16 files changed, 413 insertions, 55 deletions

diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst
index c23a6184..a19cd9db 100644
--- a/docs/configuration/container/index.rst
+++ b/docs/configuration/container/index.rst
@@ -93,6 +93,11 @@ Configuration
 
     Volume is either mounted as rw (read-write - default) or ro (read-only)
 
+.. cfgcmd:: set container name <name> uid <number>
+.. cfgcmd:: set container name <name> gid <number>
+
+    Set the User ID or Group ID of the container
+
 .. cfgcmd:: set container name <name> restart [no | on-failure | always]
 
    Set the restart behavior of the container.
diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst
index 496c0cf9..30876efc 100644
--- a/docs/configuration/protocols/bfd.rst
+++ b/docs/configuration/protocols/bfd.rst
@@ -56,6 +56,13 @@ Configure BFD
 
    Disable a BFD peer
 
+.. cfgcmd:: set protocols bfd peer <address> minimum-ttl <1-254>
+
+   For multi hop sessions only. Configure the minimum expected TTL for an
+   incoming BFD control packet.
+
+   This feature serves the purpose of thightening the packet validation
+   requirements to avoid receiving BFD control packets from other sessions.
 
 Enable BFD in BGP
 -----------------
diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst
index 737e98fa..85bb41ca 100644
--- a/docs/configuration/protocols/bgp.rst
+++ b/docs/configuration/protocols/bgp.rst
@@ -209,35 +209,35 @@ Defining Peers
 .. cfgcmd:: set protocols bgp neighbor <address|interface> local-role
    <role> [strict]
 
-   BGP roles are defined in RFC :rfc:`9234` and provide an easy way to 
-   add route leak prevention, detection and mitigation. The local Role 
-   value is negotiated with the new BGP Role capability which has a 
-   built-in check of the corresponding value. In case of a mismatch the 
+   BGP roles are defined in RFC :rfc:`9234` and provide an easy way to
+   add route leak prevention, detection and mitigation. The local Role
+   value is negotiated with the new BGP Role capability which has a
+   built-in check of the corresponding value. In case of a mismatch the
    new OPEN Roles Mismatch Notification <2, 11> would be sent.
    The correct Role pairs are:
-   
+
    Provider - Customer
 
    Peer - Peer
 
    RS-Server - RS-Client
 
-   If :cfgcmd:`strict` is set the BGP session won’t become established 
-   until the BGP neighbor sets local Role on its side. This 
+   If :cfgcmd:`strict` is set the BGP session won’t become established
+   until the BGP neighbor sets local Role on its side. This
    configuration parameter is defined in RFC :rfc:`9234` and is used to
    enforce the corresponding configuration at your counter-parts side.
-   
-   Routes that are sent from provider, rs-server, or the peer local-role 
-   (or if received by customer, rs-client, or the peer local-role) will 
+
+   Routes that are sent from provider, rs-server, or the peer local-role
+   (or if received by customer, rs-client, or the peer local-role) will
    be marked with a new Only to Customer (OTC) attribute.
-   
+
    Routes with this attribute can only be sent to your neighbor if your
    local-role is provider or rs-server. Routes with this attribute can
-   be received only if your local-role is customer or rs-client. 
-   
+   be received only if your local-role is customer or rs-client.
+
    In case of peer-peer relationship routes can be received only if OTC
    value is equal to your neighbor AS number.
-   
+
    All these rules with OTC will help to detect and mitigate route leaks
    and happen automatically if local-role is set.
 
@@ -584,6 +584,12 @@ General Configuration
 Common parameters
 ^^^^^^^^^^^^^^^^^
 
+.. cfgcmd:: set protocols bgp parameters allow-martian-nexthop
+
+   When a peer receives a martian nexthop as part of the NLRI for a route
+   permit the nexthop to be used as such, instead of rejecting and resetting
+   the connection.
+
 .. cfgcmd:: set protocols bgp parameters router-id <id>
 
    This command specifies the router-ID. If router ID is not specified it will
@@ -598,6 +604,12 @@ Common parameters
    Path (both AS number and AS path length), Origin code, MED, IGP
    metric. Also, the next hop address for each path must be different.
 
