Diffstat (limited to 'docs')
-rw-r--r-- | docs/automation/vyos-api.rst | 31
-rw-r--r-- | docs/cli.rst | 1
-rw-r--r-- | docs/configuration/container/index.rst | 14
-rw-r--r-- | docs/configuration/firewall/groups.rst | 23
-rw-r--r-- | docs/configuration/firewall/zone.rst | 101
-rw-r--r-- | docs/configuration/protocols/failover.rst | 9
-rw-r--r-- | docs/configuration/service/dhcp-server.rst | 209
-rw-r--r-- | docs/configuration/service/ipoe-server.rst | 5
-rw-r--r-- | docs/configuration/service/pppoe-server.rst | 7
-rw-r--r-- | docs/configuration/service/router-advert.rst | 5
-rw-r--r-- | docs/configuration/service/ssh.rst | 31
-rw-r--r-- | docs/configuration/system/login.rst | 7
-rw-r--r-- | docs/configuration/system/option.rst | 15
-rw-r--r-- | docs/configuration/vpn/l2tp.rst | 5
-rw-r--r-- | docs/configuration/vpn/pptp.rst | 5
-rw-r--r-- | docs/configuration/vpn/sstp.rst | 5
16 files changed, 397 insertions, 76 deletions
diff --git a/docs/automation/vyos-api.rst b/docs/automation/vyos-api.rst index a9518a00..0955cca1 100644 --- a/docs/automation/vyos-api.rst +++ b/docs/automation/vyos-api.rst @@ -517,3 +517,34 @@ To Load a configuration file. "data": null, "error": null } + +To Merge a configuration file. + +.. code-block:: none + + curl -k --location --request POST 'https://vyos/config-file' \ + --form data='{"op": "merge", "file": "/config/test.config"}' \ + --form key='MY-HTTPS-API-PLAINTEXT-KEY' + + response: + { + "success": true, + "data": null, + "error": null + } + +In either of the last two cases, one can pass a string in the body of the +request, for example: + +.. code-block:: none + + curl -k --location --request POST 'https://vyos/config-file' \ + --form data='{"op": "merge", "string": "interfaces {\nethernet eth1 {\naddress "192.168.2.137/24"\ndescription "test"\n}\n}\n"}' \ + --form key='MY-HTTPS-API-PLAINTEXT-KEY' + + response: + { + "success": true, + "data": null, + "error": null + } diff --git a/docs/cli.rst b/docs/cli.rst index 74e803dc..550494fa 100644 --- a/docs/cli.rst +++ b/docs/cli.rst @@ -116,6 +116,7 @@ impact on a particular users in the network. 192.0.2.54. - ``reset vpn ipsec site-to-site peer vpn.example.com`` — terminates IPsec tunnels to ``vpn.example.com``. +- ``reset session tty1`` — terminates the TTY user session ``tty1`` restart ''''''' diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index 5882f6db..8d5ca3de 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst 
@@ -282,6 +282,20 @@ Container Registry set container registry 192.168.1.1:8080 insecure +Log Configuration +==================== + +.. cfgcmd:: set container log-driver [k8s-file | journald] + + Set the default log driver for containers. + + - **k8s-file**: Logs to a plain text new line deliminated json file + - **journald**: Logs to the systems journal + + Current default is k8s-file. Using journald will result in the logs + not showing up in the container log operation command but the global log command. + + ****************** Operation Commands ****************** diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst index 64221413..b1accca5 100644 --- a/docs/configuration/firewall/groups.rst +++ b/docs/configuration/firewall/groups.rst 
@@ -41,28 +41,33 @@ Remote Groups ============== A **remote-group** takes an argument of a URL hosting a linebreak-deliminated -list of IPv4s addresses, CIDRs and ranges. VyOS will pull this list periodicity +list of IPv4 and/or IPv6 addresses, CIDRs and ranges. VyOS will pull this list periodicity according to the frequency defined in the firewall **resolver-interval** and load matching entries into the group for use in rules. The list will be cached in persistent storage, so in cases of update failure rules will still function. .. cfgcmd:: set firewall group remote-group <name> url <http(s) url> - Define remote list of IPv4 addresses/ranges/CIDRs to fetch + Define remote list of IPv4 and/or IPv6 addresses/ranges/CIDRs to fetch .. cfgcmd:: set firewall group remote-group <name> description <text> - Set a description for a remote group + Set a description for a remote group The format of the remote list is very flexible. VyOS will attempt to parse the first word of each line as an entry, and will skip if it cannot find a valid -match. Below is a list of acceptable matches that would be parsed correctly: +match. Lines that begin with an alphanumeric character but do not match valid IPv4 +or IPv6 addresses, ranges, or CIDRs will be logged to the system log. Below is a +list of acceptable matches that would be parsed correctly: .. code-block:: none 127.0.0.1 127.0.0.0/24 127.0.0.1-127.0.0.254 + 2001:db8::1 + 2001:db8:cafe::/48 + 2001:db8:cafe::1-2001:db8:cafe::ffff Network Groups ============== @@ -258,7 +263,7 @@ As any other firewall group, dynamic firewall groups can be used in firewall rules as matching options. For example: .. code-block:: none - + set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR 
@@ -272,10 +277,10 @@ General example As said before, once firewall groups are created, they can be referenced either in firewall, nat, nat66 and/or policy-route rules. -Here is an example were multiple groups are created: +Here is an example were multiple groups are created: .. code-block:: none - + set firewall group address-group SERVERS address 198.51.100.101 set firewall group address-group SERVERS address 198.51.100.102 set firewall group network-group TRUSTEDv4 network 192.0.2.0/30 @@ -290,7 +295,7 @@ Here is an example were multiple groups are created: And next, some configuration example where groups are used: .. code-block:: none - + set firewall ipv4 output filter rule 10 action accept set firewall ipv4 output filter rule 10 outbound-interface group !LAN set firewall ipv4 forward filter rule 20 action accept @@ -453,4 +458,4 @@ Here is an example of such command: PORT-SERVERS port_group route-PBR-201 443 route-PBR-201 5000-5010 nat-destination-101 http - vyos@vyos:~$
\ No newline at end of file + vyos@vyos:~$ diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 0e659247..836d29fc 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst 
@@ -65,60 +65,94 @@ Configuration As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, -they are applied to source zone-destination zone pairs. +they are applied to source-destination zone pairs. A basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`. +The following steps are required to create a zone-based firewall: + +1. Define both the source and destination zones +2. Define the rule-set +3. Apply the rule-set to the zones + Define a Zone ============= -To define a zone setup either one with interfaces or a local zone. +To define a zone setup either one with interfaces or the local zone. .. cfgcmd:: set firewall zone <name> interface <interface> - Set interfaces to a zone. A zone can have multiple interfaces. - But an interface can only be a member in one zone. + Assign interfaces as a member of a zone. + + .. note:: + + * An interface can only be a member of one zone. + * A zone can have multiple interfaces, with traffic between interfaces in + the same zone subject to the intra-zone-filtering policy (allowed by + default). .. cfgcmd:: set firewall zone <name> local-zone - Define the zone as a local zone. A local zone has no interfaces and - will be applied to the router itself. + Define the zone as the local zone, for traffic originating from and destined + to the router itself. + + .. note:: + + * A local zone cannot have any member interfaces + * There cannot be multiple local zones .. cfgcmd:: set firewall zone <name> default-action [drop | reject] - Change the default-action with this setting. + Change the zone default-action, which applies to traffic destined to this + zone that doesn't match any of the source zone rulesets applied. + +.. 
cfgcmd:: set firewall zone <name> default-log + + Enable logging of packets that hit this zone's default-action (disabled by + default). .. cfgcmd:: set firewall zone <name> description Set a meaningful description. -Applying a Rule-Set to a Zone +Defining a Rule-Set ============================= -Before you are able to apply a rule-set to a zone you have to create the zones -first. +Zone-based firewall rule-sets are for traffic from a *Source Zone* to a +*Destination Zone*. -It helps to think of the syntax as: (see below). The 'rule-set' should be -written from the perspective of: *Source Zone*-to->*Destination Zone* +The rule-sets are created as a custom firewall chain using the commands below +(refer to the firewall IPv4/IPv6 sections for the full syntax): -.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> - firewall name <rule-set> +* For :ref:`IPv4<configuration/firewall/ipv4:Firewall - IPv4 Rules>`: + ``set firewall ipv4 name <name> ...`` +* For :ref:`IPv6<configuration/firewall/ipv6:Firewall - IPv6 Rules>`: + ``set firewall ipv6 name <name> ...`` -.. cfgcmd:: set firewall zone <name> from <name> firewall name - <rule-set> +It can be helpful to name the rule-sets in the format +``<Sourze Zone>-<Destination Zone>-<v4 | v6>`` to make them easily identifiable. -.. cfgcmd:: set firewall zone <name> from <name> firewall ipv6-name - <rule-set> +Applying a Rule-Set to a Zone +============================= - You apply a rule-set always to a zone from an other zone, it is recommended - to create one rule-set for each zone pair. +Once a rule-set has been defined, it can then be applied to the source and +destination zones. The configuration syntax is anchored on the destination +zone, with each of the source zone rulesets listed against the destination. - .. code-block:: none +.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> + firewall name <ipv4-rule-set-name> + +.. 
cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> + firewall ipv6-name <ipv6-rule-set-name> + +It is recommended to create two rule-sets for each source-destination zone pair. - set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4 - set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4 +.. code-block:: none + + set firewall zone DMZ from LAN firewall name LAN-DMZ-v4 + set firewall zone LAN from DMZ firewall name DMZ-LAN-v4 ************** Operation-mode @@ -133,13 +167,12 @@ Operation-mode vyos@vyos:~$ show firewall zone-policy Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 ------ ------------ ----------- --------------- --------------- - LAN eth1 WAN WAN_to_LAN + LAN eth1 WAN WAN-LAN-v4 eth2 - LOCAL LOCAL LAN LAN_to_LOCAL - WAN WAN_to_LOCAL WAN_to_LOCAL_v6 - WAN eth3 LAN LAN_to_WAN - eth0 LOCAL LOCAL_to_WAN - vyos@vyos:~$ + LOCAL LOCAL LAN LAN-LOCAL-v4 + WAN WAN-LOCAL-v4 WAN-LOCAL-v6 + WAN eth3 LAN LAN-WAN-v4 + eth0 LOCAL LOCAL-WAN-v4 .. opcmd:: show firewall zone-policy zone <zone> @@ -150,11 +183,11 @@ Operation-mode vyos@vyos:~$ show firewall zone-policy zone WAN Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 ------ ------------ ----------- --------------- --------------- - WAN eth3 LAN LAN_to_WAN - eth0 LOCAL LOCAL_to_WAN + WAN eth3 LAN LAN-WAN-v4 + eth0 LOCAL LOCAL-WAN-v4 + vyos@vyos:~$ show firewall zone-policy zone LOCAL Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 ------ ------------ ----------- --------------- --------------- - LOCAL LOCAL LAN LAN_to_LOCAL - WAN WAN_to_LOCAL WAN_to_LOCAL_v6 - vyos@vyos:~$ + LOCAL LOCAL LAN LAN-LOCAL-v4 + WAN WAN-LOCAL-v4 WAN-LOCAL-v6 diff --git a/docs/configuration/protocols/failover.rst b/docs/configuration/protocols/failover.rst index 8088e104..651fc5c3 100644 --- a/docs/configuration/protocols/failover.rst +++ b/docs/configuration/protocols/failover.rst 
@@ -3,7 +3,7 @@ Failover ######## Failover routes are manually configured routes, but they only install -to the routing table if the health-check target is alive. +to the routing table as kernel routes if the health-check target is alive. If the target is not alive the route is removed from the routing table until the target becomes available. @@ -28,7 +28,12 @@ Failover Routes .. cfgcmd:: set protocols failover route <subnet> next-hop <address> check type <protocol> - Defines protocols for checking ARP, ICMP, TCP + Defines protocols for checking ARP, ICMP, TCP. +* ICMP probe sends 2 ICMP request packets with a response timeout of 1 second. + If one ICMP response is received, the health check is successful. +* ARP probe sends 2 ARP requests with a response timeout of 1 second. + If one response is received, the health check is successful. +* TCP probe checks whether the destination port is open. Default is ``icmp``. diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 00f0b21c..502d1e1b 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst 
@@ -49,15 +49,15 @@ Configuration Inform client that the DNS server can be found at `<address>`. This is the configuration parameter for the entire shared network definition. - All subnets will inherit this configuration item if not specified locally. + All subnets will inherit this configuration item if not specified locally. Multiple DNS servers can be defined. -.. cfgcmd:: set service dhcp-server shared-network-name <name> option +.. cfgcmd:: set service dhcp-server shared-network-name <name> option vendor-option <option-name> - This configuration parameter lets you specify a vendor-option for the - entire shared network definition. All subnets will inherit this - configuration item if not specified locally. An example for Ubiquiti is + This configuration parameter lets you specify a vendor-option for the + entire shared network definition. All subnets will inherit this + configuration item if not specified locally. An example for Ubiquiti is shown below: **Example:** @@ -66,14 +66,14 @@ Pass address of Unifi controller at ``172.16.100.1`` to all clients of ``NET1`` .. code-block:: none - set service dhcp-server shared-network-name 'NET1' option vendor-option + set service dhcp-server shared-network-name 'NET1' option vendor-option ubiquiti '172.16.100.1' .. cfgcmd:: set service dhcp-server listen-address <address> - This configuration parameter lets the DHCP server to listen for DHCP - requests sent to the specified address, it is only realistically useful for - a server whose only clients are reached via unicasts, such as via DHCP relay + This configuration parameter lets the DHCP server to listen for DHCP + requests sent to the specified address, it is only realistically useful for + a server whose only clients are reached via unicasts, such as via DHCP relay agents. Individual Client Subnet 
@@ -148,24 +148,205 @@ Individual Client Subnet request where no full FQDN is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119). -.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> +.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> option vendor-option <option-name> This configuration parameter lets you specify a vendor-option for the - subnet specified within the shared network definition. An example for + subnet specified within the shared network definition. An example for Ubiquiti is shown below: **Example:** -Create ``172.18.201.0/24`` as a subnet within ``NET1`` and pass address of +Create ``172.18.201.0/24`` as a subnet within ``NET1`` and pass address of Unifi controller at ``172.16.100.1`` to clients of that subnet. .. code-block:: none - set service dhcp-server shared-network-name 'NET1' subnet + set service dhcp-server shared-network-name 'NET1' subnet '172.18.201.0/24' option vendor-option ubiquiti '172.16.100.1' +Dynamic DNS Update (RFC 2136) +----------------------------- + +VyOS DHCP service supports RFC-2136 DDNS protocol. Based on DHCP lease change +events, DHCP server generates DDNS update requests (defines as NameChangeRequests +or NCRs) and posts them to a compliant DNS server, that will update its name +database accordingly. + +VyOS built-in DNS Forwarder does not support DDNS, you will need an external DNS +server with RFC-2136 DDNS support. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update + + Enables DDNS globally. + +**Behavioral settings** + +These settings can be configured on the global level and overridden on the scope +level, i.e. for individual shared networks or subnets. See examples below. + +.. 
cfgcmd:: set service dhcp-server dynamic-dns-update send-updates [ enable + | disable ] + + If set to ``enable`` on global level, updates for all scopes will be enabled, + except if explicitly set to ``disable`` on the scope level. If set to ``disable``, + updates will only be sent for scopes, where ``send-updates`` is explicity + set to ``enable``. + + This model is followed for a few behavioral settings below: if the option is + not set, the setting is inherited from the parent scope. You can override the + parent scope setting by setting the option explicitly. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update override-no-update [ enable + | disable ] + + VyOS will ignore client request not to update DNS records and send DDNS + update requests regardless. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update override-client-update [ enable + | disable ] + + VyOS will override client DDNS request settings and always update both + forward and reverse DNS records. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update update-on-renew [ enable + | disable ] + + Issue DDNS update requests on DHCP lease renew. In busy networks this may + generate a lot of traffic. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update conflict-resolution [ enable + | disable ] + + Use RFC-4703 conflict resolution. This algorithm helps in situation when + multiple clients reserve same IP addresses or advertise identical hostnames. + Should be used in most situations. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update replace-client-name [ never + | always | when-present | when-not-present ] + + * **never**: use the name sent by the client. If the client didn't provide any, + do not generate one. 
This is the default behavior + + * **always**: always generate a name for the client + + * **when-present**: replace the name the client sent with a generated one, if + the client didn't send any, do not generate one + + * **when-not-present**: use the name sent by the client. If the client didn't + send any, generate one for the client + + The names are generated using ``generated-prefix``, ``qualifying-suffix`` and the + client's IP address string. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update generated-prefix <prefix> + + Prefix used in client name generation. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update qualifying-suffix <suffix> + + DNS suffix used in client name generation. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update ttl-percent <0-100> + + TTL of the DNS record as a percentage of the DHCP lease time. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update hostname-char-set + <character string> + + Characters, that are considered invalid in the client name. They will be replaced + with ``hostname-char-replacement`` string. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update hostname-char-replacement + <character string> + + Replacement string for the invalid characters defined by ``hostname-char-set``. + +**TSIG keys definition** + +This is the global list of TSIG keys for DDNS updates. They need to be specified by +the name in the DNS domain definitions. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update tsig-key <key-name> + algorithm <algorithm> + + Sets the algorithm for the TSIG key. Supported algorithms are ``hmac-md5``, + ``hmac-sha1``, ``hmac-sha224``, ``hmac-sha256``, ``hmac-sha384``, ``hmac-sha512`` + +.. cfgcmd:: set service dhcp-server dynamic-dns-update tsig-key <key-name> + secret <key-secret> + + base64-encoded TSIG key secret value + +**DNS domains definition** + +This is global configuration of DNS servers for the updatable forward and reverse +DNS domains. 
For every domain multiple DNS servers can be specified. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update [forward|reverse]-domain + <domain-name> key-name <tsig-key-name> + + TSIG key used for the domain. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update [forward|reverse]-domain + <domain-name> dns-server <number> address <ip-address> + + IP address of the DNS server. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update [forward|reverse]-domain + <domain-name> dns-server <number> port <port> + + UDP port of the DNS server. ``53`` is the default. + +**Example:** + +Global configuration you will most likely want: + +.. code-block:: none + + set service dhcp-server dynamic-dns-update send-updates enable + set service dhcp-server dynamic-dns-update conflict-resolution enable + +Override the above configuration for a shared network NET1: + +.. code-block:: none + + set service dhcp-server shared-network-name 'NET1' dynamic-dns-update replace-client-name when-not-present + set service dhcp-server shared-network-name 'NET1' dynamic-dns-update generated-prefix ip + set service dhcp-server shared-network-name 'NET1' dynamic-dns-update qualifying-suffix mybigdomain.net + +And in a subnet within the same shared network: + +.. code-block:: none + + set service dhcp-server shared-network-name 'NET1' subnet '172.18.201.0/24' dynamic-dns-update qualifying-suffix mydomain.net + +Configure TSIG keys: + +.. code-block:: none + + set service dhcp-server dynamic-dns-update tsig-key mydomain-net algorithm hmac-sha256 + set service dhcp-server dynamic-dns-update tsig-key mydomain-net secret eWF5YW15bGl0dGxla2V5IQ== + set service dhcp-server dynamic-dns-update tsig-key reverse-172-18-201 algorithm hmac-sha256 + set service dhcp-server dynamic-dns-update tsig-key reverse-172-18-201 secret eWF5YW15YW5vdGhlcmxpdHRsZWtleSE= + +Configure DDNS domains: + +.. 
code-block:: none + + set service dhcp-server dynamic-dns-update forward-domain mydomain.net key-name mydomain-net + set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 1 address '172.18.0.254' + set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 1 port 1053 + set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 2 address '192.168.124.254' + set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 2 port 53 + set service dhcp-server dynamic-dns-update forward-domain 201.18.172.in-addr.arpa key-name reverse-172-18-201 + set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 1 address '172.18.0.254' + set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 1 port 1053 + set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 2 address '192.168.124.254' + set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 2 port 53 + + High Availability ----------------- @@ -645,7 +826,7 @@ used: .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> prefix-delegation prefix <pd-prefix> excluded-prefix-length <length> + <prefix> prefix-delegation prefix <pd-prefix> excluded-prefix-length <length> Define lenght of exclude prefix in `<pd-prefix>`. diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index ef06bcd5..5d7acd5a 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst 
@@ -174,11 +174,12 @@ RADIUS advanced options .. cfgcmd:: set service ipoe-server authentication radius dynamic-author server <address> - Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + Specifies IP address for Dynamic Authorization Extension server (DM/CoA). + This IP must exist on any VyOS interface or it can be ``0.0.0.0``. .. cfgcmd:: set service ipoe-server authentication radius dynamic-author port <port> - Port for Dynamic Authorization Extension server (DM/CoA) + UDP port for Dynamic Authorization Extension server (DM/CoA) .. cfgcmd:: set service ipoe-server authentication radius dynamic-author key <secret> diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index 6d818c70..f763536a 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -144,12 +144,13 @@ RADIUS advanced options .. cfgcmd:: set service pppoe-server authentication radius dynamic-author server <address> - Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + Specifies IP address for Dynamic Authorization Extension server (DM/CoA). + This IP must exist on any VyOS interface or it can be ``0.0.0.0``. .. cfgcmd:: set service pppoe-server authentication radius dynamic-author port <port> - Port for Dynamic Authorization Extension server (DM/CoA) + UDP port for Dynamic Authorization Extension server (DM/CoA) .. cfgcmd:: set service pppoe-server authentication radius dynamic-author key <secret> @@ -681,4 +682,4 @@ a /56 subnet for the clients internal use. .. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/ accel-pppd/radius/dict/dictionary.rfc6911 .. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/ - blob/master/accel-pppd/radius/dict/dictionary.accel
\ No newline at end of file + blob/master/accel-pppd/radius/dict/dictionary.accel diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index 365017dd..cb9a6037 100644 --- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst @@ -46,6 +46,7 @@ Configuration "Interval", "interval", "Min and max intervals between unsolicited multicast RAs" "DNSSL", "dnssl", "DNS search list to advertise" "Name Server", "name-server", "Advertise DNS server per https://tools.ietf.org/html/rfc6106" + "Auto Ignore Prefix", "auto-ignore", "Exclude a prefix from being advertised when the wildcard ::/64 prefix is used" .. start_vyoslinter @@ -56,8 +57,8 @@ Advertising a Prefix .. cfgcmd:: set service router-advert interface <interface> prefix <prefix/mask> .. note:: You can also opt for using `::/64` as prefix for your :abbr:`RAs (Router - Advertisements)`. This will take the IPv6 GUA prefix assigned to the interface, - which comes in handy when using DHCPv6-PD. + Advertisements)`. This is a special wildcard prefix that will emit :abbr:`RAs (Router Advertisements)` for every prefix assigned to the interface. + This comes in handy when using dynamically obtained prefixes from DHCPv6-PD. .. stop_vyoslinter diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index 4fa44d3e..c9969aa6 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst 
@@ -129,11 +129,34 @@ Configuration ``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``, ``rsa-sha2-512-cert-v01@openssh.com`` -.. cfgcmd:: set service ssh trusted-user-ca-key ca-certificate <ca_cert_name> +.. cfgcmd:: set service ssh trusted-user-ca <name> + + Specify the name of the OpenSSH key-pair that acts as certificate authority + and will be used to verify user certificates. + + You can use it by adding the OpenSSH key-pair under the PKI subsystem. + + Example: + + .. code-block:: none + + # Generate key-pair acting as CA + $ ssh-keygen -f vyos-ssh-ca.key + + # Generate key for user: vyos_testca + $ ssh-keygen -f vyos_testca -C "vyos_tesca@vyos.net" + + # Sign public key from user vyos_testca and insert principal names: vyos, vyos_testca + # with a key lifetime of two weeks - after which the key is unusable + $ ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +2w vyos_testca.pub + + $ set system login user vyos_testca + $ set pki openssh test_ca public key AAAAB3N..... + $ set pki openssh test_ca public type ssh-rsa + $ set service ssh trusted-user-ca test_ca + + You can now log into the system using: ``ssh -i vyos_testca vyos_testca@vyos.test.com`` - Specify the name of the CA certificate that will be used to verify the user - certificates. - You can use it by adding the CA certificate with the PKI command. Dynamic-protection ================== diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 3a7481eb..1c4e041d 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst 
@@ -34,6 +34,13 @@ Local Setup encrypted password for given username. This is useful for transferring a hashed password from system to system. +.. cfgcmd:: set system login user <name> authentication principal <principal> + + When using SSH certificate based authentication, define which principals are + alled to use this account. + + If unset, the principal will be set to the login name of the user bz default. + .. cfgcmd:: set system login user <name> disable Disable (lock) account. User will not be able to log in. diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index b5ebaaee..a13e38a8 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -18,6 +18,16 @@ General Automatically reboot system on kernel panic after 60 seconds. +.. cfgcmd:: set system option reboot-on-upgrade-failure <timeout> + + Automatically reboot after `timeout` minutes into the previous running + image, that was used to perform the image upgrade. + + Reboot `timeout` is configurable in minutes. This gives the user the change + to log into the system and perform some analysis before automatic rebooting. + + Automatic reboot can be cancelled after login using: :opcmd:`reboot cancel` + .. cfgcmd:: set system option startup-beep Play an audible beep to the system speaker when system is ready. @@ -72,6 +82,11 @@ Kernel .. seealso:: https://docs.kernel.org/admin-guide/pm/amd-pstate.html +.. cfgcmd:: set system option kernel quiet + + Suppress most kernel messages during boot. This is useful for systems with + embedded serial console interfaces to speed up the boot process. + *********** HTTP client *********** diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index d2215c1c..3fa34449 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst 
@@ -180,11 +180,12 @@ RADIUS advanced options .. cfgcmd:: set vpn l2tp remote-access authentication radius dynamic-author server <address> - Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + Specifies IP address for Dynamic Authorization Extension server (DM/CoA). + This IP must exist on any VyOS interface or it can be ``0.0.0.0``. .. cfgcmd:: set vpn l2tp remote-access authentication radius dynamic-author port <port> - Port for Dynamic Authorization Extension server (DM/CoA) + UDP port for Dynamic Authorization Extension server (DM/CoA) .. cfgcmd:: set vpn l2tp remote-access authentication radius dynamic-author key <secret> diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index 5220929f..194ec771 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst @@ -120,11 +120,12 @@ RADIUS advanced options .. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author server <address> - Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + Specifies IP address for Dynamic Authorization Extension server (DM/CoA). + This IP must exist on any VyOS interface or it can be ``0.0.0.0``. .. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author port <port> - Port for Dynamic Authorization Extension server (DM/CoA) + UDP port for Dynamic Authorization Extension server (DM/CoA) .. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author key <secret> diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index e750cdcf..b65aecca 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst 
@@ -153,11 +153,12 @@ RADIUS advanced options .. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address> - Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + Specifies IP address for Dynamic Authorization Extension server (DM/CoA). + This IP must exist on any VyOS interface or it can be ``0.0.0.0``. .. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port> - Port for Dynamic Authorization Extension server (DM/CoA) + UDP port for Dynamic Authorization Extension server (DM/CoA) .. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret> |
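Review bot: In the docs/automation/vyos-api.rst hunk (@@ -517), the second new example is not valid JSON: in `--form data='{"op": "merge", "string": "interfaces {\nethernet eth1 {\naddress "192.168.2.137/24"\ndescription "test"\n}\n}\n"}'` the unescaped double quotes around `192.168.2.137/24` and `test` terminate the `string` value early, so a strict JSON parser rejects the body. Escape them as `\"192.168.2.137/24\"` and `\"test\"`, and add a sentence to the prose saying that quotes inside the configuration text must be JSON-escaped.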
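Review bot: In the docs/cli.rst hunk (@@ -116), the added bullet `- ``reset session tty1`` — terminates the TTY user session ``tty1``` lacks the trailing full stop that the neighbouring bullets end with; add it for consistency.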
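Review bot: In the docs/configuration/container/index.rst hunk (@@ -282), the new "Log Configuration" text has several wording errors: "new line deliminated json file" should be "newline-delimited JSON file", "the systems journal" should be "the system's journal", and the last sentence is hard to parse. Suggest: "The default is k8s-file. With journald, container output no longer appears in the container log operational command; use the global log command instead."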
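Review bot: In the docs/configuration/firewall/groups.rst hunk (@@ -41), the rewritten line `+list of IPv4 and/or IPv6 addresses, CIDRs and ranges. VyOS will pull this list periodicity` keeps the pre-existing "periodicity"; since the line is being touched anyway, change it to "periodically". Also, because `url <http(s) url>` accepts plain http, it is worth a sentence recommending https for the list source: the fetched entries directly decide which traffic the referencing rules match, and the cached copy is reused on fetch failure, so an unauthenticated transport lets anyone on the path alter the group contents.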
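Review bot: In the docs/configuration/firewall/groups.rst hunk (@@ -272), the modified line `+Here is an example were multiple groups are created:` only strips trailing whitespace and leaves the typo; "were" should be "where".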
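Review bot: In the docs/configuration/firewall/zone.rst hunk (@@ -65), the sentence "It is recommended to create two rule-sets for each source-destination zone pair" is ambiguous: the example that follows (`LAN-DMZ-v4` and `DMZ-LAN-v4`) shows one rule-set per direction, while the preceding naming advice `<Sourze Zone>-<Destination Zone>-<v4 | v6>` suggests one per address family. State it explicitly, e.g. "one rule-set per direction of each zone pair, and separate IPv4 and IPv6 rule-sets where both are used", and fix the "Sourze" typo in the naming template.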
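Review bot: In the docs/configuration/protocols/failover.rst hunk (@@ -28), the new bullet list is placed directly after `+   Defines protocols for checking ARP, ICMP, TCP.` with no blank line and at column 0, so it falls outside the `.. cfgcmd::` directive body and reStructuredText will not render it as a list under that command. Insert a blank line after the sentence and indent the three `*` items (and the following `Default is ``icmp``.`) to the directive's indentation.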
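Review bot: In the docs/configuration/service/dhcp-server.rst hunk (@@ -148), the DDNS domains example has a wrong keyword: `set service dhcp-server dynamic-dns-update forward-domain 201.18.172.in-addr.arpa key-name reverse-172-18-201` configures an in-addr.arpa zone as a forward domain, while the four lines that follow use `reverse-domain` for the same zone; it should be `reverse-domain`, otherwise the reverse zone's TSIG key is never attached. Smaller points in the same hunk: "defines as NameChangeRequests" should be "defined as", "explicity" should be "explicitly", "Characters, that are considered invalid" should drop the comma, and since `hmac-md5` is listed among the supported TSIG algorithms, add a sentence recommending `hmac-sha256` or stronger, which is what the examples already use.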
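Review bot: In the identical DM/CoA hunks of docs/configuration/service/ipoe-server.rst, docs/configuration/service/pppoe-server.rst, docs/configuration/vpn/l2tp.rst, docs/configuration/vpn/pptp.rst and docs/configuration/vpn/sstp.rst, the added sentence `+   This IP must exist on any VyOS interface or it can be ``0.0.0.0``.` reads awkwardly and under-explains the wildcard. Suggest: "The address must be configured on one of the VyOS interfaces, or ``0.0.0.0`` to accept DM/CoA requests on all addresses." It is also worth stating that with ``0.0.0.0`` the listener is reachable from every interface, so the `dynamic-author key <secret>` and the firewall are the only controls on who can send disconnect or change-of-authorization messages; a specific address on the RADIUS-facing interface is the safer default.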
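Review bot: In the docs/configuration/service/router-advert.rst hunk (@@ -56), the rewritten note line `+   Advertisements)`. This is a special wildcard prefix that will emit :abbr:`RAs (Router Advertisements)` for every prefix assigned to the interface.` far exceeds the line width used elsewhere in the file; wrap it. Since the same change adds the `auto-ignore` row ("Exclude a prefix from being advertised when the wildcard ::/64 prefix is used") to the options table, the note is the natural place to mention `auto-ignore` as the way to exclude individual prefixes from the wildcard.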
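Review bot: In the docs/configuration/service/ssh.rst hunk (@@ -129), the signing step `$ ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +2w vyos_testca.pub` issues the test user's certificate with the principal `vyos` as well, which (given the login.rst hunk in this same change, where a user's default principal is its login name) lets the holder of that key also authenticate as the `vyos` account. Unless that is the intent, limit the example to `-n vyos_testca` and say that principals should only name the accounts the certificate holder is meant to use. Two smaller points: the `$` prompt is used both for the shell `ssh-keygen` commands and for the `set system login user` / `set pki openssh` / `set service ssh` configuration commands, which elsewhere in the docs appear without a prompt; drop it on the `set` lines or switch to the `[edit]` convention so readers do not run them in a shell. The comment `-C "vyos_tesca@vyos.net"` also misspells the user name.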
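Review bot: In the docs/configuration/system/login.rst hunk (@@ -34), the new `authentication principal` description has two typos: "alled to use this account" should be "allowed to use this account", and "bz default" should be "by default".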
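Review bot: In the docs/configuration/system/option.rst hunk (@@ -18), the `reboot-on-upgrade-failure` text says "This gives the user the change to log into the system" where "chance" is meant, and the sentence `+   Reboot `timeout` is configurable in minutes.` repeats what the first paragraph already states; merge them into one sentence.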