  docs/configuration/protocols/ospf.rst   | 13
-rw-r--r--  docs/configuration/vrf/index.rst        |  6
-rw-r--r--  docs/contributing/build-vyos.rst        |  2
-rw-r--r--  docs/installation/secure-boot.rst       | 20
7 files changed, 56 insertions, 18 deletions
@@ -1,2 +1,2 @@ -* @vyos/reviewers +# * @vyos/reviewers * @rebortg
\ No newline at end of file diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst index b7364154..64221413 100644 --- a/docs/configuration/firewall/groups.rst +++ b/docs/configuration/firewall/groups.rst @@ -37,6 +37,33 @@ In an **address group** a single IP address or IP address range is defined. Provide a IPv4 or IPv6 address group description +Remote Groups +============== + +A **remote-group** takes an argument of a URL hosting a linebreak-deliminated +list of IPv4s addresses, CIDRs and ranges. VyOS will pull this list periodicity +according to the frequency defined in the firewall **resolver-interval** and load +matching entries into the group for use in rules. The list will be cached in +persistent storage, so in cases of update failure rules will still function. + +.. cfgcmd:: set firewall group remote-group <name> url <http(s) url> + + Define remote list of IPv4 addresses/ranges/CIDRs to fetch + +.. cfgcmd:: set firewall group remote-group <name> description <text> + + Set a description for a remote group + +The format of the remote list is very flexible. VyOS will attempt to parse the +first word of each line as an entry, and will skip if it cannot find a valid +match. Below is a list of acceptable matches that would be parsed correctly: + +.. code-block:: none + + 127.0.0.1 + 127.0.0.0/24 + 127.0.0.1-127.0.0.254 + Network Groups ============== diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index 03cdb99b..a2313466 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst @@ -179,6 +179,10 @@ Route Map Match RPKI validation result. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match source-vrf <text> + + Source VRF to match. + .. cfgcmd:: set policy route-map <text> rule <1-65535> match tag <1-65535> Route tag to match. 
diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index 9891c77d..ac0ed160 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst @@ -1341,9 +1341,8 @@ A typical configuration using 2 nodes. show ipv6 ospfv3 redistribute -.. note:: You cannot easily redistribute IPv6 routes via OSPFv3 on a - WireGuard interface link. This requires you to configure link-local - addresses manually on the WireGuard interfaces, see :vytask:`T1483`. +Cost calculation wireguard interfaces is unreliable as ospfv3 uses the link speed to calculate the link cost. +You might therefore want to set the link cost to a fixed value on WireGuard tunnels. Example configuration for WireGuard interfaces: 
@@ -1351,30 +1350,26 @@ Example configuration for WireGuard interfaces: .. code-block:: none - set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64' - set interfaces wireguard wg01 address '192.168.0.1/24' set interfaces wireguard wg01 peer ospf02 allowed-ips '::/0' - set interfaces wireguard wg01 peer ospf02 allowed-ips '0.0.0.0/0' set interfaces wireguard wg01 peer ospf02 endpoint '10.1.1.101:12345' set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...=' set interfaces wireguard wg01 port '12345' set protocols ospfv3 parameters router-id 192.168.1.1 set protocols ospfv3 interface 'wg01' area 0.0.0.0 + set protocols ospfv3 interface 'wg01' cost 10 set protocols ospfv3 interface 'lo' area 0.0.0.0 **Node 2** .. code-block:: none - set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64' - set interfaces wireguard wg01 address '192.168.0.2/24' set interfaces wireguard wg01 peer ospf01 allowed-ips '::/0' - set interfaces wireguard wg01 peer ospf01 allowed-ips '0.0.0.0/0' set interfaces wireguard wg01 peer ospf01 endpoint '10.1.1.100:12345' set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...=' set interfaces wireguard wg01 port '12345' set protocols ospfv3 parameters router-id 192.168.1.2 set protocols ospfv3 interface 'wg01' area 0.0.0.0 + set protocols ospfv3 interface 'wg01' cost 10 set protocols ospfv3 interface 'lo' area 0.0.0.0 **Status** diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index e9115458..9082e8d4 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst 
@@ -505,6 +505,12 @@ address-family. derived and should not be specified explicitly for either the source or destination VRF’s. +.. cfgcmd:: set vrf name <name> protocols bgp address-family + <ipv4-unicast|ipv6-unicast> route-map vrf import + [route-map <name>] + + Specifies an optional route-map to be applied to routes imported from VRFs. + .. cfgcmd:: set vrf name <name> protocols bgp interface <interface> mpls forwarding diff --git a/docs/contributing/build-vyos.rst b/docs/contributing/build-vyos.rst index 623cba78..3226def6 100644 --- a/docs/contributing/build-vyos.rst +++ b/docs/contributing/build-vyos.rst @@ -702,7 +702,7 @@ needs. We first need to clone the repository from GitHub. .. code-block:: none - $ git clone https://github.com/vyos/vyos-1x + $ git clone --recurse-submodules https://github.com/vyos/vyos-1x Build ===== diff --git a/docs/installation/secure-boot.rst b/docs/installation/secure-boot.rst index 817ca663..b6685039 100644 --- a/docs/installation/secure-boot.rst +++ b/docs/installation/secure-boot.rst 
@@ -18,13 +18,19 @@ commands prior to your ISO image build: .. code-block:: bash cd vyos-build - openssl req -new -x509 -newkey rsa:4096 \ - -keyout data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.key \ - -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \ - -outform DER -days 36500 -subj "/CN=MyMOK/" -nodes - openssl x509 -inform der \ - -in data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \ - -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.pem + CA_DIR="data/certificates" + SHIM_CERT_NAME="vyos-dev-2025-shim" + VYOS_KERNEL_CERT_NAME="vyos-dev-2025-linux" + + openssl req -new -x509 -newkey rsa:4096 -keyout ${CA_DIR}/${SHIM_CERT_NAME}.key -out ${CA_DIR}/${SHIM_CERT_NAME}.der \ + -outform DER -days 36500 -subj "/CN=VyOS Networks Secure Boot CA/" -nodes + openssl x509 -inform der -in ${CA_DIR}/${SHIM_CERT_NAME}.der -out ${CA_DIR}/${SHIM_CERT_NAME}.pem + + openssl req -newkey rsa:4096 -sha256 -nodes -keyout ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.key \ + -out ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.csr -outform PEM -days 3650 \ + -subj "/CN=VyOS Networks Secure Boot Signer 2025 - linux/" + openssl x509 -req -in ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.csr -CA ${CA_DIR}/${SHIM_CERT_NAME}.pem \ + -CAkey ${CA_DIR}/${SHIM_CERT_NAME}.key -CAcreateserial -out ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.pem -days 3650 -sha256 ************ Installation |
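Review bot: In the CODEOWNERS hunk, commenting out `* @vyos/reviewers` and replacing it with `* @rebortg` collapses the required-review gate for every path in the repository to a single account; if the team entry is only disabled temporarily, say so on the comment line, otherwise keep a team alongside the individual so reviews do not depend on one person. The file still ends without a trailing newline (`\ No newline at end of file`); add one so the next edit does not produce a spurious diff on this line.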
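Review bot: In the Remote Groups hunk of groups.rst the new paragraph has typos that should be fixed before merge: `linebreak-deliminated` should be `linebreak-delimited`, `list of IPv4s addresses` should be `list of IPv4 addresses`, and `pull this list periodicity` should be `pull this list periodically`. Because the fetched list is loaded straight into firewall match rules, the text should also say that the URL should be served over HTTPS, and clarify what happens when a fetch succeeds but no line parses (whether the group is emptied or the cached entries are kept), since the paragraph only covers the update-failure case. The reference to the firewall **resolver-interval** setting has no cross-reference; link to its `cfgcmd` entry so readers can find the default interval.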
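Review bot: In the first ospf.rst hunk the replacement sentence needs a grammar fix and line wrapping: `Cost calculation wireguard interfaces is unreliable as ospfv3 uses the link speed to calculate the link cost.` should read `Cost calculation on WireGuard interfaces is unreliable, as OSPFv3 uses the link speed to calculate the link cost.`, wrapped like the surrounding text rather than left on one long line. The hunk also drops the note that OSPFv3 over WireGuard requires manually configured link-local addresses (:vytask:`T1483`); the commit should state that this limitation is resolved, because the example below removes the `fe80::` addresses as well and only works if link-local addresses are now assigned automatically.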
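Review bot: In the second ospf.rst hunk, removing the `192.168.0.x/24` addresses and the `0.0.0.0/0` allowed-ips leaves the example IPv6-only over the tunnel while the `lo` and router-id lines are unchanged; the **Status** output that follows this block should be regenerated from the reduced configuration so it still matches. The added `cost 10` lines implement what the new paragraph recommends, but a sentence saying that 10 is an arbitrary fixed value that must be the same on both ends would help readers who copy the example.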
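Review bot: In the vrf/index.rst hunk, the command `route-map vrf import [route-map <name>]` repeats `route-map` and mixes a bracketed optional placeholder into a `cfgcmd` that otherwise uses mandatory arguments; check the syntax against the actual CLI and write it as one path, for example `... address-family <ipv4-unicast|ipv6-unicast> route-map vrf import <name>` (the exact CLI form should be confirmed before merge). The description should also say whether the route-map is applied in addition to the per-VRF import settings documented just above it.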
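Review bot: In the build-vyos.rst hunk, switching to `git clone --recurse-submodules` is correct, but readers who already have a checkout of vyos-1x will not pick up the submodules from this change; add a sentence telling them to run `git submodule update --init --recursive` in an existing clone.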
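Review bot: In the secure-boot.rst hunk the certificates are created without explicit X.509 extensions: the shim CA from `openssl req -new -x509` relies on whatever the default OpenSSL configuration supplies, and the kernel signing certificate from `openssl x509 -req ... -CAkey ...` gets none at all; pass an `-extfile` that sets `basicConstraints = CA:TRUE` on the CA and `keyUsage = digitalSignature` with `extendedKeyUsage = codeSigning` on the signer so each certificate declares its intended use and the signer cannot itself act as a CA. Two smaller points in the same hunk: `-days 3650 -outform PEM` on the CSR request line has no effect (validity is set by the `x509 -req ... -days 3650` line, which already does so), and `${CA_DIR}` must exist before the first command runs, so add `mkdir -p ${CA_DIR}` or state the prerequisite. Because both private keys are written unencrypted with `-nodes`, the text should say plainly that `data/certificates` holds the keys that make any signed kernel trusted by the enrolled shim, that it must not be committed or left on a shared build host, and that the CA key should be kept offline once the signer certificate has been issued.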