+.. cfgcmd:: set protocols bgp parameters no-hard-administrative-reset
+
+   Do not send Hard Reset CEASE Notification for "Administrative Reset"
+   events. When set and Graceful Restart Notification capability is exchanged
+   between the peers, Graceful Restart procedures apply, and routes will be retained.
+
 .. cfgcmd:: set protocols bgp parameters log-neighbor-changes
 
    This command enable logging neighbor up/down changes and reset reason.
@@ -643,6 +655,16 @@ Common parameters
    compatibility with older versions of VyOS. With this option one can
    enable :rfc:`8212` functionality to operate.
 
+.. cfgcmd:: set protocols bgp parameters labeled-unicast <explicit-null |
+   ipv4-explicit-null | ipv6-explicit-null>
+
+   By default, locally advertised prefixes use the implicit-null label to
+   encode in the outgoing NLRI.
+
+   The following command uses the explicit-null label value for all the
+   BGP instances.
+
+
 Administrative Distance
 ^^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst
index 9891c77d..43680520 100644
--- a/docs/configuration/protocols/ospf.rst
+++ b/docs/configuration/protocols/ospf.rst
@@ -161,7 +161,7 @@ Optional
    This command specifies all interfaces as passive by default. Because this
    command changes the configuration logic to a default passive; therefore,
    interfaces where router adjacencies are expected need to be configured
-   with the :cfgcmd:`passive-interface-exclude` command.
+   by setting the :cfgcmd:`passive disable` flag for the specific interface.
 
 .. cfgcmd:: set protocols ospf maximum-paths <1-64>
 
diff --git a/docs/configuration/protocols/rpki.rst b/docs/configuration/protocols/rpki.rst
index 294a91f8..d40bfb5c 100644
--- a/docs/configuration/protocols/rpki.rst
+++ b/docs/configuration/protocols/rpki.rst
@@ -30,8 +30,8 @@ in :rfc:`8210`.
   If you are new to these routing security technologies then there is an
   `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed
   very quickly. Their documentation explains everything from what RPKI is to
-  deploying it in production. It also has some 
-  `help and operational guidance`_ including "What can I do about my route 
+  deploying it in production. It also has some
+  `help and operational guidance`_ including "What can I do about my route
   having an Invalid state?"
 
 ***************
@@ -109,6 +109,20 @@ Configuration
 
   The default value is 300 seconds.
 
+.. cfgcmd:: set protocols rpki expire-interval <600-172800>
+
+  Set the number of seconds the router waits until the router
+  expires the cache.
+
+  The default value is 7200 seconds.
+
+.. cfgcmd:: set protocols rpki retry-interval <1-7200>
+
+  Set the number of seconds the router waits until retrying to connect
+  to the cache server.
+
+  The default value is 600 seconds.
+
 .. cfgcmd:: set protocols rpki cache <address> port <port>
 
   Defined the IPv4, IPv6 or FQDN and port number of the caching RPKI caching
@@ -136,10 +150,6 @@ the connection.
 
   SSH username to establish an SSH connection to the cache server.
 
-.. cfgcmd:: set protocols rpki cache <address> ssh known-hosts-file <filepath>
-
-  Local path that includes the known hosts file.
-
 .. cfgcmd:: set protocols rpki cache <address> ssh private-key-file <filepath>
 
   Local path that includes the private key file of the router.
@@ -148,7 +158,7 @@ the connection.
 
   Local path that includes the public key file of the router.
 
-.. note:: When using SSH, known-hosts-file, private-key-file and public-key-file
+.. note:: When using SSH, private-key-file and public-key-file
   are mandatory options.
 
