Diffstat (limited to 'docs/configuration')
-rw-r--r--  docs/configuration/firewall/general-legacy.rst   6
-rw-r--r--  docs/configuration/firewall/general.rst          7
-rw-r--r--  docs/configuration/firewall/index.rst            4
-rw-r--r--  docs/configuration/firewall/zone.rst            21
-rw-r--r--  docs/configuration/interfaces/macsec.rst        49
-rw-r--r--  docs/configuration/interfaces/vxlan.rst         32
-rw-r--r--  docs/configuration/interfaces/wireguard.rst      4
-rw-r--r--  docs/configuration/interfaces/wireless.rst      13
-rw-r--r--  docs/configuration/nat/nat44.rst                 2
-rw-r--r--  docs/configuration/protocols/index.rst           1
-rw-r--r--  docs/configuration/protocols/pim6.rst           94
-rw-r--r--  docs/configuration/vpn/dmvpn.rst                 4
-rw-r--r--  docs/configuration/vpn/ipsec.rst                27
-rw-r--r--  docs/configuration/vrf/index.rst                 8
14 files changed, 228 insertions, 44 deletions
diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst
index de91e54b..2e6b0061 100644
--- a/docs/configuration/firewall/general-legacy.rst
+++ b/docs/configuration/firewall/general-legacy.rst
@@ -1,6 +1,6 @@
:lastproofread: 2021-06-29
-.. _firewall:
+.. _firewall-legacy:
###############
Firewall-Legacy
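Review bot: renaming the label ".. _firewall:" to ".. _firewall-legacy:" will leave any existing ":ref:`firewall`" cross-references dangling unless general.rst or index.rst now defines a ".. _firewall:" label of its own. zone.rst in this same commit already switches to ":ref:`firewall-legacy`", but please grep the tree for remaining ":ref:`firewall`" uses before merging, since Sphinx only warns about them rather than failing the build.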
@@ -8,7 +8,7 @@ Firewall-Legacy
.. note:: **Important note:**
This documentation is valid only for VyOS Sagitta prior to
- 1.4-rolling-YYYYMMDDHHmm
+ 1.4-rolling-202308040557
********
Overview
@@ -153,7 +153,7 @@ Groups
******
Firewall groups represent collections of IP addresses, networks, ports,
-mac addresses or domains. Once created, a group can be referenced by
+mac addresses or domains. Once created, a group can be referenced by
firewall, nat and policy route rules as either a source or destination
matcher. Members can be added or removed from a group without changes to,
or the need to reload, individual firewall rules.
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
index 3ef60263..0e172a24 100644
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@@ -78,10 +78,11 @@ Where, main key words and configuration paths that needs to be understood:
.. note:: **Important note about default-actions:**
If default action for any chain is not defined, then the default
- action is set to **drop** for that chain.
+ action is set to **accept** for that chain. Only for custom chains,
+ the default action is set to **drop**.
Custom firewall chains can be created, with commands
-``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In Order to use
+``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use
such custom chain, a rule with **action jump**, and the appropiate **target**
should be defined in a base chain.
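Review bot: the corrected default (accept for base chains, drop only for custom chains) is a security-relevant behaviour that deserves more than a one-line note: an omitted default-action on a base chain now lets traffic through rather than blocking it, so the text should say explicitly which chains are base chains and recommend setting "default-action drop" on any base chain the user intends to filter. While this paragraph is being edited, the unchanged context line "the appropiate **target**" has a typo (appropriate).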
@@ -1502,4 +1503,4 @@ Update geoip database
.. opcmd:: update geoip
- Command used to update GeoIP database and firewall sets. \ No newline at end of file
+ Command used to update GeoIP database and firewall sets.
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 94ae6ca5..567e48a0 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -3,7 +3,7 @@ Firewall
########
Starting from VyOS 1.4-rolling-202308040557, a new firewall structure
-can be found on all vyos instalations. Documentation for most new firewall
+can be found on all vyos installations. Documentation for most new firewall
cli can be found here:
.. toctree::
@@ -12,7 +12,7 @@ cli can be found here:
general
-Also, for those who haven't update to newer version, legacy documentation is
+Also, for those who haven't updated to newer version, legacy documentation is
still present and valid for all sagitta version prior to VyOS
1.4-rolling-202308040557:
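Review bot: the grammar fix is only partial; "haven't updated to newer version" should read "haven't updated to a newer version", and "all sagitta version prior to" should read "all Sagitta versions prior to" to match the capitalisation used in general-legacy.rst.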
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
index 403de912..70ad7b65 100644
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@@ -6,13 +6,24 @@
Zone Based Firewall
###################
-.. note:: **Important note:**
- This documentation is valid only for VyOS Sagitta prior to
- 1.4-rolling-YYYYMMDDHHmm
+.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
+ structure can be found on all vyos instalations, and zone based firewall is
+ no longer supported. Documentation for most of the new firewall CLI can be
+ found in the `firewall
+ <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
+ chapter. The legacy firewall is still available for versions before
+ 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
+ chapter. The examples in this section use the legacy firewall configuration
+ commands, since this feature has been removed in earlier releases.
+
+.. note:: For latest releases, refer the `firewall
+ <https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_
+ main page to configure zone based rules. New syntax was introduced here
+ :vytask:`T5160`
In zone-based policy, interfaces are assigned to zones, and inspection policy
is applied to traffic moving between the zones and acted on according to
-firewall rules. A Zone is a group of interfaces that have similar functions or
+firewall rules. A zone is a group of interfaces that have similar functions or
features. It establishes the security borders of a network. A zone defines a
boundary where traffic is subjected to policy restrictions as it crosses to
another region of a network.
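Review bot: the closing sentence of the first note, "since this feature has been removed in earlier releases", is inverted: the note itself says zone-based firewall is no longer supported starting from 1.4-rolling-202308040557, so it was removed in later releases, not earlier ones. The same line also carries "vyos instalations", the typo that index.rst fixes in this very commit, and the second note's "refer the" should read "refer to the".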
@@ -40,7 +51,7 @@ firewall can be created to simplify configuration when multiple interfaces
belong to the same security zone. Instead of applying rule-sets to interfaces,
they are applied to source zone-destination zone pairs.
-An basic introduction to zone-based firewalls can be found `here
+A basic introduction to zone-based firewalls can be found `here
<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
and an example at :ref:`examples-zone-policy`.
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst
index 60877d73..0c0c052b 100644
--- a/docs/configuration/interfaces/macsec.rst
+++ b/docs/configuration/interfaces/macsec.rst
@@ -44,6 +44,30 @@ MACsec options
A physical interface is required to connect this MACsec instance to. Traffic
leaving this interface will now be authenticated/encrypted.
+Static Keys
+-----------
+Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each
+device wishing to use MACsec. Keys must be set statically on all devices for traffic
+to flow properly. Key rotation is dependent on the administrator updating all keys
+manually across connected devices. Static SAK mode can not be used with MKA.
+
+.. cfgcmd:: set interfaces macsec <interface> security static key <key>
+
+ Set the device's transmit (TX) key. This key must be a hex string that is 16-bytes
+ (GCM-AES-128) or 32-bytes (GCM-AES-256).
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> mac <mac address>
+
+ Set the peer's MAC address
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> key <key>
+
+ Set the peer's key used to receive (RX) traffic
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> disable
+
+ Disable the peer configuration
+
Key Management
--------------
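Review bot: the abbreviation expansion "SAK (Secure Authentication Key)" is wrong; in IEEE 802.1AE the SAK is the Secure Association Key, and the Key Management section below should use the same term. The length description "a hex string that is 16-bytes (GCM-AES-128) or 32-bytes (GCM-AES-256)" is also ambiguous: the example keys further down are 32 hex characters, i.e. the hex encoding of a 16-byte key, so phrase it as "the hex encoding of a 16-byte (32 hex character) key for GCM-AES-128 or a 32-byte (64 hex character) key for GCM-AES-256". Minor: "can not be used with MKA" should read "cannot".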
@@ -188,3 +212,28 @@ the unencrypted but authenticated content.
0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+
0x0080: a282 c842 5254 ef28 ...BRT.(
+**R1 Static Key**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.1/24'
+ set interfaces macsec macsec1 address '2001:db8::1/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02
+ set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 source-interface 'eth1'
+
+**R2 Static Key**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.2/24'
+ set interfaces macsec macsec1 address '2001:db8::2/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01
+ set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 source-interface 'eth1' \ No newline at end of file
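Review bot: the R2 configuration names its peer R2 while pointing at R1's MAC address (00:11:22:33:44:01) and R1's TX key, so the two lines "set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01" and "set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'" should read "peer R1". The key wiring itself is correct (each side's static key is the other side's peer key). The file also ends without a trailing newline, the same defect general.rst fixes in this commit.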
diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst
index 86568686..2cb0b2f1 100644
--- a/docs/configuration/interfaces/vxlan.rst
+++ b/docs/configuration/interfaces/vxlan.rst
@@ -132,6 +132,36 @@ For optimal scalability, Multicast shouldn't be used at all, but instead use BGP
to signal all connected devices between leaves. Unfortunately, VyOS does not yet
support this.
+Single VXLAN device (SVD)
+=========================
+
+FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when
+working with the Linux kernel. In this new way, the mapping of a VLAN to a
+:abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))` is configured
+against a container VXLAN interface which is referred to as a
+:abbr:`SVD (Single VXLAN device)`.
+
+Multiple VLAN to VNI mappings can be configured against the same SVD. This
+allows for a significant scaling of the number of VNIs since a separate VXLAN
+interface is no longer required for each VNI.
+
+.. cfgcmd:: set interfaces vxlan <interface> vlan-to-vni <vlan> vni <vni>
+
+ Maps the VNI to the specified VLAN id. The VLAN can then be consumed by
+ a bridge.
+
+ Sample configuration of SVD with VLAN to VNI mappings is shown below.
+
+ .. code-block:: none
+
+ set interfaces bridge br0 member interface vxlan0
+ set interfaces vxlan vxlan0 external
+ set interfaces vxlan vxlan0 source-interface 'dum0'
+ set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010'
+ set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011'
+ set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030'
+ set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031'
+
Example
-------
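Review bot: the sample configuration enslaves vxlan0 to br0 but does not say whether the bridge must be VLAN-aware for the VLAN-to-VNI mappings to be usable; since the text says "The VLAN can then be consumed by a bridge", the sample should show or state the bridge-side VLAN configuration required. Also, the nested parentheses in ":abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))`" render awkwardly as a tooltip; "VNI (VXLAN Network Identifier, also called VXLAN Segment ID)" reads better.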
@@ -252,7 +282,7 @@ advertised.
set interfaces bridge br241 member interface 'eth1.241'
set interfaces bridge br241 member interface 'vxlan241'
-Binds eth1.241 and vxlan241 to each other by making them both member
+Binds eth1.241 and vxlan241 to each other by making them both member
interfaces of the same bridge.
.. code-block:: none
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index 5eb10fe8..d2916d9f 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -183,6 +183,10 @@ traffic.
The command :opcmd:`show interfaces wireguard wg01 public-key` will then show the
public key, which needs to be shared with the peer.
+.. cmdinclude:: /_include/interface-per-client-thread.txt
+ :var0: wireguard
+ :var1: wg01
+
**remote side - commands**
.. code-block:: none
diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst
index f45101b5..e853a1ec 100644
--- a/docs/configuration/interfaces/wireless.rst
+++ b/docs/configuration/interfaces/wireless.rst
@@ -122,6 +122,10 @@ Wireless options
* ``station`` - Connects to another access point
* ``monitor`` - Passively monitor all packets on the frequency/channel
+.. cmdinclude:: /_include/interface-per-client-thread.txt
+ :var0: wireless
+ :var1: wlan0
+
PPDU
----
@@ -304,6 +308,7 @@ default physical device (``phy0``) is used.
set interfaces wireless wlan0 type station
set interfaces wireless wlan0 address dhcp
+ set interfaces wireless wlan0 country-code de
set interfaces wireless wlan0 ssid Test
set interfaces wireless wlan0 security wpa passphrase '12345678'
@@ -315,6 +320,7 @@ Resulting in
[...]
wireless wlan0 {
address dhcp
+ country-code de
security {
wpa {
passphrase "12345678"
@@ -350,6 +356,7 @@ The WAP in this example has the following characteristics:
.. code-block:: none
set interfaces wireless wlan0 address '192.168.2.1/24'
+ set interfaces wireless wlan0 country-code de
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
@@ -367,6 +374,7 @@ Resulting in
[...]
wireless wlan0 {
address 192.168.2.1/24
+ country-code de
channel 1
mode n
security {
@@ -385,11 +393,6 @@ Resulting in
type access-point
}
}
- system {
- [...]
- wifi-regulatory-domain DE
- }
-
VLAN
====
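Review bot: removing "system wifi-regulatory-domain DE" from the rendered configuration without a sentence in the prose leaves readers of older setups guessing; add a line to the example text stating that the regulatory domain is now set per interface with "country-code", as the earlier hunks in this file do for both the station and access-point examples.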
diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst
index 9aeb581e..c660f8f4 100644
--- a/docs/configuration/nat/nat44.rst
+++ b/docs/configuration/nat/nat44.rst
@@ -740,14 +740,12 @@ external interface in the image above)
.. code-block:: none
- set vpn ipsec ike-group my-ike ikev2-reauth 'no'
set vpn ipsec ike-group my-ike key-exchange 'ikev1'
set vpn ipsec ike-group my-ike lifetime '7800'
set vpn ipsec ike-group my-ike proposal 1 dh-group '14'
set vpn ipsec ike-group my-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group my-ike proposal 1 hash 'sha256'
- set vpn ipsec esp-group my-esp compression 'disable'
set vpn ipsec esp-group my-esp lifetime '3600'
set vpn ipsec esp-group my-esp mode 'tunnel'
set vpn ipsec esp-group my-esp pfs 'disable'
diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst
index 29dc230f..237608a1 100644
--- a/docs/configuration/protocols/index.rst
+++ b/docs/configuration/protocols/index.rst
@@ -16,6 +16,7 @@ Protocols
mpls
segment-routing
ospf
+ pim6
rip
rpki
static
diff --git a/docs/configuration/protocols/pim6.rst b/docs/configuration/protocols/pim6.rst
new file mode 100644
index 00000000..1d316cfb
--- /dev/null
+++ b/docs/configuration/protocols/pim6.rst
@@ -0,0 +1,94 @@
+.. _pim6:
+
+##############
+IPv6 Multicast
+##############
+
+VyOS facilitates IPv6 Multicast by supporting **PIMv6** and **MLD**.
+
+PIMv6 (Protocol Independent Multicast for IPv6) must be configured in every
+interface of every participating router. Every router must also have the
+location of the Rendevouz Point manually configured.
+Then, unidirectional shared trees rooted at the Rendevouz Point will
+automatically be built for multicast distribution.
+
+Traffic from multicast sources will go to the Rendezvous Point, and receivers
+will pull it from a shared tree using MLD (Multicast Listener Discovery).
+
+Multicast receivers will talk MLD to their local router, so, besides having
+PIMv6 configured in every router, MLD must also be configured in any router
+where there could be a multicast receiver locally connected.
+
+VyOS supports both MLD version 1 and version 2
+(which allows source-specific multicast).
+
+Basic commands
+==============
+These are the commands for a basic setup.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name>
+
+ Use this command to enable PIMv6 in the selected interface so that it
+ can communicate with PIMv6 neighbors. This command also enables MLD reports
+ and query on the interface unless :cfgcmd:`mld disable` is configured.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld disable
+
+ Disable MLD reports and query on the interface.
+
+
+Tuning commands
+===============
+You can also tune multicast with the following commands.
+
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld interval <seconds>
+
+ Use this command to configure in the selected interface the MLD
+ host query interval (1-65535) in seconds that PIM will use.
+ The default value is 125 seconds.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld join <multicast-address>
+
+ Use this command to allow the selected interface to join a multicast group.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld join <multicast-address> source <source-address>
+
+ Use this command to allow the selected interface to join a source-specific multicast
+ group.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld last-member-query-count <count>
+
+ Set the MLD last member query count. The default value is 2.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld last-member-query-interval <milliseconds>
+
+ Set the MLD last member query interval in milliseconds (100-6553500). The default value is 1000 milliseconds.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld max-response-time <milliseconds>
+
+ Set the MLD query response timeout in milliseconds (100-6553500). The default value is 10000 milliseconds.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld version <version-number>
+
+ Set the MLD version used on this interface. The default value is 2.
+
+*********************
+Configuration Example
+*********************
+
+To enable MLD reports and query on interfaces `eth0` and `eth1`:
+
+.. code-block:: none
+
+ set protocols pim6 interface eth0
+ set protocols pim6 interface eth1
+
+The following configuration explicitly joins multicast group `ff15::1234` on interface `eth1`
+and source-specific multicast group `ff15::5678` with source address `2001:db8::1` on interface
+`eth1`:
+
+.. code-block:: none
+
+ set protocols pim6 interface eth0 mld join ff15::1234
+ set protocols pim6 interface eth1 mld join ff15::5678 source 2001:db8::1
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
index 6680d46a..a85e03b4 100644
--- a/docs/configuration/vpn/dmvpn.rst
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -200,7 +200,6 @@ Hub
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
- set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
@@ -208,7 +207,6 @@ Hub
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
- set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
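Review bot: not introduced by this patch, but since the hub example is being edited anyway, the remaining context lines still propose "3des" with "md5" and "dh-group '2'", which readers copy verbatim; consider replacing proposal 2 with an AES/SHA-2 option and a stronger DH group at the same time, so the documentation does not keep advertising deprecated algorithms.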
@@ -309,7 +307,6 @@ VyOS can also run in DMVPN spoke mode.
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
- set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
@@ -318,7 +315,6 @@ VyOS can also run in DMVPN spoke mode.
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB close-action 'none'
- set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index 327f3abb..c91feea0 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -51,8 +51,6 @@ VyOS IKE group has the next options:
* ``hold`` set action to hold;
- * ``clear`` set action to clear;
-
* ``restart`` set action to restart;
* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol
@@ -73,11 +71,9 @@ VyOS IKE group has the next options:
* ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only
* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate
- the peer. In IKEv1, reauthentication is always done:
-
- * ``yes`` enable remote host re-authentication during an IKE rekey;
-
- * ``no`` disable remote host re-authenticaton during an IKE rekey;
+ the peer. In IKEv1, reauthentication is always done.
+ Setting this parameter enables remote host re-authentication during an IKE
+ rekey.
* ``key-exchange`` which protocol should be used to initialize the connection
If not set both protocols are handled and connections will use IKEv2 when
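Review bot: now that "ikev2-reauth" is a presence flag rather than a yes/no value, the text should state the default explicitly, i.e. that when the flag is absent an IKEv2 rekey does not reauthenticate the peer; "Setting this parameter enables remote host re-authentication during an IKE rekey" implies this but a reader migrating from the old "no" value will look for the default.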
@@ -87,13 +83,10 @@ VyOS IKE group has the next options:
* ``ikev2`` use IKEv2 for Key Exchange;
-* ``lifetime`` IKE lifetime in seconds <30-86400> (default 28800);
-
-* ``mobike`` enable MOBIKE Support. MOBIKE is only available for IKEv2:
+* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800);
- * ``enable`` enable MOBIKE (default for IKEv2);
-
- * ``disable`` disable MOBIKE;
+* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2
+ and enabled by default.
* ``mode`` IKEv1 Phase 1 Mode Selection:
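Review bot: the "lifetime" range is widened from <30-86400> to <0-86400> without saying what 0 means; if 0 disables IKE SA rekeying, say so here, since an unrekeyed IKE SA is a meaningful security trade-off a user should make deliberately. The "disable-mobike" entry reads well; "MOBIKE Support" should be lower-case "support" for consistency with the surrounding bullets.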
@@ -126,12 +119,8 @@ Multiple proposals can be specified in a single group.
VyOS ESP group has the next options:
-* ``compression`` whether IPComp compression of content is proposed
- on the connection:
-
- * ``disable`` disable IPComp compression (default);
-
- * ``enable`` enable IPComp compression;
+* ``compression`` Enables the IPComp(IP Payload Compression) protocol which
+ allows compressing the content of IP packets.
* ``life-bytes`` ESP life in bytes <1024-26843545600000>.
Number of bytes transmitted over an IPsec SA before it expires;
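Review bot: "IPComp(IP Payload Compression)" is missing a space before the parenthesis, and the rewritten bullet no longer states the default; since "compression" is now a presence flag, add that IPComp is not proposed unless the flag is set, mirroring the removal of the explicit "compression 'disable'" lines from the nat44 and dmvpn examples in this commit.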
diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst
index 8834ad33..a51aca52 100644
--- a/docs/configuration/vrf/index.rst
+++ b/docs/configuration/vrf/index.rst
@@ -425,6 +425,14 @@ address-family.
automatically assigned from a pool maintained.
.. cfgcmd:: set vrf name <name> protocols bgp address-family
+ <ipv4-unicast|ipv6-unicast> label vpn allocation-mode per-nexthop
+
+ Select how labels are allocated in the given VRF. By default, the per-vrf
+ mode is selected, and one label is used for all prefixes from the VRF. The
+ per-nexthop will use a unique label for all prefixes that are reachable via
+ the same nexthop.
+
+.. cfgcmd:: set vrf name <name> protocols bgp address-family
<ipv4-unicast|ipv6-unicast> route-map vpn <import|export>
[route-map <name>]
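Review bot: the cfgcmd signature lists only "label vpn allocation-mode per-nexthop" while the description says per-vrf is the default; either show the full value set, e.g. "allocation-mode <per-vrf|per-nexthop>", or state that per-vrf is implied by leaving the option unset. Wording: "The per-nexthop will use a unique label" should read "Per-nexthop mode uses a unique label", and the unchanged context line "automatically assigned from a pool maintained." is an unfinished sentence worth completing while this section is open.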