 *******
diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst
index 7624d309..e430dc73 100644
--- a/docs/configuration/service/dns.rst
+++ b/docs/configuration/service/dns.rst
@@ -156,6 +156,20 @@ avoid being tracked by the provider of your upstream DNS server.
    recursor does not like, it is throttled. Any servers matching the supplied
    netmasks will never be throttled.
 
+.. cfgcmd:: set service dns forwarding options ecs-add-for <address>
+
+   The requestor netmask for which the requestor IP Address should be used as the
+   EDNS Client Subnet for outgoing queries.
+
+.. cfgcmd:: set service dns forwarding options ecs-ipv4-bits <number>
+
+   Number of bits of client IPv4 address to pass when sending EDNS Client Subnet
+   address information.
+
+.. cfgcmd:: set service dns forwarding options edns-subnet-allow-list <address|domain>
+
+   The netmask or domain that EDNS Client Subnet should be enabled for in outgoing queries.
+
 Example
 =======
 
diff --git a/docs/configuration/service/ids.rst b/docs/configuration/service/ids.rst
new file mode 100644
index 00000000..3e508d50
--- /dev/null
+++ b/docs/configuration/service/ids.rst
@@ -0,0 +1,179 @@
+.. _ids:
+
+###############
+DDoS Protection
+###############
+
+**********
+FastNetMon
+**********
+
+FastNetMon is a high-performance DDoS detector/sensor built on top of multiple
+packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror). It can
+detect hosts in the deployed network sending or receiving large volumes of
+traffic, packets/bytes/flows per second and perform a configurable action to
+handle that event, such as calling a custom script.
+
+VyOS includes the FastNetMon Community Edition.
+
+Configuration
+=============
+
+.. cfgcmd:: set service ids ddos-protection alert-script <text>
+
+    Configure alert script that will be executed when an attack is detected.
+
+.. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294>
+
+    Configure how long an IP (attacker) should be kept in blocked state.
+    Default value is 1900.
+
+.. cfgcmd:: set service ids ddos-protection direction [in | out]
+
+    Configure direction for processing traffic. 
+
+.. cfgcmd:: set service ids ddos-protection exclude-network <x.x.x.x/x>
+.. cfgcmd:: set service ids ddos-protection exlude-network <h:h:h:h:h:h:h:h/x>
+
+    Specify IPv4 and/or IPv6 networks which are going to be excluded.
+
+.. cfgcmd:: set service ids ddos-protection listen-interface <text>
+
+    Configure listen interface for mirroring traffic.
+
+.. cfgcmd:: set service ids ddos-protection mode [mirror | sflow]
+
+    Configure traffic capture mode.
+
+.. cfgcmd:: set service ids ddos-protection network <x.x.x.x/x>
+.. cfgcmd:: set service ids ddos-protection network <h:h:h:h:h:h:h:h/x>
+
+    Specify IPv4 and/or IPv6 networks that should be protected/monitored.
+
+.. cfgcmd:: set service ids ddos-protection sflow listen-address <x.x.x.x>
+
+    Configure local IPv4 address to listen for sflow.
+
+.. cfgcmd:: set service ids ddos-protection sflow port <1-65535>
+
+    Configure port number to be used for sflow conection. Default port is 6343.
+
+.. cfgcmd:: set service ids ddos-protection threshold general
+   [fps | mbps | pps] <0-4294967294>
+
+    Configure general threshold parameters.
+
+.. cfgcmd:: set service ids ddos-protection threshold icmp
+   [fps | mbps | pps] <0-4294967294>
+
+    Configure ICMP threshold parameters.
+
+.. cfgcmd:: set service ids ddos-protection threshold tcp
+   [fps | mbps | pps] <0-4294967294>
+
+    Configure TCP threshold parameters
+
+.. cfgcmd:: set service ids ddos-protection threshold udp
+   [fps | mbps | pps] <0-4294967294>
+
+    Configure UDP threshold parameters
+
+Example
+=======
+
+A configuration example can be found in this section.
+In this simplified scenario, main things to be considered are:
+
+    * Network to be protected: 192.0.2.0/24 (public IPs use by
+      customers)
+
+    * **ban-time** and **threshold**: these values are kept very low in order
+      to easily identify and generate and attack.
+
+    * Direction: **in** and **out**. Protect public network from external
+      attacks, and identify internal attacks towards internet.
+
+    * Interface **eth0** used to connect to upstream.
+
+Since we are analyzing attacks to and from our internal network, two types
+of attacks can be identified, and differents actions are needed:
+
+    * External attack: an attack from the internet towards an internal IP
+      is identify. In this case, all connections towards such IP will be
+      blocked
+
+    * Internal attack: an attack from the internal network (generated by a
+      customer) towards the internet is identify. In this case, all connections
+      from this particular IP/Customer will be blocked.
+ 
+
+So, firewall configuration needed for this setup:
+
+.. code-block:: none
+
+    set firewall group address-group FNMS-DST-Block
+    set firewall group address-group FNMS-SRC-Block
+
+    set firewall ipv4 forward filter rule 10 action 'drop'
+    set firewall ipv4 forward filter rule 10 description 'FNMS - block destination'
+    set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block'
+
+    set firewall ipv4 forward filter rule 20 action 'drop'
+    set firewall ipv4 forward filter rule 20 description 'FNMS - Block source'
+    set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block'
+
+Then, FastNetMon configuration:
+
+.. code-block:: none
+
+    set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh'
+    set service ids ddos-protection ban-time '10'
+    set service ids ddos-protection direction 'in'
+    set service ids ddos-protection direction 'out'
+    set service ids ddos-protection listen-interface 'eth0'
+    set service ids ddos-protection mode 'mirror'
+    set service ids ddos-protection network '192.0.2.0/24'
+    set service ids ddos-protection threshold general pps '100'
+
+And content of the script:
+
+.. code-block:: none
+
+    #!/bin/bash
+
+    # alert-script is called twice.
+    # When an attack occurs, the program calls a bash script twice:
+    # 1st time when threshold exceed
+    # 2nd when we collect 100 packets for detailed audit of what happened.
+
+    # Do nothing if “attack_details” is passed as an argument
+    if [ "${4}" == "attack_details" ]; then
+        # Do nothing
+        exit
+    fi
+    # Arguments:
+    ip=$1
+    direction=$2
+    pps_rate=$3
+    action=$4 
+
+    logger -t FNMS "** Start - Running alert script **"
+
+    if [ "${direction}" == "incoming" ] ; then
+        group="FNMS-DST-Block"
+        origin="external"
+    else
+        group="FNMS-SRC-Block"
+        origin="internal"
+    fi
+
+    if [ "${action}" == "ban" ] ; then
+        logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address."
+        logger -t FNMS "Adding IP address ${ip} to firewall group ${group}."
+        sudo nft add element ip vyos_filter A_${group} { ${ip} }
+    else
+        logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}."
+        sudo nft delete element ip vyos_filter A_${group} { ${ip} }
+    fi
+    logger -t FNMS "** End - Running alert script **"
+    exit
diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst
index 1195348f..56ce55eb 100644
--- a/docs/configuration/service/index.rst
+++ b/docs/configuration/service/index.rst
@@ -13,7 +13,9 @@ Service
    dhcp-relay
    dhcp-server
    dns
+   eventhandler
    https
+   ids
    ipoe-server
    lldp
    mdns
@@ -26,4 +28,4 @@ Service
    ssh
    tftp-server
    webproxy
-   eventhandler
+   
diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst
index c219a063..ed4ade1a 100644
--- a/docs/configuration/service/ipoe-server.rst
+++ b/docs/configuration/service/ipoe-server.rst
@@ -72,8 +72,9 @@ IPv6 DNS addresses are optional.
 
   set service ipoe-server authentication interface eth3 mac 08:00:27:2F:D8:06
   set service ipoe-server authentication mode 'local'
-  set service ipoe-server client-ipv6-pool delegate '2001:db8:1::/48' delegation-prefix '56'
-  set service ipoe-server client-ipv6-pool prefix '2001:db8::/48' mask '64'
+  set service ipoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:1::/48' delegation-prefix '56'
+  set service ipoe-server client-ipv6-pool IPv6-POOL prefix '2001:db8::/48' mask '64'
+  set service ipoe-server default-ipv6-pool IPv6-POOL
   set service ipoe-server name-server '2001:db8::'
   set service ipoe-server name-server '2001:db8:aaa::'
   set service ipoe-server name-server '2001:db8:bbb::'
@@ -171,8 +172,9 @@ Server configuration
     set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000'
     set service ipoe-server authentication mode 'local'
     
-    set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56'
-    set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64'
+    set service ipoe-server client-ipv6-pool IPv6-POOL delegate 2001:db8:ffff::/48 delegation-prefix '56'
+    set service ipoe-server client-ipv6-pool IPv6-POOL prefix 2001:db8:fffe::/48 mask '64'
+    set service ipoe-server default-ipv6-pool IPv6-POOL
     set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24'
     set service ipoe-server interface eth1.50 mode 'l2'
     set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24'
diff --git a/docs/configuration/service/ntp.rst b/docs/configuration/service/ntp.rst
index 08be047c..e7ee392b 100644
--- a/docs/configuration/service/ntp.rst
+++ b/docs/configuration/service/ntp.rst
@@ -81,4 +81,33 @@ Configuration
 
 .. cfgcmd:: set service ntp vrf <name>
 
-  Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
+   Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
+
+.. cfgcmd:: set service ntp leap-second [ignore|smear|system|timezone]
+
+   Define how to handle leaf-seonds.
+
+   * `ignore`: No correction is applied to the clock for the leap second. The
+     clock will be corrected later in normal operation when new measurements are
+     made and the estimated offset includes the one second error.
+
+   * `smear`: When smearing a leap second, the leap status is suppressed on the
+     server and the served time is corrected slowly by slewing instead of
+     stepping. The clients do not need any special configuration as they do not
+     know there is any leap second and they follow the server time which
+     eventually brings them back to UTC. Care must be taken to ensure they use
+     only NTP servers which smear the leap second in exactly the same way for
+     synchronisation.
+
+   * `system`: When inserting a leap second, the kernel steps the system clock
+     backwards by one second when the clock gets to 00:00:00 UTC. When deleting
+     a leap second, it steps forward by one second when the clock gets to
+     23:59:59 UTC.
+
+   * `timezone`: This directive specifies a timezone in the system timezone
+     database which chronyd can use to determine when will the next leap second
+     occur and what is the current offset between TAI and UTC. It will
+     periodically check if 23:59:59 and 23:59:60 are valid times in the
+     timezone. This normally works with the right/UTC timezone which is the
+     default
+
diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst
index a230d9fe..56fcb968 100644
--- a/docs/configuration/service/pppoe-server.rst
+++ b/docs/configuration/service/pppoe-server.rst
@@ -266,11 +266,11 @@ other servers. Last command says that this PPPoE server can serve only
 IPv6
 ----
 
-IPv6 client's prefix assignment
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+IPv6 client's prefix
+^^^^^^^^^^^^^^^^^^^^
 
-.. cfgcmd:: set service pppoe-server client-ipv6-pool prefix <address>
-   mask <number-of-bits>
+.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME>
+   prefix <address> mask <number-of-bits>
 
    Use this comand to set the IPv6 address pool from which a PPPoE
    client will get an IPv6 prefix of your defined length (mask) to
@@ -281,8 +281,8 @@ IPv6 client's prefix assignment
 IPv6 Prefix Delegation
 ^^^^^^^^^^^^^^^^^^^^^^
 
-.. cfgcmd:: set service pppoe-server client-ipv6-pool delegate <address>
-   delegation-prefix <number-of-bits>
+.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME>
+   delegate <address> delegation-prefix <number-of-bits>
 
    Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You
    will have to set your IPv6 pool and the length of the delegation
@@ -291,6 +291,14 @@ IPv6 Prefix Delegation
    delegation prefix can be set from 32 to 64 bit long.
 
 
+IPv6 default client's pool assignment
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. cfgcmd:: set service pppoe-server default-ipv6-pool <POOL-NAME>
+
+   Use this command to define default IPv6 address pool name.
+
+
 Maintenance mode
 ================
 
@@ -374,8 +382,9 @@ The example below covers a dual-stack configuration via pppoe-server.
   set service pppoe-server authentication mode 'local'
   set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24'
   set service pppoe-server default-pool 'IP-POOL'
-  set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56'
-  set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64'
+  set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
+  set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
+  set service pppoe-server default-ipv6-pool IPv6-POOL
   set service pppoe-server ppp-options ipv6 allow
   set service pppoe-server name-server '10.1.1.1'
   set service pppoe-server name-server '2001:db8:4860::8888'
diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst
index c9c9bfb1..4a1c3bd3 100644
--- a/docs/configuration/system/option.rst
+++ b/docs/configuration/system/option.rst
@@ -22,6 +22,14 @@ General
 
     Play an audible beep to the system speaker when system is ready.
 
+Kernel
+======
+
+.. cfgcmd:: set system option kernel disable-mitigations
+
+    Disable all optional CPU mitigations. This improves system performance,
+    but it may also expose users to several CPU vulnerabilities.
+
 ***********
 HTTP client
 ***********
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index 31d4adc3..f0c6c723 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -49,9 +49,9 @@ VyOS IKE group has the next options:
 
  * ``none`` set action to none (default);
  
- * ``hold`` set action to hold;
+ * ``trap`` installs a trap policy for the CHILD_SA;
  
- * ``restart`` set action to restart;
+ * ``start`` tries to immediately re-create the CHILD_SA;
  
 * ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol 
   (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty 
@@ -60,11 +60,13 @@ VyOS IKE group has the next options:
   
  * ``action`` keep-alive failure action:
  
-  * ``hold`` set action to hold (default)
+  * ``trap``  installs a trap policy, which will catch matching traffic
+    and tries to re-negotiate the tunnel on-demand;
   
-  * ``clear`` set action to clear;
+  * ``clear`` closes the CHILD_SA and does not take further action (default);
   
-  * ``restart`` set action to restart;
+  * ``restart`` immediately tries to re-negotiate the CHILD_SA
+    under a fresh IKE_SA;
   
  * ``interval`` keep-alive interval in seconds <2-86400> (default 30);
  
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index 8e9bf0eb..f0724588 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -98,7 +98,7 @@ Below is an example to configure a LNS:
   set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
   set vpn l2tp remote-access default-pool 'L2TP-POOL'
   set vpn l2tp remote-access lns shared-secret 'secret'
-  set vpn l2tp remote-access ccp-disable
+  set vpn l2tp remote-access ppp-options disable-ccp
   set vpn l2tp remote-access authentication mode local
   set vpn l2tp remote-access authentication local-users username test password 'test'
 
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 23df1b76..78cadfb5 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -317,7 +317,7 @@ Imagine the following topology
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
   set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
-  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
   set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
@@ -357,7 +357,7 @@ Imagine the following topology
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
   set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
-  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
   set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
@@ -397,18 +397,18 @@ Key Parameters:
   routes installed in the default table 220 for site-to-site ipsec.
   It is mostly used with VTI configuration.
 
-* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
+* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE
   notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
   are periodically sent in order to check the liveliness of the IPsec peer. The
-  values clear, hold, and restart all activate DPD and determine the action to
+  values clear, trap, and restart all activate DPD and determine the action to
   perform on a timeout.
   With ``clear`` the connection is closed with no further actions taken.
-  ``hold`` installs a trap policy, which will catch matching traffic and tries
+  ``trap`` installs a trap policy, which will catch matching traffic and tries
   to re-negotiate the connection on demand.
   ``restart`` will immediately trigger an attempt to re-negotiate the
   connection.
 
-* ``close-action = none | clear | hold | restart`` - defines the action to take
+* ``close-action = none | clear | trap | start`` - defines the action to take
   if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
   values). A closeaction should not be used if the peer uses reauthentication or
   uniqueids.
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index fa2b96c8..e3f0d32d 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -132,7 +132,8 @@ Configuration
    Use this command to define default address pool name.
 
 
-.. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits>
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
+   mask <number-of-bits>
 
   Use this comand to set the IPv6 address pool from which an SSTP client
   will get an IPv6 prefix of your defined length (mask) to terminate the
@@ -140,8 +141,8 @@ Configuration
   bit long, the default value is 64.
 
 
-.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix
-   <number-of-bits>
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
+   delegation-prefix <number-of-bits>
 
   Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
   SSTP. You will have to set your IPv6 pool and the length of the
@@ -150,6 +151,11 @@ Configuration
   delegation prefix can be set from 32 to 64 bit long.
 
 
+.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
+
+   Use this command to define default IPv6 address pool name.
+
+
 .. cfgcmd:: set vpn sstp name-server <address>
 
   Connected client should use `<address>` as their DNS server. This
@@ -173,35 +179,98 @@ SSL Certificates
 PPP Settings
 ------------
 
+.. cfgcmd:: set vpn sstp ppp-options disable-ccp
+
+  Disable Compression Control Protocol (CCP).
+  CCP is enabled by default.
+
+.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
+
+  Specifies number of interfaces to keep in cache. It means that don’t
+  destroy interface after corresponding session is destroyed, instead
+  place it to cache and use it later for new sessions repeatedly.
+  This should reduce kernel-level interface creation/deletion rate lack.
+  Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
+
+  Specifies IPv4 negotiation preference.
+
+  * **require** - Require IPv4 negotiation
+  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv4 only if client requests (Default value)
+  * **deny** - Do not negotiate IPv4
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny>
+
+  Specifies IPv6 negotiation preference.
+
+  * **require** - Require IPv6 negotiation
+  * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv6 only if client requests
+  * **deny** - Do not negotiate IPv6 (default value)
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
+
+  Accept peer interface identifier. By default is not defined.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies fixed or random interface identifier for IPv6.
+  By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies peer interface identifier for IPv6. By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+  * **ipv4-addr** - Calculate interface identifier from IPv4 address.
+  * **calling-sid** - Calculate interface identifier from calling-station-id.
+
 .. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
 
   Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
-  value `<number>`, the session will be reset.
+  value `<number>`, the session will be reset. Default value is **3**.
 
 .. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
 
   If this option is specified and is greater than 0, then the PPP module will
   send LCP pings of the echo request every `<interval>` seconds.
+  Default value is **30**.
 
 .. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
 
   Specifies timeout in seconds to wait for any peer activity. If this option
   specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
-  is not used.
+  is not used. Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options min-mtu <number>
+
+  Defines minimum acceptable MTU. If client will try to negotiate less then
+  specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+  Default value is **100**.
 
 .. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
 
-  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
+  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
   preference.
 
   * **require** - ask client for mppe, if it rejects drop connection
-  * **prefer** - ask client for mppe, if it rejects don't fail
+  * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
   * **deny** - deny mppe
 
   Default behavior - don't ask client for mppe, but allow it if client wants.
   Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
   attribute.
 
+.. cfgcmd:: set vpn sstp ppp-options mru <number>
+
+  Defines preferred MRU. By default is not defined.
+
 
 RADIUS
 ------