From 0abea04850dfdaa0b56fc6dec94e5303300ba712 Mon Sep 17 00:00:00 2001 From: rebortg Date: Sun, 29 Nov 2020 21:18:33 +0100 Subject: arrange firewall --- docs/configuration/firewall/index.rst | 767 ++++++++++++++++++++++++++++++++++ 1 file changed, 767 insertions(+) create mode 100644 docs/configuration/firewall/index.rst (limited to 'docs/configuration/firewall') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst new file mode 100644 index 00000000..870e9a08 --- /dev/null +++ b/docs/configuration/firewall/index.rst 
@@ -0,0 +1,767 @@ +.. _firewall: + +Firewall +======== + +Overview +-------- + +VyOS makes use of Linux `netfilter `_ for packet +filtering. + +The firewall supports the creation of groups for ports, addresses, and +networks (implemented using netfilter ipset) and the option of interface +or zone based firewall policy. + +.. note:: **Important note on usage of terms:** + The firewall makes use of the terms `in`, `out`, and `local` + for firewall policy. Users experienced with netfilter often confuse + `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT` + chain from netfilter. This is not the case. These instead indicate + the use of the `FORWARD` chain and either the input or output + interface. The `INPUT` chain, which is used for local traffic to the + OS, is a reference to as `local` with respect to its input interface. + + +Global settings +--------------- + +Some firewall settings are global and have a affect on the whole system. + +.. cfgcmd:: set firewall all-ping [enable | disable] + + By default, when VyOS receives an ICMP echo request packet destined for + itself, it will answer with an ICMP echo reply, unless you avoid it + through its firewall. + + With the firewall you can set rules to accept, drop or reject ICMP in, + out or local traffic. You can also use the general **firewall all-ping** + command. This command affects only to LOCAL (packets destined for your + VyOS system), not to IN or OUT traffic. + + .. note:: **firewall all-ping** affects only to LOCAL and it always + behaves in the most restrictive way + + .. code-block:: none + + set firewall all-ping enable + + When the command above is set, VyOS will answer every ICMP echo request + addressed to itself, but that will only happen if no other rule is + applied dropping or rejecting local echo requests. In case of conflict, + VyOS will not answer ICMP echo requests. + + .. 
code-block:: none + + set firewall all-ping disable + + When the command above is set, VyOS will answer no ICMP echo request + addressed to itself at all, no matter where it comes from or whether + more specific rules are being applied to accept them. + +.. cfgcmd:: set firewall broadcast-ping [enable | disable] + + This setting enable or disable the response of icmp broadcast + messages. The following system parameter will be altered: + + * ``net.ipv4.icmp_echo_ignore_broadcasts`` + +.. cfgcmd:: set firewall ip-src-route [enable | disable] +.. cfgcmd:: set firewall ipv6-src-route [enable | disable] + + This setting handle if VyOS accept packets with a source route + option. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_source_route`` + * ``net.ipv6.conf.all.accept_source_route`` + +.. cfgcmd:: set firewall receive-redirects [enable | disable] +.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable] + + enable or disable of ICMPv4 or ICMPv6 redirect messages accepted + by VyOS. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_redirects`` + * ``net.ipv6.conf.all.accept_redirects`` + +.. cfgcmd:: set firewall send-redirects [enable | disable] + + enable or disable of ICMPv4 redirect messages send by VyOS + The following system parameter will be altered: + + * ``net.ipv4.conf.all.send_redirects`` + +.. cfgcmd:: set firewall log-martians [enable | disable] + + enable or disable the logging of martian IPv4 packets. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.log_martians`` + +.. cfgcmd:: set firewall source-validation [strict | loose | disable] + + Set the IPv4 source validation mode. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.rp_filter`` + +.. cfgcmd:: set firewall syn-cookies [enable | disable] + + Enable or Disable if VyOS use IPv4 TCP SYN Cookies. 
+ The following system parameter will be altered: + + * ``net.ipv4.tcp_syncookies`` + +.. cfgcmd:: set firewall twa-hazards-protection [enable | disable] + + Enable or Disable VyOS to be :rfc:`1337` conform. + The following system parameter will be altered: + + * ``net.ipv4.tcp_rfc1337`` + +.. cfgcmd:: set firewall state-policy established action [accept | drop | + reject] + +.. cfgcmd:: set firewall state-policy established log enable + + Set the global setting for a astablished connections. + +.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject] + +.. cfgcmd:: set firewall state-policy invalid log enable + + Set the global setting for invalid packets. + +.. cfgcmd:: set firewall state-policy related action [accept | drop | reject] + +.. cfgcmd:: set firewall state-policy related log enable + + Set the global setting for related connections. + + +Groups +------ + +Firewall groups represent collections of IP addresses, networks, or +ports. Once created, a group can be referenced by firewall rules as +either a source or destination. Members can be added or removed from a +group without changes to, or the need to reload, individual firewall +rules. + +.. note:: Groups can also be referenced by NAT configuration. + +Groups need to have unique names. Even though some contain IPv4 +addresses and others contain IPv6 addresses, they still need to have +unique names, so you may want to append "-v4" or "-v6" to your group +names. + + +Address Groups +************** + +In a **address group** a single IP adresses or IP address ranges are +definded. + +.. cfgcmd:: set firewall group address-group address [address | + address range] +.. cfgcmd:: set firewall group ipv6-address-group address
+ + Define a IPv4 or a IPv6 address group + + .. code-block:: none + + set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 + set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 + set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 + +.. cfgcmd:: set firewall group address-group description +.. cfgcmd:: set firewall group ipv6-address-group description + + Provide a IPv4 or IPv6 address group description + + +Network Groups +************** + +While **network groups** accept IP networks in CIDR notation, specific +IP addresses can be added as a 32-bit prefix. If you foresee the need +to add a mix of addresses and networks, the network group is +recommended. + +.. cfgcmd:: set firewall group network-group network +.. cfgcmd:: set firewall group ipv6-network-group network + + Define a IPv4 or IPv6 Network group. + + .. code-block:: none + + set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 + set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 + set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 + +.. cfgcmd:: set firewall group network-group description +.. cfgcmd:: set firewall group ipv6-network-group description + + Provide a IPv4 or IPv6 network group description. + + +Port Groups +*********** + +A **port group** represents only port numbers, not the protocol. Port +groups can be referenced for either TCP or UDP. It is recommended that +TCP and UDP groups are created separately to avoid accidentally +filtering unnecessary ports. Ranges of ports can be specified by using +`-`. + +.. cfgcmd:: set firewall group port-group port + [portname | portnumber | startport-endport] + + Define a port group. A port name are any name defined in + /etc/services. e.g.: http + + .. 
code-block:: none + + set firewall group port-group PORT-TCP-SERVER1 port http + set firewall group port-group PORT-TCP-SERVER1 port 443 + set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 + +.. cfgcmd:: set firewall group port-group description + + Provide a port group description. + + +Rule-Sets +---------- + +A rule-set is a named collection of firewall rules that can be applied +to an interface or zone. Each rule is numbered, has an action to apply +if the rule is matched, and the ability to specify the criteria to +match. Data packets go through the rules from 1 - 9999, at the first match +the action of the rule will executed. + +.. cfgcmd:: set firewall name description +.. cfgcmd:: set firewall ipv6-name description + + Provide a rule-set description. + +.. cfgcmd:: set firewall name default-action [drop | reject | accept] +.. cfgcmd:: set firewall ipv6-name default-action [drop | reject | + accept] + + This set the default action of the rule-set if no rule matched a paket + criteria. + +.. cfgcmd:: set firewall name enable-default-log +.. cfgcmd:: set firewall ipv6-name enable-default-log + + Use this command to enable the logging of the default action. + +.. cfgcmd:: set firewall name rule <1-9999> action [drop | reject | + accept] +.. cfgcmd:: set firewall ipv6-name rule <1-9999> action [drop | reject | + accept] + + This required setting define the action of the current rule. + +.. cfgcmd:: set firewall name rule <1-9999> description +.. cfgcmd:: set firewall ipv6-name rule <1-9999> description + + Provide a description for each rule. + +.. cfgcmd:: set firewall name rule <1-9999> log [disable | enable] +.. cfgcmd:: set firewall ipv6-name rule <1-9999> log [disable | enable] + + Enable or disable logging for the matched packet. + +.. cfgcmd:: set firewall name rule <1-9999> disable +.. cfgcmd:: set firewall ipv6-name rule <1-9999> disable + + If you want to disable a rule but let it in the configuration. 
+ +Matching criteria +***************** + +There are a lot of matching criteria gainst which the package can be tested. + + +.. cfgcmd:: set firewall name rule <1-9999> source address + [address | addressrange | CIDR] +.. cfgcmd:: set firewall name rule <1-9999> destination address + [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6-name rule <1-9999> source address + [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6-name rule <1-9999> destination address + [address | addressrange | CIDR] + + This is similiar to the network groups part, but here you are able to negate + the matching addresses. + + .. code-block:: none + + set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11 + # with a '!' the rule match everything except the specified subnet + set fitewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 + set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 + + +.. cfgcmd:: set firewall name rule <1-9999> source mac-address + +.. cfgcmd:: set firewall ipv6-name rule <1-9999> source mac-address + + + Only in the source criteria you can specify a mac-address + + .. code-block:: none + + set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33 + set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34 + +.. cfgcmd:: set firewall name rule <1-9999> source port + [1-65535 | portname | start-end] +.. cfgcmd:: set firewall name rule <1-9999> destination port + [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6-name rule <1-9999> source port + [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6-name rule <1-9999> destination port + [1-65535 | portname | start-end] + + A port can be set with a portnumber or a name which is here + defined: ``/etc/services``. + + .. 
code-block:: none + + set firewall name WAN-IN-v4 rule 10 source port '22' + set firewall name WAN-IN-v4 rule 11 source port '!http' + set firewall name WAN-IN-v4 rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using '!'. For example: + + .. code-block:: none + + set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338' + +.. cfgcmd:: set firewall name rule <1-9999> source group + address-group +.. cfgcmd:: set firewall name rule <1-9999> destination group + address-group +.. cfgcmd:: set firewall ipv6-name rule <1-9999> source group + address-group +.. cfgcmd:: set firewall ipv6-name rule <1-9999> destination group + address-group + + Use a specific address-group + +.. cfgcmd:: set firewall name rule <1-9999> source group + network-group +.. cfgcmd:: set firewall name rule <1-9999> destination group + network-group +.. cfgcmd:: set firewall ipv6-name rule <1-9999> source group + network-group +.. cfgcmd:: set firewall ipv6-name rule <1-9999> destination group + network-group + + Use a specific network-group + +.. cfgcmd:: set firewall name rule <1-9999> source group + port-group +.. cfgcmd:: set firewall name rule <1-9999> destination group + port-group +.. cfgcmd:: set firewall ipv6-name rule <1-9999> source group + port-group +.. cfgcmd:: set firewall ipv6-name rule <1-9999> destination group + port-group + + Use a specific port-group + +.. cfgcmd:: set firewall name rule <1-9999> protocol [ | + <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6-name rule <1-9999> protocol [ | + <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and upd + based pakets. The ``!`` negate the selected protocol. + + .. 
code-block:: none + + set firewall name WAN-IN-v4 rule 10 protocol tcp_udp + set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp + set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp + +.. cfgcmd:: set firewall name rule <1-9999> tcp flags +.. cfgcmd:: set firewall ipv6-name rule <1-9999> tcp flags + + Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, + ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma + separated. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK' + set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN' + set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' + +.. cfgcmd:: set firewall name rule <1-9999> state [established | + invalid | new | related] [enable | disable ] +.. cfgcmd:: set firewall ipv6-name rule <1-9999> state [established | + invalid | new | related] [enable | disable ] + + Match against the state of a packet. + + +Applying a Rule-Set to an Interface +----------------------------------- + +A Rule-Set can be appliend to every inteface: + +* ``in``: Ruleset for forwarded packets on inbound interface +* ``out``: Ruleset for forwarded packets on outbound interface +* ``local``: Ruleset for packets destined for this router + +.. cfgcmd:: set interface ethernet firewall [in | out | local] + [name | ipv6-name] + + Here are some examples for applying a rule-set to an interface + + .. code-block:: none + + set interface ethernet eth1 vif 100 firewall in name LANv4-IN + set interface ethernet eth1 vif 100 firewall out name LANv4-OUT + set interface bonding bond0 firewall in name LANv4-IN + set interfaces openvpn vtun1 firewall in name Lanv4-IN + + .. note:: + As you can see in the example here, you can assign the same rule-set to + several interfaces. An interface can only have one rule-set per chain. 
+ + +Zone-based Firewall Policy +-------------------------- + +As an alternative to applying policy to an interface directly, a +zone-based firewall can be created to simplify configuration when +multiple interfaces belong to the same security zone. Instead of +applying rulesets to interfaces, they are applied to source +zone-destination zone pairs. + +An basic introduction to zone-based firewalls can be found `here +`_, +and an example at :ref:`examples-zone-policy`. + +Define a Zone +************* + +To define a zone setup either one with interfaces or a local zone. + +.. cfgcmd:: set zone-policy zone interface + + Set a interfaces to a zone. A zone can have multiple interfaces. + But a interface can only be member in one zone. + +.. cfgcmd:: set zone-policy zone local-zone + + Define the Zone as a local zone. A local zone have no interfaces and + will be applied to the router itself. + +.. cfgcmd:: set zone-policy zone default-action [drop | reject] + + Change the default-action with this setting. + +.. cfgcmd:: set zone-policy zone description + + Set a meaningful description. + + +Applying a Rule-Set to a Zone +***************************** + +Before you are able to apply a rule-set to a zone you have to create the zones +first. + +.. cfgcmd:: set zone-policy zone from firewall name + +.. cfgcmd:: set zone-policy zone from firewall ipv6-name + + + You apply a rule-set always to a zone from a other zone, it is recommended + to create one rule-set for each zone pair. + + .. code-block:: none + + set zone-policy zone DMZ from LAN firewall name LANv4-to-DMZv4 + set zone-policy zone LAN from DMZ firewall name DMZv4-to-LANv4 + + +Operation-mode Firewall +----------------------- + +Rule-set overview +***************** + +.. opcmd:: show firewall + + This will show you a basic firewall overview + + .. 
code-block:: none + + vyos@vyos:~$ show firewall + + ------------------------ + Firewall Global Settings + ------------------------ + + Firewall state-policy for all IPv4 and Ipv6 traffic + + state action log + ----- ------ --- + invalid accept disabled + established accept disabled + related accept disabled + + ----------------------------- + Rulesets Information + ----------------------------- + -------------------------------------------------------------------------- + IPv4 Firewall "DMZv4-1-IN": + + Active on (eth0,IN) + + rule action proto packets bytes + ---- ------ ----- ------- ----- + 10 accept icmp 0 0 + condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled + + 10000 drop all 0 0 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled + + -------------------------------------------------------------------------- + IPv4 Firewall "DMZv4-1-OUT": + + Active on (eth0,OUT) + + rule action proto packets bytes + ---- ------ ----- ------- ----- + 10 accept tcp_udp 1 60 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /* + DMZv4-1-OUT-10 */LOG enabled + + 11 accept icmp 1 84 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled + + 10000 drop all 6 360 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled + + -------------------------------------------------------------------------- + IPv4 Firewall "LANv4-IN": + + Inactive - Not applied to any interfaces or zones. + + rule action proto packets bytes + ---- ------ ----- ------- ----- + 10 accept all 0 0 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */ + + 10000 drop all 0 0 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 + +.. opcmd:: show firewall summary + + This will show you a summary about rule-sets and groups + + .. 
code-block:: none + + vyos@vyos:~$ show firewall summary + + ------------------------ + Firewall Global Settings + ------------------------ + + Firewall state-policy for all IPv4 and Ipv6 traffic + + state action log + ----- ------ --- + invalid accept disabled + related accept disabled + established accept disabled + + ------------------------ + Firewall Rulesets + ------------------------ + + IPv4 name: + + Rule-set name Description References + ------------- ----------- ---------- + DMZv4-1-OUT (eth0,OUT) + DMZv4-1-IN (eth0,IN) + + ------------------------ + Firewall Groups + ------------------------ + + Port Groups: + + Group name Description References + ---------- ----------- ---------- + DMZ-Ports DMZv4-1-OUT-10-destination + + Network Groups: + + Group name Description References + ---------- ----------- ---------- + LANv4 LANv4-IN-10-source, + DMZv4-1-OUT-10-source, + DMZv4-1-OUT-11-source + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +.. opcmd:: show firewall [name | ipv6name] rule <1-9999> + + This command will give an overview about a rule in a single rule-set + +.. opcmd:: show firewall group + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@vyos:~$ show firewall group DMZ-Ports + Name : DMZ-Ports + Type : port + References : none + Members : + 80 + 443 + 8080 + 8443 + + vyos@vyos:~$ show firewall group LANv4 + Name : LANv4 + Type : network + References : LANv4-IN-10-source + Members : + 10.10.0.0/16 + +.. opcmd:: show firewall [name | ipv6name] + + This command will give an overview about a single rule-set + +.. opcmd:: show firewall [name | ipv6name] statistics + + This will show you a rule-set statistic since the last boot. + +.. 
opcmd:: show firewall [name | ipv6name] rule <1-9999> + + This command will give an overview about a rule in a single rule-set + + +Zone-Policy Overview +******************** + +.. opcmd:: show zone-policy zone + + Use this command to get an overview about a zone + + .. code-block:: none + + vyos@vyos:~$ show zone-policy zone DMZ + ------------------- + Name: DMZ + + Interfaces: eth0 eth1 + + From Zone: + name firewall + ---- -------- + LAN DMZv4-1-OUT + + +Show Firewall log +***************** + +.. opcmd:: show log firewall [name | ipv6name] + + Show the logs of a specific Rule-Set + +.. note:: + At the moment it not possible to look at the whole firewall log with VyOS + operational commands. All logs will save to ``/var/logs/messages``. + For example: ``grep '10.10.0.10' /var/log/messages`` + + + +Example Partial Config +---------------------- + +.. code-block:: none + + firewall { + all-ping enable + broadcast-ping disable + config-trap disable + group { + network-group BAD-NETWORKS { + network 198.51.100.0/24 + network 203.0.113.0/24 + } + network-group GOOD-NETWORKS { + network 192.0.2.0/24 + } + port-group BAD-PORTS { + port 65535 + } + } + name FROM-INTERNET { + default-action accept + description "From the Internet" + rule 10 { + action accept + description "Authorized Networks" + protocol all + source { + group { + network-group GOOD-NETWORKS + } + } + } + rule 11 { + action drop + description "Bad Networks" + protocol all + source { + group { + network-group BAD-NETWORKS + } + } + } + rule 30 { + action drop + description "BAD PORTS" + destination { + group { + port-group BAD-PORTS + } + } + log enable + protocol all + } + } + } + interfaces { + ethernet eth1 { + address dhcp + description OUTSIDE + duplex auto + firewall { + in { + name FROM-INTERNET + } + } + } + } -- cgit v1.2.3 From e33e1268f944be445b5a771df0e97e913487512f Mon Sep 17 00:00:00 2001 
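Review bot: in the new docs/configuration/firewall/index.rst the "Example Partial Config" at the end of the hunk applies rule-set FROM-INTERNET to the OUTSIDE interface (eth1, address dhcp) with `default-action accept`, so every source that is not in BAD-NETWORKS and every port not in BAD-PORTS is accepted from the Internet; either change the example to `default-action drop` with the GOOD-NETWORKS accept rule doing the allowing, or say in the text that the example is deliberately permissive and not a template. Also in the same hunk: the "Matching criteria" code-block has `set fitewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24` (typo in `firewall`, so the example cannot be pasted), the "Applying a Rule-Set to an Interface" example mixes `set interface ethernet eth1 ...` with `set interfaces openvpn vtun1 ...` and `LANv4-IN` with `Lanv4-IN`, the tcp flags paragraph says "The ``!`` negate the selected protocol" (copied from the protocol section; it should refer to the flag), `show firewall [name | ipv6name] rule <1-9999>` is documented twice under "Rule-set overview", and the log note says ``/var/logs/messages`` while its own grep example uses ``/var/log/messages``. Spelling to fix before merge: "a affect", "is a reference to as `local`", "astablished", "definded", "adresses", "gainst", "similiar", "fpr", "upd", "paket", "appliend", "inteface".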
From: rebortg Date: Mon, 30 Nov 2020 19:46:59 +0100 Subject: change include to absolute path --- docs/_ext/vyos.py | 9 ++++++-- docs/_include/interface-common-with-dhcp.txt | 8 +++---- docs/_include/interface-common-without-dhcp.txt | 4 ++-- docs/_include/interface-common.txt | 18 ++++++++-------- docs/_include/interface-dhcpv6-options.txt | 2 +- docs/_include/interface-vlan-8021ad.txt | 26 +++++++++++------------ docs/_include/interface-vlan-8021q.txt | 24 ++++++++++----------- docs/configuration/firewall/index.rst | 1 + docs/configuration/interfaces/bonding.rst | 4 ++-- docs/configuration/interfaces/bridge.rst | 4 ++-- docs/configuration/interfaces/dummy.rst | 8 +++---- docs/configuration/interfaces/ethernet.rst | 6 +++--- docs/configuration/interfaces/geneve.rst | 2 +- docs/configuration/interfaces/l2tpv3.rst | 4 ++-- docs/configuration/interfaces/loopback.rst | 4 ++-- docs/configuration/interfaces/macsec.rst | 2 +- docs/configuration/interfaces/openvpn.rst | 2 +- docs/configuration/interfaces/pppoe.rst | 8 +++---- docs/configuration/interfaces/pseudo-ethernet.rst | 4 ++-- docs/configuration/interfaces/tunnel.rst | 2 +- docs/configuration/interfaces/vxlan.rst | 2 +- docs/configuration/interfaces/wireless.rst | 6 +++--- docs/configuration/interfaces/wirelessmodem.rst | 6 +++--- docs/configuration/nat/nptv6.rst | 2 +- docs/configuration/policy/index.rst | 4 ++-- docs/contributing/debugging.rst | 2 +- docs/contributing/development.rst | 2 +- docs/contributing/documentation.rst | 2 +- docs/contributing/issues-features.rst | 2 +- docs/interfaces/advanced-index.rst | 23 -------------------- docs/interfaces/basic-index.rst | 12 ----------- docs/routing/bfd.rst | 2 +- docs/routing/ospf.rst | 2 +- docs/routing/rip.rst | 2 +- docs/services/conntrack.rst | 2 +- docs/services/ipoe-server.rst | 4 ++-- docs/services/pppoe-server.rst | 2 +- docs/system/lcd.rst | 2 +- docs/vpn/sstp.rst | 2 +- 39 files changed, 97 insertions(+), 126 deletions(-) delete mode 100644 
docs/interfaces/advanced-index.rst delete mode 100644 docs/interfaces/basic-index.rst (limited to 'docs/configuration/firewall') diff --git a/docs/_ext/vyos.py b/docs/_ext/vyos.py index 89cc8ab7..4a974b46 100644 --- a/docs/_ext/vyos.py +++ b/docs/_ext/vyos.py @@ -3,7 +3,7 @@ import json import os from docutils import io, nodes, utils, statemachine from docutils.parsers.rst.roles import set_classes -from docutils.parsers.rst import Directive, directives +from docutils.parsers.rst import Directive, directives, states from sphinx.util.docutils import SphinxDirective @@ -173,7 +173,7 @@ class inlinecmd(nodes.inline): #self.literal_whitespace -= 1 -class CfgInclude(Directive): +class CfgInclude(SphinxDirective): required_arguments = 1 optional_arguments = 0 final_argument_whitespace = True @@ -189,10 +189,15 @@ class CfgInclude(Directive): 'var8': str, 'var9': str } + standard_include_path = os.path.join(os.path.dirname(states.__file__), + 'include') def run(self): ### Copy from include directive docutils """Include a file as part of the content of this reST file.""" + rel_filename, filename = self.env.relfn2path(self.arguments[0]) + self.arguments[0] = filename + self.env.note_included(filename) if not self.state.document.settings.file_insertion_enabled: raise self.warning('"%s" directive disabled.' % self.name) source = self.state_machine.input_lines.source( diff --git a/docs/_include/interface-common-with-dhcp.txt b/docs/_include/interface-common-with-dhcp.txt index 3e1394a3..1cacdd53 100644 --- a/docs/_include/interface-common-with-dhcp.txt +++ b/docs/_include/interface-common-with-dhcp.txt 
@@ -1,17 +1,17 @@ -.. cmdinclude:: ../_include/interface-address-with-dhcp.txt +.. cmdinclude:: /_include/interface-address-with-dhcp.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-common.txt +.. cmdinclude:: /_include/interface-common.txt :var0: {{ var0 }} :var1: {{ var1 }} **DHCP(v6)** -.. cmdinclude:: ../_include/interface-dhcp-options.txt +.. cmdinclude:: /_include/interface-dhcp-options.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-dhcpv6-options.txt +.. cmdinclude:: /_include/interface-dhcpv6-options.txt :var0: {{ var0 }} :var1: {{ var1 }} diff --git a/docs/_include/interface-common-without-dhcp.txt b/docs/_include/interface-common-without-dhcp.txt index d861f003..73d39dd0 100644 --- a/docs/_include/interface-common-without-dhcp.txt +++ b/docs/_include/interface-common-without-dhcp.txt @@ -1,7 +1,7 @@ -.. cmdinclude:: ../_include/interface-address.txt +.. cmdinclude:: /_include/interface-address.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-common.txt +.. cmdinclude:: /_include/interface-common.txt :var0: {{ var0 }} :var1: {{ var1 }} diff --git a/docs/_include/interface-common.txt b/docs/_include/interface-common.txt index de29356f..68c9c448 100644 --- a/docs/_include/interface-common.txt +++ b/docs/_include/interface-common.txt 
@@ -1,36 +1,36 @@ -.. cmdinclude:: ../_include/interface-description.txt +.. cmdinclude:: /_include/interface-description.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-disable.txt +.. cmdinclude:: /_include/interface-disable.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-disable-flow-control.txt +.. cmdinclude:: /_include/interface-disable-flow-control.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-disable-link-detect.txt +.. cmdinclude:: /_include/interface-disable-link-detect.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-mac.txt +.. cmdinclude:: /_include/interface-mac.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-mtu.txt +.. cmdinclude:: /_include/interface-mtu.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-ipv6-addr-autoconf.txt +.. cmdinclude:: /_include/interface-ipv6-addr-autoconf.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-ipv6-addr-eui64.txt +.. cmdinclude:: /_include/interface-ipv6-addr-eui64.txt :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-vrf.txt +.. cmdinclude:: /_include/interface-vrf.txt :var0: {{ var0 }} :var1: {{ var1 }} diff --git a/docs/_include/interface-dhcpv6-options.txt b/docs/_include/interface-dhcpv6-options.txt index a54a7dce..a47d9f32 100644 --- a/docs/_include/interface-dhcpv6-options.txt +++ b/docs/_include/interface-dhcpv6-options.txt @@ -30,7 +30,7 @@ set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} dhcpv6-options temporary -.. cmdinclude:: ../_include/interface-dhcpv6-prefix-delegation.txt +.. cmdinclude:: /_include/interface-dhcpv6-prefix-delegation.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: {{ var2 }} diff --git a/docs/_include/interface-vlan-8021ad.txt b/docs/_include/interface-vlan-8021ad.txt index a1e971be..12925ad4 100644 
--- a/docs/_include/interface-vlan-8021ad.txt +++ b/docs/_include/interface-vlan-8021ad.txt @@ -1,4 +1,4 @@ -.. include:: ../_include/need_improvement.txt +.. include:: /_include/need_improvement.txt IEEE 802.1ad_ was an Ethernet networking standard informally known as QinQ as an amendment to IEEE standard 802.1q VLAN interfaces as described above. @@ -28,7 +28,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG (service tag with Ethernet Type = 0x88a8). -.. cmdinclude:: ../_include/interface-address-with-dhcp.txt +.. cmdinclude:: /_include/interface-address-with-dhcp.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -38,7 +38,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: ../_include/interface-description.txt +.. cmdinclude:: /_include/interface-description.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -48,7 +48,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: ../_include/interface-disable.txt +.. cmdinclude:: /_include/interface-disable.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -58,7 +58,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: ../_include/interface-disable-link-detect.txt +.. cmdinclude:: /_include/interface-disable-link-detect.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -68,7 +68,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: ../_include/interface-mac.txt +.. cmdinclude:: /_include/interface-mac.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -78,7 +78,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: ../_include/interface-mtu.txt +.. cmdinclude:: /_include/interface-mtu.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s 
@@ -88,7 +88,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: ../_include/interface-ipv6-addr-autoconf.txt +.. cmdinclude:: /_include/interface-ipv6-addr-autoconf.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -98,7 +98,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: ../_include/interface-ipv6-addr-eui64.txt +.. cmdinclude:: /_include/interface-ipv6-addr-eui64.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -108,7 +108,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: ../_include/interface-vrf.txt +.. cmdinclude:: /_include/interface-vrf.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -120,7 +120,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG **DHCP(v6)** -.. cmdinclude:: ../_include/interface-dhcp-options.txt +.. cmdinclude:: /_include/interface-dhcp-options.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -130,7 +130,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. cmdinclude:: ../_include/interface-dhcpv6-options.txt +.. cmdinclude:: /_include/interface-dhcpv6-options.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif-s @@ -140,4 +140,4 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG :var6: :var7: 20 -.. include:: ../common-references.rst +.. include:: /common-references.rst diff --git a/docs/_include/interface-vlan-8021q.txt b/docs/_include/interface-vlan-8021q.txt index 2c7e58f7..37f652f3 100644 --- a/docs/_include/interface-vlan-8021q.txt +++ b/docs/_include/interface-vlan-8021q.txt 
@@ -29,63 +29,63 @@ term used for this is ``vif``. .. note:: Only 802.1Q-tagged packets are accepted on Ethernet vifs. -.. cmdinclude:: ../_include/interface-address-with-dhcp.txt +.. cmdinclude:: /_include/interface-address-with-dhcp.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. cmdinclude:: ../_include/interface-description.txt +.. cmdinclude:: /_include/interface-description.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. cmdinclude:: ../_include/interface-disable.txt +.. cmdinclude:: /_include/interface-disable.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. cmdinclude:: ../_include/interface-disable-link-detect.txt +.. cmdinclude:: /_include/interface-disable-link-detect.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. cmdinclude:: ../_include/interface-mac.txt +.. cmdinclude:: /_include/interface-mac.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. cmdinclude:: ../_include/interface-mtu.txt +.. cmdinclude:: /_include/interface-mtu.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. cmdinclude:: ../_include/interface-ipv6-addr-autoconf.txt +.. cmdinclude:: /_include/interface-ipv6-addr-autoconf.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. cmdinclude:: ../_include/interface-ipv6-addr-eui64.txt +.. cmdinclude:: /_include/interface-ipv6-addr-eui64.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. cmdinclude:: ../_include/interface-vrf.txt +.. cmdinclude:: /_include/interface-vrf.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif 
@@ -94,18 +94,18 @@ term used for this is ``vif``. **DHCP(v6)** -.. cmdinclude:: ../_include/interface-dhcp-options.txt +.. cmdinclude:: /_include/interface-dhcp-options.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. cmdinclude:: ../_include/interface-dhcpv6-options.txt +.. cmdinclude:: /_include/interface-dhcpv6-options.txt :var0: {{ var0 }} :var1: {{ var1 }} :var2: vif :var3: :var4: 10 -.. include:: ../common-references.rst \ No newline at end of file +.. include:: /common-references.rst \ No newline at end of file diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 870e9a08..d9a3ebe3 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -3,6 +3,7 @@ Firewall ======== + Overview -------- diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst index 7faddd6f..8ec8f34d 100644 --- a/docs/configuration/interfaces/bonding.rst +++ b/docs/configuration/interfaces/bonding.rst @@ -17,7 +17,7 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-common-with-dhcp.txt +.. cmdinclude:: /_include/interface-common-with-dhcp.txt :var0: bond :var1: bond0 @@ -259,7 +259,7 @@ Bond options VLAN ==== -.. cmdinclude:: ../_include/interface-vlan-8021q.txt +.. cmdinclude:: /_include/interface-vlan-8021q.txt :var0: bond :var1: bond0 diff --git a/docs/configuration/interfaces/bridge.rst b/docs/configuration/interfaces/bridge.rst index dc94a761..766d2aa5 100644 --- a/docs/configuration/interfaces/bridge.rst +++ b/docs/configuration/interfaces/bridge.rst @@ -21,7 +21,7 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-common-with-dhcp.txt +.. cmdinclude:: /_include/interface-common-with-dhcp.txt :var0: bridge :var1: br0 
@@ -116,7 +116,7 @@ links providing fault tolerance if an active link fails. VLAN ==== -.. cmdinclude:: ../_include/interface-vlan-8021q.txt +.. cmdinclude:: /_include/interface-vlan-8021q.txt :var0: bridge :var1: br0 diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst index c36d0024..c9845230 100644 --- a/docs/configuration/interfaces/dummy.rst +++ b/docs/configuration/interfaces/dummy.rst @@ -25,19 +25,19 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-address.txt +.. cmdinclude:: /_include/interface-address.txt :var0: dummy :var1: dum0 -.. cmdinclude:: ../_include/interface-description.txt +.. cmdinclude:: /_include/interface-description.txt :var0: dummy :var1: dum0 -.. cmdinclude:: ../_include/interface-disable.txt +.. cmdinclude:: /_include/interface-disable.txt :var0: dummy :var1: dum0 -.. cmdinclude:: ../_include/interface-vrf.txt +.. cmdinclude:: /_include/interface-vrf.txt :var0: dummy :var1: dum0 diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index f2ab3f67..9311c947 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -14,7 +14,7 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-common-with-dhcp.txt +.. cmdinclude:: /_include/interface-common-with-dhcp.txt :var0: ethernet :var1: eth0 @@ -72,14 +72,14 @@ VLAN Regular VLANs (802.1q) ---------------------- -.. cmdinclude:: ../_include/interface-vlan-8021q.txt +.. cmdinclude:: /_include/interface-vlan-8021q.txt :var0: ethernet :var1: eth0 QinQ (802.1ad) -------------- -.. cmdinclude:: ../_include/interface-vlan-8021ad.txt +.. cmdinclude:: /_include/interface-vlan-8021ad.txt :var0: ethernet :var1: eth0 
diff --git a/docs/configuration/interfaces/geneve.rst b/docs/configuration/interfaces/geneve.rst index 47068687..9e00d621 100644 --- a/docs/configuration/interfaces/geneve.rst +++ b/docs/configuration/interfaces/geneve.rst @@ -39,7 +39,7 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-common-without-dhcp.txt +.. cmdinclude:: /_include/interface-common-without-dhcp.txt :var0: geneve :var1: gnv0 diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index 4c9cbf9b..a4b7be36 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst @@ -1,4 +1,4 @@ -.. include:: ../_include/need_improvement.txt +.. include:: /_include/need_improvement.txt .. _l2tpv3-interface: @@ -31,7 +31,7 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-common-without-dhcp.txt +.. cmdinclude:: /_include/interface-common-without-dhcp.txt :var0: l2tpv3 :var1: l2tpeth0 diff --git a/docs/configuration/interfaces/loopback.rst b/docs/configuration/interfaces/loopback.rst index a6d659b5..f7386c62 100644 --- a/docs/configuration/interfaces/loopback.rst +++ b/docs/configuration/interfaces/loopback.rst @@ -26,11 +26,11 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-address.txt +.. cmdinclude:: /_include/interface-address.txt :var0: loopback :var1: lo -.. cmdinclude:: ../_include/interface-description.txt +.. cmdinclude:: /_include/interface-description.txt :var0: loopback :var1: lo diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index ebc8f151..2bf643aa 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst 
@@ -20,7 +20,7 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-common-with-dhcp.txt +.. cmdinclude:: /_include/interface-common-with-dhcp.txt :var0: macsec :var1: macsec0 diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index c6934335..7646959c 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -581,4 +581,4 @@ The following commands let you reset OpenVPN. -.. include:: ../common-references.rst +.. include:: /common-references.rst diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 313edd84..decfd348 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -59,15 +59,15 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-description.txt +.. cmdinclude:: /_include/interface-description.txt :var0: pppoe :var1: pppoe0 -.. cmdinclude:: ../_include/interface-disable.txt +.. cmdinclude:: /_include/interface-disable.txt :var0: pppoe :var1: pppoe0 -.. cmdinclude:: ../_include/interface-vrf.txt +.. cmdinclude:: /_include/interface-vrf.txt :var0: pppoe :var1: pppoe0 @@ -177,7 +177,7 @@ IPv6 Use this command to enable acquisition of IPv6 address using stateless autoconfig (SLAAC). -.. cmdinclude:: ../_include/interface-dhcpv6-prefix-delegation.txt +.. cmdinclude:: /_include/interface-dhcpv6-prefix-delegation.txt :var0: pppoe :var1: pppoe0 diff --git a/docs/configuration/interfaces/pseudo-ethernet.rst b/docs/configuration/interfaces/pseudo-ethernet.rst index c2baca39..0471d2e1 100644 --- a/docs/configuration/interfaces/pseudo-ethernet.rst +++ b/docs/configuration/interfaces/pseudo-ethernet.rst 
@@ -45,7 +45,7 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-common-with-dhcp.txt +.. cmdinclude:: /_include/interface-common-with-dhcp.txt :var0: pseudo-ethernet :var1: peth0 @@ -60,6 +60,6 @@ Pseudo Ethernet/MACVLAN options VLAN ==== -.. cmdinclude:: ../_include/interface-vlan-8021q.txt +.. cmdinclude:: /_include/interface-vlan-8021q.txt :var0: pseudo-ethernet :var1: peth0 diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst index 4b9da26b..7b1502f8 100644 --- a/docs/configuration/interfaces/tunnel.rst +++ b/docs/configuration/interfaces/tunnel.rst @@ -16,7 +16,7 @@ a closer look at the protocols and options currently supported by VyOS. Common interface configuration ------------------------------ -.. cmdinclude:: ../_include/interface-common-without-dhcp.txt +.. cmdinclude:: /_include/interface-common-without-dhcp.txt :var0: tunnel :var1: tun0 diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index 40dc5400..95f8de35 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst @@ -39,7 +39,7 @@ Configuration Common interface configuration ------------------------------ -.. cmdinclude:: ../_include/interface-common-without-dhcp.txt +.. cmdinclude:: /_include/interface-common-without-dhcp.txt :var0: vxlan :var1: vxlan0 diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index 2de3b126..82f66cf4 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -30,7 +30,7 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-common-with-dhcp.txt +.. cmdinclude:: /_include/interface-common-with-dhcp.txt :var0: wireless :var1: wlan0 
@@ -378,14 +378,14 @@ VLAN Regular VLANs (802.1q) ---------------------- -.. cmdinclude:: ../_include/interface-vlan-8021q.txt +.. cmdinclude:: /_include/interface-vlan-8021q.txt :var0: wireless :var1: wlan0 QinQ (802.1ad) -------------- -.. cmdinclude:: ../_include/interface-vlan-8021ad.txt +.. cmdinclude:: /_include/interface-vlan-8021ad.txt :var0: wireless :var1: wlan0 diff --git a/docs/configuration/interfaces/wirelessmodem.rst b/docs/configuration/interfaces/wirelessmodem.rst index f9dfa228..a65a47f4 100644 --- a/docs/configuration/interfaces/wirelessmodem.rst +++ b/docs/configuration/interfaces/wirelessmodem.rst @@ -15,15 +15,15 @@ Configuration Common interface configuration ============================== -.. cmdinclude:: ../_include/interface-description.txt +.. cmdinclude:: /_include/interface-description.txt :var0: wirelessmodem :var1: wlm0 -.. cmdinclude:: ../_include/interface-disable.txt +.. cmdinclude:: /_include/interface-disable.txt :var0: wirelessmodem :var1: wlm0 -.. cmdinclude:: ../_include/interface-vrf.txt +.. cmdinclude:: /_include/interface-vrf.txt :var0: wirelessmodem :var1: wlm0 diff --git a/docs/configuration/nat/nptv6.rst b/docs/configuration/nat/nptv6.rst index f4e08325..c09c8336 100644 --- a/docs/configuration/nat/nptv6.rst +++ b/docs/configuration/nat/nptv6.rst @@ -1,4 +1,4 @@ -.. include:: _include/need_improvement.txt +.. include:: /_include/need_improvement.txt .. _nptv6: diff --git a/docs/configuration/policy/index.rst b/docs/configuration/policy/index.rst index 4be494e5..557911d9 100644 --- a/docs/configuration/policy/index.rst +++ b/docs/configuration/policy/index.rst @@ -1,4 +1,4 @@ -.. include:: ../_include/need_improvement.txt +.. include:: /_include/need_improvement.txt ###### Policy @@ -65,7 +65,7 @@ neighbor. You now see the longer AS path. -.. include:: ../_include/need_improvement.txt +.. include:: /_include/need_improvement.txt .. _routing-pbr: 
diff --git a/docs/contributing/debugging.rst b/docs/contributing/debugging.rst index ac2e0510..fcd62c89 100644 --- a/docs/contributing/debugging.rst +++ b/docs/contributing/debugging.rst @@ -143,4 +143,4 @@ order of the scripts. .. _vyatta-cfg: https://github.com/vyos/vyatta-cfg .. _bootchart.conf: https://github.com/vyos/vyos-build/blob/current/data/live-build-config/includes.chroot/etc/systemd/bootchart.conf -.. include:: ../common-references.rst +.. include:: /common-references.rst diff --git a/docs/contributing/development.rst b/docs/contributing/development.rst index 86371845..0a7fecb5 100644 --- a/docs/contributing/development.rst +++ b/docs/contributing/development.rst @@ -711,4 +711,4 @@ http://dev.packages.vyos.net/repositories/. .. _`VLAN (VIF)`: https://github.com/vyos/vyos-1x/tree/current/interface-definitions/include/vif.xml.i .. _`MAC address`: https://github.com/vyos/vyos-1x/tree/current/interface-definitions/include/interface-mac.xml.i -.. include:: ../common-references.rst +.. include:: /common-references.rst diff --git a/docs/contributing/documentation.rst b/docs/contributing/documentation.rst index 9dd0c495..0276a7d2 100644 --- a/docs/contributing/documentation.rst +++ b/docs/contributing/documentation.rst @@ -325,4 +325,4 @@ predefined structure. .. _reStructuredTextDirectives: https://docutils.sourceforge.io/docs/ref/rst/directives.html .. _README.md: https://github.com/vyos/vyos-documentation/blob/master/README.md -.. include:: ../common-references.rst +.. include:: /common-references.rst diff --git a/docs/contributing/issues-features.rst b/docs/contributing/issues-features.rst index 60e49974..473d49d9 100644 --- a/docs/contributing/issues-features.rst +++ b/docs/contributing/issues-features.rst @@ -77,4 +77,4 @@ the left side under the specific project. .. _Slack: https://slack.vyos.io .. _Forum: https://forum.vyos.io -.. include:: ../common-references.rst +.. include:: /common-references.rst 
diff --git a/docs/interfaces/advanced-index.rst b/docs/interfaces/advanced-index.rst deleted file mode 100644 index 7b9bde1e..00000000 --- a/docs/interfaces/advanced-index.rst +++ /dev/null @@ -1,23 +0,0 @@ -.. _advanced_network-interfaces: - -################## -Network Interfaces -################## - -.. toctree:: - :maxdepth: 1 - - bond - bridge - dummy - ethernet - geneve - loopback - l2tpv3 - macsec - pppoe - pseudo-ethernet - tunnel - vxlan - wireless - wirelessmodem diff --git a/docs/interfaces/basic-index.rst b/docs/interfaces/basic-index.rst deleted file mode 100644 index 425792a2..00000000 --- a/docs/interfaces/basic-index.rst +++ /dev/null @@ -1,12 +0,0 @@ -.. _basic_network-interfaces: - -######################## -Basic Network Interfaces -######################## - -.. toctree:: - :maxdepth: 1 - - ethernet - loopback - pppoe diff --git a/docs/routing/bfd.rst b/docs/routing/bfd.rst index 1d494332..b8fdf489 100644 --- a/docs/routing/bfd.rst +++ b/docs/routing/bfd.rst @@ -1,4 +1,4 @@ -.. include:: ../_include/need_improvement.txt +.. include:: /_include/need_improvement.txt .. _routing-bfd: diff --git a/docs/routing/ospf.rst b/docs/routing/ospf.rst index fe05178b..19787b11 100644 --- a/docs/routing/ospf.rst +++ b/docs/routing/ospf.rst @@ -1,4 +1,4 @@ -.. include:: ../_include/need_improvement.txt +.. include:: /_include/need_improvement.txt .. _routing-ospf: diff --git a/docs/routing/rip.rst b/docs/routing/rip.rst index 68868e37..0d73ad34 100644 --- a/docs/routing/rip.rst +++ b/docs/routing/rip.rst @@ -1,4 +1,4 @@ -.. include:: ../_include/need_improvement.txt +.. include:: /_include/need_improvement.txt .. _rip: diff --git a/docs/services/conntrack.rst b/docs/services/conntrack.rst index c361d293..55cd088e 100644 --- a/docs/services/conntrack.rst +++ b/docs/services/conntrack.rst @@ -1,4 +1,4 @@ -.. include:: ../_include/need_improvement.txt +.. include:: /_include/need_improvement.txt Conntrack --------- 
diff --git a/docs/services/ipoe-server.rst b/docs/services/ipoe-server.rst index 3aedf966..279f0c6d 100644 --- a/docs/services/ipoe-server.rst +++ b/docs/services/ipoe-server.rst @@ -1,4 +1,4 @@ -.. include:: ../_include/need_improvement.txt +.. include:: /_include/need_improvement.txt .. _ipoe_server: @@ -146,4 +146,4 @@ The rate-limit is set in kbit/sec. -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------ ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | 500/500 | active | 00:00:05 | dccc870fd31349fb -.. include:: ../common-references.rst +.. include:: /common-references.rst diff --git a/docs/services/pppoe-server.rst b/docs/services/pppoe-server.rst index e710ba6a..4deb6c7e 100644 --- a/docs/services/pppoe-server.rst +++ b/docs/services/pppoe-server.rst @@ -394,4 +394,4 @@ a /56 subnet for the clients internal use. --------+----------+-------------+--------------------------+---------------------+-------------------+------------+--------+----------+----------+---------- ppp0 | test | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb | | active | 00:00:49 | 875 B | 2.1 KiB -.. include:: ../common-references.rst +.. include:: /common-references.rst diff --git a/docs/system/lcd.rst b/docs/system/lcd.rst index 441becf5..2509946e 100644 --- a/docs/system/lcd.rst +++ b/docs/system/lcd.rst @@ -41,5 +41,5 @@ Configuration .. note:: We can't support all displays from the beginning. If your display type is missing, please create a feature request via Phabricator_. -.. include:: ../common-references.rst +.. include:: /common-references.rst diff --git a/docs/vpn/sstp.rst b/docs/vpn/sstp.rst index e5567cb6..f5e4ad05 100644 --- a/docs/vpn/sstp.rst +++ b/docs/vpn/sstp.rst 
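Review bot: the `cmdinclude` directive is project-defined, not Sphinx's built-in `include`, so every `../_include/...` to `/_include/...` hunk in the interface pages (bonding.rst through wirelessmodem.rst and the two VLAN include files) depends on that directive resolving a leading `/` against the documentation source directory the way `include` does. An implementation that joins the argument onto the current file's directory would treat `/_include/interface-common-with-dhcp.txt` as a filesystem-absolute path and fail to find it; a clean `sphinx-build` with warnings treated as errors is the check to run before merging.

Review bot: in the interface-vlan-8021q.txt hunk both the removed and the added last line carry `\ No newline at end of file`; since that line is being edited anyway, add the trailing newline so the file ends cleanly and the next diff of that line does not drag the marker along again.

Review bot: the nptv6.rst hunk fixes a different defect from the rest of the series: the old line was `.. include:: _include/need_improvement.txt` with no `../`, which could never resolve from docs/configuration/nat/, so this is a genuine broken-include fix rather than a path normalisation and deserves a mention in the commit message.

Review bot: deleting docs/interfaces/advanced-index.rst and docs/interfaces/basic-index.rst removes two toctree roots and the `.. _advanced_network-interfaces:` and `.. _basic_network-interfaces:` labels, but nothing in this patch updates a parent toctree or a `:ref:` that pointed at them; confirm with a build that no "document isn't included in any toctree" or undefined-label warning is introduced.

Review bot: the docs/configuration/firewall/index.rst hunk only inserts a blank line after the `Firewall` title underline; it is unrelated to the path change and could be dropped from this commit or folded into the later firewall edit.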
@@ -344,4 +344,4 @@ A connection attempt will be shown as: .. _sstpc: https://github.com/reliablehosting/sstp-client -.. include:: ../common-references.rst +.. include:: /common-references.rst -- cgit v1.2.3 From 8943fc9f877cbee3301a8261ddd27b4b1f15f174 Mon Sep 17 00:00:00 2001 
From: rebortg Date: Mon, 30 Nov 2020 20:53:36 +0100 Subject: arrange services and protocols --- docs/automation/http-api.rst | 166 ------ docs/configuration/firewall/index.rst | 65 +++ docs/configuration/protocols/bfd.rst | 117 ++++ docs/configuration/protocols/bgp.rst | 335 +++++++++++ docs/configuration/protocols/igmp-proxy.rst | 2 + docs/configuration/protocols/igmp.rst | 244 ++++++++ docs/configuration/protocols/index.rst | 22 + docs/configuration/protocols/mpls.rst | 157 +++++ docs/configuration/protocols/ospf.rst | 70 +++ docs/configuration/protocols/ospfv3.rst | 71 +++ docs/configuration/protocols/pim.rst | 2 + docs/configuration/protocols/rip.rst | 37 ++ docs/configuration/protocols/ripng.rst | 3 + docs/configuration/protocols/rpki.rst | 113 ++++ docs/configuration/protocols/static.rst | 195 +++++++ docs/configuration/protocols/vrf.rst | 3 + docs/configuration/service/broadcast-relay.rst | 61 ++ docs/configuration/service/conntrack-sync.rst | 200 +++++++ docs/configuration/service/console-server.rst | 107 ++++ docs/configuration/service/dhcp-relay.rst | 2 + docs/configuration/service/dhcp-server.rst | 776 +++++++++++++++++++++++++ docs/configuration/service/dhcpv6-relay.rst | 2 + docs/configuration/service/dhcpv6-server.rst | 2 + docs/configuration/service/dns.rst | 313 ++++++++++ docs/configuration/service/https.rst | 166 ++++++ docs/configuration/service/index.rst | 29 + docs/configuration/service/ipoe-server.rst | 149 +++++ docs/configuration/service/lldp.rst | 141 +++++ docs/configuration/service/mdns.rst | 44 ++ docs/configuration/service/pppoe-advert.rst | 2 + docs/configuration/service/pppoe-server.rst | 397 +++++++++++++ docs/configuration/service/router-advert.rst | 89 +++ docs/configuration/service/salt-minion.rst | 2 + docs/configuration/service/snmp.rst | 266 +++++++++ docs/configuration/service/ssh.rst | 106 ++++ docs/configuration/service/tftp-server.rst | 54 ++ docs/configuration/service/webproxy.rst | 153 +++++ docs/operation/index.rst | 10 
+ docs/operation/ip-commands.rst | 258 ++++++++ docs/routing/arp.rst | 59 -- docs/routing/bfd.rst | 117 ---- docs/routing/bgp.rst | 335 ----------- docs/routing/index.rst | 22 - docs/routing/ip-commands.rst | 258 -------- docs/routing/mpls.rst | 157 ----- docs/routing/mss-clamp.rst | 63 -- docs/routing/multicast.rst | 244 -------- docs/routing/ospf.rst | 141 ----- docs/routing/rip.rst | 37 -- docs/routing/rpki.rst | 113 ---- docs/routing/static.rst | 134 ----- docs/services/conntrack.rst | 200 ------- docs/services/console-server.rst | 107 ---- docs/services/dhcp.rst | 776 ------------------------- docs/services/dns-forwarding.rst | 147 ----- docs/services/dynamic-dns.rst | 164 ------ docs/services/index.rst | 26 - docs/services/ipoe-server.rst | 149 ----- docs/services/lldp.rst | 141 ----- docs/services/mdns-repeater.rst | 44 -- docs/services/pppoe-server.rst | 397 ------------- docs/services/router-advert.rst | 89 --- docs/services/snmp.rst | 266 --------- docs/services/ssh.rst | 106 ---- docs/services/tftp.rst | 54 -- docs/services/udp-broadcast-relay.rst | 61 -- docs/services/webproxy.rst | 153 ----- 67 files changed, 4765 insertions(+), 4726 deletions(-) delete mode 100644 docs/automation/http-api.rst create mode 100644 docs/configuration/protocols/bfd.rst create mode 100644 docs/configuration/protocols/bgp.rst create mode 100644 docs/configuration/protocols/igmp-proxy.rst create mode 100644 docs/configuration/protocols/igmp.rst create mode 100644 docs/configuration/protocols/index.rst create mode 100644 docs/configuration/protocols/mpls.rst create mode 100644 docs/configuration/protocols/ospf.rst create mode 100644 docs/configuration/protocols/ospfv3.rst create mode 100644 docs/configuration/protocols/pim.rst create mode 100644 docs/configuration/protocols/rip.rst create mode 100644 docs/configuration/protocols/ripng.rst create mode 100644 docs/configuration/protocols/rpki.rst create mode 100644 docs/configuration/protocols/static.rst create mode 100644 
docs/configuration/protocols/vrf.rst create mode 100644 docs/configuration/service/broadcast-relay.rst create mode 100644 docs/configuration/service/conntrack-sync.rst create mode 100644 docs/configuration/service/console-server.rst create mode 100644 docs/configuration/service/dhcp-relay.rst create mode 100644 docs/configuration/service/dhcp-server.rst create mode 100644 docs/configuration/service/dhcpv6-relay.rst create mode 100644 docs/configuration/service/dhcpv6-server.rst create mode 100644 docs/configuration/service/dns.rst create mode 100644 docs/configuration/service/https.rst create mode 100644 docs/configuration/service/index.rst create mode 100644 docs/configuration/service/ipoe-server.rst create mode 100644 docs/configuration/service/lldp.rst create mode 100644 docs/configuration/service/mdns.rst create mode 100644 docs/configuration/service/pppoe-advert.rst create mode 100644 docs/configuration/service/pppoe-server.rst create mode 100644 docs/configuration/service/router-advert.rst create mode 100644 docs/configuration/service/salt-minion.rst create mode 100644 docs/configuration/service/snmp.rst create mode 100644 docs/configuration/service/ssh.rst create mode 100644 docs/configuration/service/tftp-server.rst create mode 100644 docs/configuration/service/webproxy.rst create mode 100644 docs/operation/index.rst create mode 100644 docs/operation/ip-commands.rst delete mode 100644 docs/routing/arp.rst delete mode 100644 docs/routing/bfd.rst delete mode 100644 docs/routing/bgp.rst delete mode 100644 docs/routing/index.rst delete mode 100644 docs/routing/ip-commands.rst delete mode 100644 docs/routing/mpls.rst delete mode 100644 docs/routing/mss-clamp.rst delete mode 100644 docs/routing/multicast.rst delete mode 100644 docs/routing/ospf.rst delete mode 100644 docs/routing/rip.rst delete mode 100644 docs/routing/rpki.rst delete mode 100644 docs/routing/static.rst delete mode 100644 docs/services/conntrack.rst delete mode 100644 
docs/services/console-server.rst delete mode 100644 docs/services/dhcp.rst delete mode 100644 docs/services/dns-forwarding.rst delete mode 100644 docs/services/dynamic-dns.rst delete mode 100644 docs/services/index.rst delete mode 100644 docs/services/ipoe-server.rst delete mode 100644 docs/services/lldp.rst delete mode 100644 docs/services/mdns-repeater.rst delete mode 100644 docs/services/pppoe-server.rst delete mode 100644 docs/services/router-advert.rst delete mode 100644 docs/services/snmp.rst delete mode 100644 docs/services/ssh.rst delete mode 100644 docs/services/tftp.rst delete mode 100644 docs/services/udp-broadcast-relay.rst delete mode 100644 docs/services/webproxy.rst (limited to 'docs/configuration/firewall') diff --git a/docs/automation/http-api.rst b/docs/automation/http-api.rst deleted file mode 100644 index 49f2dbd9..00000000 --- a/docs/automation/http-api.rst +++ /dev/null 
@@ -1,166 +0,0 @@ -.. _http-api: - -######## -HTTP-API -######## - -Enabling HTTP-API ------------------ - -VyOS HTTP API can be enabled through the ``set service https api`` command. - -.. code-block:: none - - set service https api debug - set service https api keys id MY-HTTP-API-ID key MY-HTTP-API-PLAINTEXT-KEY - -The local API process listens on localhost:8080, and nginx exposes it on all -virtual servers, by default. For the purpose of illustration below, we will -assume nginx is running at https://192.168.122.127. - -One can limit proxying to specific listen addresses/ports/server-names by -defining a ``service https virtual-host ``, and setting ``service https -api-restrict virtual-host ``. - -.. code-block:: none - - set service https virtual-host example listen-address 192.168.122.127 - set service https virtual-host example listen-port 44302 - set service https virtual-host example server-name example.net - - set service https api-restrict virtual-host example - -In this example, nginx will proxy only those requests to -192.168.122.127:44302 or example.net:44302 (assuming the DNS record is -viable). Omitting any of listen-address, listen-port, or server-name, will -leave appropriate defaults in the nginx directive. Multiple instances of -``service https api-restrict virtual-host`` may be set. - -Configuration mode requests ---------------------------- - -In our example, we are creating a dummy interface and assigning an address to it: - -.. code-block:: none - - curl -k -X POST -F data='{"op": "set", "path": ["interfaces", "dummy", "dum1", "address"], "value": "203.0.113.76/32"}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/configure - -The ``/configure`` endpoint takes a request serialized in JSON. The only HTTP method it uses is POST. Request data is passed in the ``data=`` field and the API key is passed in the ``key=`` field. 
Key identifiers from the config are purely informational and the application doesn't need to know them, they only appear in the server logs to avoid exposing keys in log files, you only need the key itself. - -Since internally there is no distinction between a path and a value, you can omit the value field and include the value in the path like it's done in the shell commands: - -.. code-block:: none - - curl -k -X POST -F data='{"op": "set", "path": ["interfaces", "dummy", "dum10", "address", "203.0.113.99/32"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/configure - -Separate value field make the semantics more clear though, and also makes it easier to create a command template once and update it with different values as needed. - -You can pass the ``set``, ``delete`` or ``comment`` command to it. The API will push the command to the session and commit. - -To retrieve a value: - -.. code-block:: none - - curl -k -X POST -F data='{"op": "returnValue", "path": ["interfaces", "dummy", "dum1", "address"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/retrieve - -Use ``returnValues`` for multi-valued nodes. - - -Show config -""""""""""" - -To retrieve the full config under a path: - -.. code-block:: none - - # curl -k -X POST -F data='{"op": "showConfig", "path": ["interfaces", "dummy"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/retrieve - -It will return: - -.. code-block:: none - - {"success": true, "data": {"dummy": {"dum1": {"address": "203.0.113.76/32"}}}, "error": null} - -Passing an empty path will return the full config: - -.. code-block:: none - - # curl -k -X POST -F data='{"op": "showConfig", "path": []}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/retrieve - - -Configuration management requests ---------------------------------- - -When saving or loading a configuration, the endpoint is ``/config-file`` and you can pass the ``save`` or ``load`` command. 
- -If you don't specify the file when saving, it saves to ``/config/config.boot``. Here's an example: - -.. code-block:: none - - # curl -k -X POST -F key=MY-HTTP-API-PLAINTEXT-KEY -Fdata='{"op": "save", "file": "/config/config.boot"}' https://192.168.122.127/config-file - -Image management requests -------------------------- - -One may ``add`` or ``delete`` a system image using the endpoint ``/image``. Here are the respective examples: - -``add`` from ``url``. Here we use the URL of the latest rolling release: - -.. code-block:: none - - # curl -k -X POST -F data='{"op": "add", "url": "https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso"}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/image - -``delete`` by image ``name``. For example: - -.. code-block:: none - - # curl -k -X POST -F data='{"op": "delete", "name": "1.3-rolling-202006070117"}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/image - -To list the available system images by name, one may use the operational mode request ``show`` discussed in the next section; in this setting it would be: - -.. code-block:: none - - # curl -k -X POST -F data='{"op": "show", "path": ["system", "image"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/show - -Operational mode requests -------------------------- - -It is possible to run ``show`` and ``generate`` commands: - - -Request: - -.. code-block:: none - - curl -k -X POST -F data='{"op": "generate", "path": ["wireguard", "default-keypair"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/generate - -Response: - -.. code-block:: none - - {"success": true, "data": "", "error": null} - -Request: - -.. code-block:: none - - curl -k -X POST -F data='{"op": "show", "path": ["wireguard", "keypairs", "pubkey", "default"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/show - -Response: - -.. code-block:: none - - {"success": true, "data": "=\n", "error": null} - -Request: - -.. 
code-block:: none - - curl -k -X POST -F data='{"op": "show", "path": ["ip", "route"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/show - -Response: - -.. code-block:: none - - {"success": true, "data": "Codes: K - kernel route, C - connected, S - static, R - RIP,\n O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,\n T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,\n F - PBR, f - OpenFabric,\n > - selected route, * - FIB route, q - queued route, r - rejected route\n\nS>* 0.0.0.0/0 [210/0] via 192.168.100.1, eth0, 01:41:05\nC>* 192.168.0.0/24 is directly connected, eth1, 01:41:09\nC>* 192.168.100.0/24 is directly connected, eth0, 01:41:05\nC>* 203.0.113.76/32 is directly connected, dum1, 01:38:40\n", "error": null} - diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index d9a3ebe3..2615774f 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst 
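Review bot: this deletion removes the `.. _http-api:` label together with the page, while the diffstat shows docs/configuration/service/https.rst created with the same 166 lines. If the content moved there, keep the `http-api` label in the new file so existing `:ref:` links keep resolving, and commit the move as a rename so the review shows a diff of the content rather than a full delete plus add. While it is being re-homed, the examples use `curl -k` throughout against the key `MY-HTTP-API-PLAINTEXT-KEY`; `-k` disables TLS certificate verification, so a one-line note that it belongs only to the self-signed lab setup these examples describe, and that the key is a bearer credential to be kept out of shell history and logs, would help readers who copy the commands into production.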
@@ -766,3 +766,68 @@ Example Partial Config } } } + + +.. _routing-mss-clamp: + +################ +TCP-MSS Clamping +################ + +As Internet wide PMTU discovery rarely works, we sometimes need to clamp +our TCP MSS value to a specific value. This is a field in the TCP +Options part of a SYN packet. By setting the MSS value, you are telling +the remote side unequivocally 'do not try to send me packets bigger than +this value'. + +Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS +value for IPv4 and IPv6. + + +.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting + in 1452 bytes on a 1492 byte MTU. + + +IPv4 +==== + +.. cfgcmd:: set firewall options interface adjust-mss + + Use this command to set the maximum segment size for IPv4 transit + packets on a specific interface (500-1460 bytes). + +Example +------- + +Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and +`1372` +for your WireGuard `wg02` tunnel. + +.. code-block:: none + + set firewall options interface pppoe0 adjust-mss '1452' + set firewall options interface wg02 adjust-mss '1372' + +IPv6 +==== + +.. cfgcmd:: set firewall options interface adjust-mss6 + + Use this command to set the maximum segment size for IPv6 transit + packets on a specific interface (1280-1492 bytes). + +Example +------- + +Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and +`wg02` interface. + +.. code-block:: none + + set firewall options interface pppoe0 adjust-mss6 '1280' + set firewall options interface wg02 adjust-mss6 '1280' + + + +.. hint:: When doing your byte calculations, you might find useful this + `Visual packet size calculator `_. diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst new file mode 100644 index 00000000..b8fdf489 --- /dev/null +++ b/docs/configuration/protocols/bfd.rst 
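Review bot: the ``.. note::`` states ``MSS value = MTU - 20 (IP header) - 20 (TCP header)`` and the 1452/1492 figures, which hold for IPv4 only, yet it sits above both the IPv4 and the IPv6 subsections. The IPv6 header is 40 bytes, so the same 1492 byte MTU gives an MSS of 1432; either give both formulas in the note or move it under the IPv4 heading so readers do not carry 1452 into ``adjust-mss6``. Minor: as rendered here the ``cfgcmd`` lines ``set firewall options interface adjust-mss`` and ``adjust-mss6`` show no interface and value placeholders while the examples below supply both, and the ``Visual packet size calculator`` hint has no visible link target; check both in the source.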
@@ -0,0 +1,117 @@ +.. include:: /_include/need_improvement.txt + +.. _routing-bfd: + +### +BFD +### + +:abbr:`BFD (Bidirectional Forwarding Detection)` is described and extended by +the following RFCs: :rfc:`5880`, :rfc:`5881` and :rfc:`5883`. + + +Configure BFD +============= + +.. cfgcmd:: set protocols bfd peer
+ + Set BFD peer IPv4 address or IPv6 address + +.. cfgcmd:: set protocols bfd peer
echo-mode + + Enables the echo transmission mode + +.. cfgcmd:: set protocols bfd peer
multihop + + Allow this BFD peer to not be directly connected + +.. cfgcmd:: set protocols bfd peer
source [address
| interface ] + + Bind listener to specifid interface/address, mandatory for IPv6 + +.. cfgcmd:: set protocols bfd peer
interval echo-interval <10-60000> + + The minimal echo receive transmission interval that this system is capable of handling + +.. cfgcmd:: set protocols bfd peer
interval multiplier <2-255> + + Remote transmission interval will be multiplied by this value + +.. cfgcmd:: set protocols bfd peer
interval [receive | transmit] <10-60000> + + Interval in milliseconds + +.. cfgcmd:: set protocols bfd peer
shutdown + + Disable a BFD peer + + +Enable BFD in BGP +----------------- + +.. cfgcmd:: set protocols bgp neighbor
bfd + + Enable BFD on a single BGP neighbor + +.. cfgcmd:: set protocols bgp peer-group bfd + + Enable BFD on a BGP peer group + + + +Enable BFD in OSPF +------------------ + +.. cfgcmd:: set interfaces ethernet ip ospf bfd + + Enable BFD for ospf on a interface + +.. cfgcmd:: set interfaces ethernet ipv6 ospfv3 bfd + + Enable BFD for ospfv3 on a interface + + + +Operational Commands +==================== + +.. opcmd:: show protocols bfd peer + + Show all BFD peers + + .. code-block:: none + + BFD Peers: + peer 198.51.100.33 vrf default interface eth4.100 + ID: 4182341893 + Remote ID: 12678929647 + Status: up + Uptime: 1 month(s), 16 hour(s), 29 minute(s), 38 second(s) + Diagnostics: ok + Remote diagnostics: ok + Local timers: + Receive interval: 300ms + Transmission interval: 300ms + Echo transmission interval: 50ms + Remote timers: + Receive interval: 300ms + Transmission interval: 300ms + Echo transmission interval: 0ms + + peer 198.51.100.55 vrf default interface eth4.101 + ID: 4618932327 + Remote ID: 3312345688 + Status: up + Uptime: 20 hour(s), 16 minute(s), 19 second(s) + Diagnostics: ok + Remote diagnostics: ok + Local timers: + Receive interval: 300ms + Transmission interval: 300ms + Echo transmission interval: 50ms + Remote timers: + Receive interval: 300ms + Transmission interval: 300ms + Echo transmission interval: 0ms + + diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst new file mode 100644 index 00000000..c576d836 --- /dev/null +++ b/docs/configuration/protocols/bgp.rst 
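Review bot: the ``show protocols bfd peer`` sample output contains discriminators that cannot occur: ``Remote ID: 12678929647`` and ``ID: 4618932327`` exceed 32 bits, and the BFD My/Your Discriminator fields (RFC 5880) are 32-bit, so 4294967295 is the maximum. Use in-range values so the sample is not copied into parsers or tests as realistic data. Wording: ``Bind listener to specifid interface/address`` should read ``specified``, and ``Enable BFD for ospf on a interface`` (and the ospfv3 copy) should be ``an interface``; as shown, the ``set interfaces ethernet ip ospf bfd`` and ``ipv6 ospfv3 bfd`` directives also lack the interface name between ``ethernet`` and ``ip``.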
@@ -0,0 +1,335 @@ +.. _bgp: + +### +BGP +### + +:abbr:`BGP (Border Gateway Protocol)` is one of the Exterior Gateway Protocols +and the de facto standard interdomain routing protocol. The latest BGP version +is 4. BGP-4 is described in :rfc:`1771` and updated by :rfc:`4271`. :rfc:`2858` +adds multiprotocol support to BGP. + +VyOS makes use of :abbr:`FRR (Free Range Routing)` and we would like to thank +them for their effort! + +Basic Concepts +============== + +.. _bgp-autonomous-systems: + +Autonomous Systems +------------------ + +From :rfc:`1930`: + + An AS is a connected group of one or more IP prefixes run by one or more + network operators which has a SINGLE and CLEARLY DEFINED routing policy. + +Each AS has an identifying number associated with it called an :abbr:`ASN +(Autonomous System Number)`. This is a two octet value ranging in value from 1 +to 65535. The AS numbers 64512 through 65535 are defined as private AS numbers. +Private AS numbers must not be advertised on the global Internet. + +The :abbr:`ASN (Autonomous System Number)` is one of the essential elements of +BGP. BGP is a distance vector routing protocol, and the AS-Path framework +provides distance vector metric and loop detection to BGP. + +.. _bgp-address-families: + +Address Families +---------------- + +Multiprotocol extensions enable BGP to carry routing information for multiple +network layer protocols. BGP supports an Address Family Identifier (AFI) for +IPv4 and IPv6. + +.. _bgp-route-selection: + +Route Selection +--------------- + +The route selection process used by FRR's BGP implementation uses the following +decision criterion, starting at the top of the list and going towards the +bottom until one of the factors can be used. + +1. **Weight check** + + Prefer higher local weight routes to lower routes. + +2. **Local preference check** + + Prefer higher local preference routes to lower. + +3. 
**Local route check** + + Prefer local routes (statics, aggregates, redistributed) to received routes. + +4. **AS path length check** + + Prefer shortest hop-count AS_PATHs. + +5. **Origin check** + + Prefer the lowest origin type route. That is, prefer IGP origin routes to + EGP, to Incomplete routes. + +6. **MED check** + + Where routes with a MED were received from the same AS, prefer the route + with the lowest MED. + +7. **External check** + + Prefer the route received from an external, eBGP peer over routes received + from other types of peers. + +8. **IGP cost check** + + Prefer the route with the lower IGP cost. + +9. **Multi-path check** + + If multi-pathing is enabled, then check whether the routes not yet + distinguished in preference may be considered equal. If + :cfgcmd:`bgp bestpath as-path multipath-relax` is set, all such routes are + considered equal, otherwise routes received via iBGP with identical AS_PATHs + or routes received from eBGP neighbours in the same AS are considered equal. + +10. **Already-selected external check** + + Where both routes were received from eBGP peers, then prefer the route + which is already selected. Note that this check is not applied if + :cfgcmd:`bgp bestpath compare-routerid` is configured. This check can + prevent some cases of oscillation. + +11. **Router-ID check** + + Prefer the route with the lowest `router-ID`. If the route has an + `ORIGINATOR_ID` attribute, through iBGP reflection, then that router ID is + used, otherwise the `router-ID` of the peer the route was received from is + used. + +12. **Cluster-List length check** + + The route with the shortest cluster-list length is used. The cluster-list + reflects the iBGP reflection path the route has taken. + +13. **Peer address** + + Prefer the route received from the peer with the higher transport layer + address, as a last-resort tie-breaker. + +.. 
_bgp-capability-negotiation: + +Capability Negotiation +---------------------- + +When adding IPv6 routing information exchange feature to BGP. There were some +proposals. :abbr:`IETF (Internet Engineering Task Force)` +:abbr:`IDR (Inter Domain Routing)` adopted a proposal called Multiprotocol +Extension for BGP. The specification is described in :rfc:`2283`. The protocol +does not define new protocols. It defines new attributes to existing BGP. When +it is used exchanging IPv6 routing information it is called BGP-4+. When it is +used for exchanging multicast routing information it is called MBGP. + +*bgpd* supports Multiprotocol Extension for BGP. So if a remote peer supports +the protocol, *bgpd* can exchange IPv6 and/or multicast routing information. + +Traditional BGP did not have the feature to detect a remote peer's +capabilities, e.g. whether it can handle prefix types other than IPv4 unicast +routes. This was a big problem using Multiprotocol Extension for BGP in an +operational network. :rfc:`2842` adopted a feature called Capability +Negotiation. *bgpd* use this Capability Negotiation to detect the remote peer's +capabilities. If a peer is only configured as an IPv4 unicast neighbor, *bgpd* +does not send these Capability Negotiation packets (at least not unless other +optional BGP features require capability negotiation). + +By default, FRR will bring up peering with minimal common capability for the +both sides. For example, if the local router has unicast and multicast +capabilities and the remote router only has unicast capability the local router +will establish the connection with unicast only capability. When there are no +common capabilities, FRR sends Unsupported Capability error and then resets the +connection. + +.. _bgp-router-configuration: + +BGP Router Configuration +======================== + +ASN and Router ID +----------------- + +.. 
cfgcmd:: set protocols bgp + + First of all you must configure BGP router with the :abbr:`ASN (Autonomous + System Number)`. The AS number is an identifier for the autonomous system. + The BGP protocol uses the AS number for detecting whether the BGP connection + is internal or external. + +.. cfgcmd:: set protocols bgp parameters router-id + + This command specifies the router-ID. If router ID is not specified it will + use the highest interface IP address. + +Route Selection +--------------- + +.. cfgcmd:: set protocols bgp parameters bestpath as-path confed + + This command specifies that the length of confederation path sets and + sequences should be taken into account during the BGP best path + decision process. + +.. cfgcmd:: set protocols bgp parameters bestpath as-path multipath-relax + + This command specifies that BGP decision process should consider paths + of equal AS_PATH length candidates for multipath computation. Without + the knob, the entire AS_PATH must match for multipath computation. + +.. cfgcmd:: set protocols bgp parameters bestpath as-path ignore + + Ignore AS_PATH length when selecting a route + +IPv4 +^^^^ + +A simple eBGP configuration: + +**Node 1:** + +.. code-block:: none + + set protocols bgp 65534 neighbor 192.168.0.2 ebgp-multihop '2' + set protocols bgp 65534 neighbor 192.168.0.2 remote-as '65535' + set protocols bgp 65534 neighbor 192.168.0.2 update-source '192.168.0.1' + set protocols bgp 65534 address-family ipv4-unicast network '172.16.0.0/16' + set protocols bgp 65534 parameters router-id '192.168.0.1' + +**Node 2:** + +.. 
code-block:: none + + set protocols bgp 65535 neighbor 192.168.0.1 ebgp-multihop '2' + set protocols bgp 65535 neighbor 192.168.0.1 remote-as '65534' + set protocols bgp 65535 neighbor 192.168.0.1 update-source '192.168.0.2' + set protocols bgp 65535 address-family ipv4-unicast network '172.17.0.0/16' + set protocols bgp 65535 parameters router-id '192.168.0.2' + + +Don't forget, the CIDR declared in the network statement MUST **exist in your +routing table (dynamic or static), the best way to make sure that is true is +creating a static route:** + +**Node 1:** + +.. code-block:: none + + set protocols static route 172.16.0.0/16 blackhole distance '254' + +**Node 2:** + +.. code-block:: none + + set protocols static route 172.17.0.0/16 blackhole distance '254' + + +IPv6 +^^^^ + +A simple BGP configuration via IPv6. + +**Node 1:** + +.. code-block:: none + + set protocols bgp 65534 neighbor 2001:db8::2 ebgp-multihop '2' + set protocols bgp 65534 neighbor 2001:db8::2 remote-as '65535' + set protocols bgp 65534 neighbor 2001:db8::2 update-source '2001:db8::1' + set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast + set protocols bgp 65534 address-family ipv6-unicast network '2001:db8:1::/48' + set protocols bgp 65534 parameters router-id '10.1.1.1' + +**Node 2:** + +.. code-block:: none + + set protocols bgp 65535 neighbor 2001:db8::1 ebgp-multihop '2' + set protocols bgp 65535 neighbor 2001:db8::1 remote-as '65534' + set protocols bgp 65535 neighbor 2001:db8::1 update-source '2001:db8::2' + set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast + set protocols bgp 65535 address-family ipv6-unicast network '2001:db8:2::/48' + set protocols bgp 65535 parameters router-id '10.1.1.2' + +Don't forget, the CIDR declared in the network statement **MUST exist in your +routing table (dynamic or static), the best way to make sure that is true is +creating a static route:** + +**Node 1:** + +.. 
code-block:: none + + set protocols static route6 2001:db8:1::/48 blackhole distance '254' + +**Node 2:** + +.. code-block:: none + + set protocols static route6 2001:db8:2::/48 blackhole distance '254' + +Route Filter +^^^^^^^^^^^^ + +Route filter can be applied using a route-map: + +**Node1:** + +.. code-block:: none + + set policy prefix-list AS65535-IN rule 10 action 'permit' + set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16' + set policy prefix-list AS65535-OUT rule 10 action 'deny' + set policy prefix-list AS65535-OUT rule 10 prefix '172.16.0.0/16' + set policy prefix-list6 AS65535-IN rule 10 action 'permit' + set policy prefix-list6 AS65535-IN rule 10 prefix '2001:db8:2::/48' + set policy prefix-list6 AS65535-OUT rule 10 action 'deny' + set policy prefix-list6 AS65535-OUT rule 10 prefix '2001:db8:2::/48' + set policy route-map AS65535-IN rule 10 action 'permit' + set policy route-map AS65535-IN rule 10 match ip address prefix-list 'AS65535-IN' + set policy route-map AS65535-IN rule 10 match ipv6 address prefix-list 'AS65535-IN' + set policy route-map AS65535-IN rule 20 action 'deny' + set policy route-map AS65535-OUT rule 10 action 'deny' + set policy route-map AS65535-OUT rule 10 match ip address prefix-list 'AS65535-OUT' + set policy route-map AS65535-OUT rule 10 match ipv6 address prefix-list 'AS65535-OUT' + set policy route-map AS65535-OUT rule 20 action 'permit' + set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map export 'AS65535-OUT' + set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map import 'AS65535-IN' + set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map export 'AS65535-OUT' + set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map import 'AS65535-IN' + +**Node2:** + +.. 
code-block:: none + + set policy prefix-list AS65534-IN rule 10 action 'permit' + set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16' + set policy prefix-list AS65534-OUT rule 10 action 'deny' + set policy prefix-list AS65534-OUT rule 10 prefix '172.17.0.0/16' + set policy prefix-list6 AS65534-IN rule 10 action 'permit' + set policy prefix-list6 AS65534-IN rule 10 prefix '2001:db8:1::/48' + set policy prefix-list6 AS65534-OUT rule 10 action 'deny' + set policy prefix-list6 AS65534-OUT rule 10 prefix '2001:db8:1::/48' + set policy route-map AS65534-IN rule 10 action 'permit' + set policy route-map AS65534-IN rule 10 match ip address prefix-list 'AS65534-IN' + set policy route-map AS65534-IN rule 10 match ipv6 address prefix-list 'AS65534-IN' + set policy route-map AS65534-IN rule 20 action 'deny' + set policy route-map AS65534-OUT rule 10 action 'deny' + set policy route-map AS65534-OUT rule 10 match ip address prefix-list 'AS65534-OUT' + set policy route-map AS65534-OUT rule 10 match ipv6 address prefix-list 'AS65534-OUT' + set policy route-map AS65534-OUT rule 20 action 'permit' + set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map export 'AS65534-OUT' + set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map import 'AS65534-IN' + set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map export 'AS65534-OUT' + set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map import 'AS65534-IN' + +We could expand on this and also deny link local and multicast in the rule 20 +action deny. diff --git a/docs/configuration/protocols/igmp-proxy.rst b/docs/configuration/protocols/igmp-proxy.rst new file mode 100644 index 00000000..cce5f948 --- /dev/null +++ b/docs/configuration/protocols/igmp-proxy.rst @@ -0,0 +1,2 @@ +igmp-proxy +########## \ No newline at end of file 
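Review bot: the route-selection list references ``:cfgcmd:`bgp bestpath as-path multipath-relax``` and ``:cfgcmd:`bgp bestpath compare-routerid``` in FRR's own syntax, while the configuration section further down documents the former as ``set protocols bgp parameters bestpath as-path multipath-relax``; use the VyOS form in the role so the cross-reference resolves and readers type the right command (``compare-routerid`` has no VyOS ``cfgcmd`` entry anywhere on this page). ``This is a two octet value ranging in value from 1 to 65535`` is out of date, four-octet AS numbers (RFC 6793) are in general use, and a sentence on that would stop readers assuming the ``65534``/``65535`` values in the examples are the only kind. Sentence fragment: ``When adding IPv6 routing information exchange feature to BGP. There were some proposals.`` Markup: the first ``Don't forget`` paragraph opens bold at ``MUST **exist`` and closes at ``static route:**``, while the IPv6 copy bolds ``**MUST exist``; make the two consistent.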
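Review bot: ``igmp-proxy.rst`` is added as a title-only stub (``igmp-proxy`` plus its ``#`` underline, with ``\ No newline at end of file``) while the full IGMP Proxy section is added to ``igmp.rst`` in this same change; either move that section here or drop the stub, because ``index.rst`` lists both ``igmp`` and ``igmp-proxy`` in its toctree and readers following the second link get an empty page. Add the missing trailing newline in any case.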
diff --git a/docs/configuration/protocols/igmp.rst b/docs/configuration/protocols/igmp.rst new file mode 100644 index 00000000..9104b0c9 --- /dev/null +++ b/docs/configuration/protocols/igmp.rst 
@@ -0,0 +1,244 @@ +.. _multicast: + +######### +Multicast +######### + +VyOS facilitates IP Multicast by supporting **PIM Sparse Mode**, +**IGMP** and **IGMP-Proxy**. + +************ +PIM and IGMP +************ + +PIM (Protocol Independent Multicast) must be configured in every +interface of every participating router. Every router must also have the +location of the Rendevouz Point manually configured. Then, +unidirectional shared trees rooted at the Rendevouz Point will +automatically be built for multicast distribution. + +Traffic from multicast sources will go to the Rendezvous Point, and +receivers will pull it from a shared tree using IGMP (Internet Group +Management Protocol). + +Multicast receivers will talk IGMP to their local router, so, besides +having PIM configured in every router, IGMP must also be configured in +any router where there could be a multicast receiver locally connected. + +VyOS supports both IGMP version 2 and version 3 (which allows +source-specific multicast). + + +Example +======= + +In the following example we can see a basic multicast setup: + +.. image:: /_static/images/multicast-basic.png + :width: 90% + :align: center + :alt: Network Topology Diagram + + + +**Router 1** + +.. code-block:: none + + set interfaces ethernet eth2 address '172.16.0.2/24' + set interfaces ethernet eth1 address '100.64.0.1/24' + set protocols ospf area 0 network '172.16.0.0/24' + set protocols ospf area 0 network '100.64.0.0/24' + set protocols igmp interface eth1 + set protocols pim interface eth1 + set protocols pim interface eth2 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' + +**Router 3** + +.. 
code-block:: none + + set interfaces dummy dum0 address '172.16.255.1/24' + set interfaces ethernet eth0 address '172.16.0.1/24' + set interfaces ethernet eth1 address '172.16.1.1/24' + set protocols ospf area 0 network '172.16.0.0/24' + set protocols ospf area 0 network '172.16.255.0/24' + set protocols ospf area 0 network '172.16.1.0/24' + set protocols pim interface dum0 + set protocols pim interface eth0 + set protocols pim interface eth1 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' + +**Router 2** + +.. code-block:: none + + set interfaces ethernet eth1 address '10.0.0.1/24' + set interfaces ethernet eth2 address '172.16.1.2/24' + set protocols ospf area 0 network '10.0.0.0/24' + set protocols ospf area 0 network '172.16.1.0/24' + set protocols pim interface eth1 + set protocols pim interface eth2 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' + + + + + +Basic commands +============== + +These are the commands for a basic setup. + +.. cfgcmd:: set protocols pim interface + + Use this command to enable PIM in the selected interface so that it + can communicate with PIM neighbors. + + +.. cfgcmd:: set protocols pim rp address
group + + Use this comand to manually configure a Rendevouz Point for PIM so + that join messages can be sent there. Set the Rendevouz Point address + and the matching prefix of group ranges covered. These values must + be shared with every router participating in the PIM network. + + +.. cfgcmd:: set protocols igmp interface eth1 + + Use this command to configure an interface with IGMP so that PIM can + receive IGMP reports and query on the selected interface. By defaul + IGMP version 3 will be used. + + + +Tuning commands +=============== + +You can also tune multicast with the following commands. + +.. cfgcmd:: set protocols pim interface dr-priority + + Use this PIM command in the selected interface to set the priority + (1-4294967295) you want to influence in the election of a node to + become the Designated Router for a LAN segment. The default priority + is 1, set a higher value to give the router more preference in the + DR election process. + + +.. cfgcmd:: set protocols pim int hello + + Use this command to configure the PIM hello interval in seconds + (1-180) for the selected interface. + + +.. cfgcmd:: set protocols pim rp keep-alive-timer + + Use this PIM command to modify the the time out value (31-60000 + seconds) for an `(S,G) `_ + flow. 31 seconds is chosen for a lower bound as some hardware + platforms cannot see data flowing in better than 30 second chunks. + + +.. cfgcmd:: set protocols igmp interface join source + + Use this command to allow the selected interface join a multicast + group defining the multicast address you want to join and the source + IP address too. + + +.. cfgcmd:: set protocols igmp interface + + Use this command to configure in the selected interface the IGMP + host query interval (1-1800) in seconds that PIM will use. + + +.. cfgcmd:: set protocols igmp interface + + Use this command to configure in the selected interface the IGMP + query response timeout value (10-250) in deciseconds. 
If a report is + not returned in the specified time, it will be asumed the `(S,G) or + (*,G) state `_ has + timed out. + + +.. cfgcmd:: set protocols igmp interface version + + Use this command to define in the selected interface whether you + choose IGMP version 2 or 3. The default value is 3. + + + +********** +IGMP Proxy +********** + +:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages +on behalf of a connected client. The configuration must define one, and only one +upstream interface, and one or more downstream interfaces. + +Configuration +============= + +.. cfgcmd:: set protocols igmp-proxy interface role + + * **upstream:** The upstream network interface is the outgoing interface + which is responsible for communicating to available multicast data sources. + There can only be one upstream interface. + + * **downstream:** Downstream network interfaces are the distribution + interfaces to the destination networks, where multicast clients can join + groups and receive multicast data. One or more downstream interfaces must + be configured. + +.. cfgcmd:: set protocols igmp-proxy interface alt-subnet + + Defines alternate sources for multicasting and IGMP data. The network address + must be on the following format 'a.b.c.d/n'. By default the router will + accept data from sources on the same network as configured on an interface. + If the multicast source lies on a remote network, one must define from where + traffic should be accepted. + + This is especially useful for the upstream interface, since the source for + multicast traffic is often from a remote location. + + This option can be supplied multiple times. + +.. cfgcmd:: set protocols igmp-proxy disable-quickleave + + Disables quickleave mode. In this mode the daemon will not send a Leave IGMP + message upstream as soon as it receives a Leave message for any downstream + interface. 
The daemon will not ask for Membership reports on the downstream + interfaces, and if a report is received the group is not joined again + upstream. + + If it's vital that the daemon should act exactly as a real multicast client + on the upstream interface, this function should be enabled. + + Enabling this function increases the risk of bandwidth saturation. + +.. cfgcmd:: set protocols igmp-proxy disable + + Disable this service. + +Example +------- + +Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet +multicast which is in `eth0` WAN we need to configure igmp-proxy. + +.. code-block:: none + + set protocols igmp-proxy interface eth0 role upstream + set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 + set protocols igmp-proxy interface eth1 role downstream + +Operation +========= + +.. opcmd:: restart igmp-proxy + + Restart the IGMP proxy process. + + + diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst new file mode 100644 index 00000000..271b6056 --- /dev/null +++ b/docs/configuration/protocols/index.rst @@ -0,0 +1,22 @@ +######### +Protocols +######### + + +.. toctree:: + :maxdepth: 1 + :includehidden: + + bfd + bgp + igmp + igmp-proxy + mpls + ospf + ospfv3 + pim + rip + ripng + rpki + static + vrf diff --git a/docs/configuration/protocols/mpls.rst b/docs/configuration/protocols/mpls.rst new file mode 100644 index 00000000..82e99a17 --- /dev/null +++ b/docs/configuration/protocols/mpls.rst 
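Review bot: the two ``cfgcmd`` entries for the IGMP query interval (1-1800 seconds) and query response timeout (10-250 deciseconds) both render as a bare ``set protocols igmp interface`` with no option keyword, identical to the basic ``set protocols igmp interface`` entry above them; make sure the option names are present in the source. Related: ``set protocols igmp interface eth1`` in the basic commands uses a concrete interface where every other directive uses a placeholder, and ``set protocols pim int hello`` abbreviates ``interface``. Spelling: ``Rendevouz`` (repeatedly; the same page also has the correct ``Rendezvous``), ``comand``, ``By defaul``, ``asumed``, ``the the time out value``. In the ``disable-quickleave`` text, ``this function should be enabled`` and ``Enabling this function`` refer to setting ``disable-quickleave``, which reads like the opposite of what is meant; name the option explicitly in both sentences.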
@@ -0,0 +1,157 @@ +.. _mpls: + +#################################### +MPLS (Multiprotocol Label Switching) +#################################### + +:abbr:`MPLS (Multi-Protocol Label Switching)` is a packet forwarding paradigm +which differs from regular IP forwarding. Instead of IP addresses being used to +make the decision on finding the exit interface, a router will instead use an +exact match on a 32 bit/4 byte header called the MPLS label. This label is +inserted between the ethernet (layer 2) header and the IP (layer 3) header. +One can statically or dynamically assign label allocations, but we will focus +on dynamic allocation of labels using some sort of label distribution protocol +(such as the aptly named Label Distribution Protocol / LDP, Resource Reservation +Protocol / RSVP, or Segment Routing through OSPF/ISIS). These protocols allow +for the creation of a unidirectional/unicast path called a labeled switched +path (initialized as LSP) throughout the network that operates very much like +a tunnel through the network. An easy way of thinking about how an MPLS LSP +actually forwards traffic throughout a network is to think of a GRE tunnel. +They are not the same in how they operate, but they are the same in how they +handle the tunneled packet. It would be good to think of MPLS as a tunneling +technology that can be used to transport many different types of packets, to +aid in traffic engineering by allowing one to specify paths throughout the +network (using RSVP or SR), and to generally allow for easier intra/inter +network transport of data packets. + +For more information on how MPLS label switching works, please go visit +`Wikipedia (MPLS)`_. + +.. note:: MPLS support in VyOS is not finished yet, and therefore its + functionality is limited. Currently there is no support for MPLS enabled VPN + services such as L3VPNs, L2VPNs, and mVPNs. RSVP support is also not present + as the underlying routing stack (FRR) does not implement it. 
Currently VyOS + can be configured as a label switched router (MPLS P router), in both + penultimate and ultimate hop popping operations. + +Label Distribution Protocol +=========================== + +The :abbr:`MPLS (Multi-Protocol Label Switching)` architecture does not assume +a single protocol to create MPLS paths. VyOS supports the Label Distribution +Protocol (LDP) as implemented by FRR, based on :rfc:`5036`. + +:abbr:`LDP (Label Distribution Protocol)` is a TCP based MPLS signaling protocol +that distributes labels creating MPLS label switched paths in a dynamic manner. +LDP is not a routing protocol, as it relies on other routing protocols for +forwarding decisions. LDP cannot bootstrap itself, and therefore relies on said +routing protocols for communication with other routers that use LDP. + +In order to allow for LDP on the local router to exchange label advertisements +with other routers, a TCP session will be established between automatically +discovered and statically assigned routers. LDP will try to establish a TCP +session to the **transport address** of other routers. Therefore for LDP to +function properly please make sure the transport address is shown in the +routing table and reachable to traffic at all times. + +It is highly recommended to use the same address for both the LDP router-id and +the discovery transport address, but for VyOS MPLS LDP to work both parameters +must be explicitly set in the configuration. + +Configuration Options +===================== + +.. cfgcmd:: set protocols mpls ldp interface + + Use this command to enable LDP, and enable MPLS processing on the interface you + define. + +.. cfgcmd:: set protocols mpls ldp router-id
+ + Use this command to configure the IP address used as the LDP router-id of the + local device. + +.. cfgcmd:: set protocols mpls ldp discovery transport-ipv4-address +.. cfgcmd:: set protocols mpls ldp discovery transport-ipv6-address + + Use this command to set the IPv4 or IPv6 transport-address used by LDP. + +.. cfgcmd:: set protocols mpls ldp neighbor password + + Use this command to configure authentication for LDP peers. Set the + IP address of the LDP peer and a password that should be shared in + order to become neighbors. + +.. cfgcmd:: set protocols mpls ldp discovery hello-interval +.. cfgcmd:: set protocols mpls ldp discovery hello-holdtime + + Use this command if you would like to set the discovery hello and hold time + parameters. + +.. cfgcmd:: set protocols mpls ldp discovery session-ipv4-holdtime +.. cfgcmd:: set protocols mpls ldp discovery session-ipv6-holdtime + + Use this command if you would like to set the TCP session hold time intervals. + +.. cfgcmd:: set protocols mpls ldp export ipv4 explicit-null +.. cfgcmd:: set protocols mpls ldp export ipv6 explicit-null + + Use this command if you would like for the router to advertise FECs with a label + of 0 for explicit null operations. + + +Sample configuration to setup LDP on VyOS +----------------------------------------- + +.. 
code-block:: none + + set protocols ospf area 0 network '192.168.255.252/32' <--- Routing for loopback + set protocols ospf area 0 network '192.168.0.5/32' <--- Routing for an interface connecting to the network + set protocols ospf parameters router-id '192.168.255.252' <--- Router ID setting for OSPF + set protocols mpls ldp discovery transport-ipv4-address '192.168.255.252' <--- Transport address for LDP for TCP sessions to connect to + set protocols mpls ldp interface 'eth1' <--- Enable MPLS and LDP for an interface connecting to network + set protocols mpls ldp interface 'lo' <--- Enable MPLS and LDP on loopback for future services connectivity + set protocols mpls ldp router-id '192.168.255.252' <--- Router ID setting for LDP + set interfaces ethernet eth1 address '192.168.0.5/31' <--- Interface IP for connecting to network + set interfaces loopback lo address '192.168.255.252/32' <--- Interface loopback IP for router ID and other uses + + +Operational Mode Commands +========================= + +When LDP is working, you will be able to see label information in the outcome +of ``show ip route``. Besides that information, there are also specific *show* +commands for LDP: + +Show +---- + +.. opcmd:: show mpls ldp binding + + Use this command to see the Label Information Base. + +.. opcmd:: show mpls ldp discovery + + Use this command to see discovery hello information + +.. opcmd:: show mpls ldp interface + + Use this command to see LDP interface information + +.. opcmd:: show mpls ldp neighbor + + Use this command to see LDP neighbor information + +.. opcmd:: show mpls ldp neighbor detail + + Use this command to see detailed LDP neighbor information + +Reset +----- + +.. opcmd:: reset mpls ldp neighbor + + Use this command to reset an LDP neighbor/TCP session that is established + + +.. _`Wikipedia (MPLS)`: https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching 
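Review bot: the sample LDP configuration brings up sessions with no ``neighbor ... password`` line even though the page documents that option for authenticating LDP peers a few lines earlier; add one to the example (with a placeholder value) so the reference configuration is not the unauthenticated variant. The ``<---`` annotations inside the ``code-block`` are not part of the ``set`` commands and will be pasted along with them; move the explanations above the block or put them in prose. Wording: ``labeled switched path (initialized as LSP)`` should read ``label switched path (abbreviated LSP)``, and as rendered the ``cfgcmd`` lines (``set protocols mpls ldp interface``, ``router-id``, ``transport-ipv4-address`` and the rest) carry no value placeholders; check the directive text in the source.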
diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst new file mode 100644 index 00000000..ff7c5e64 --- /dev/null +++ b/docs/configuration/protocols/ospf.rst 
@@ -0,0 +1,70 @@ +.. include:: /_include/need_improvement.txt + +.. _routing-ospf: + +#### +OSPF +#### + +:abbr:`OSPF (Open Shortest Path First)` is a routing protocol for Internet +Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls +into the group of interior gateway protocols (IGPs), operating within a single +autonomous system (AS). It is defined as OSPF Version 2 in :rfc:`2328` (1998) +for IPv4. Updates for IPv6 are specified as OSPF Version 3 in :rfc:`5340` +(2008). OSPF supports the :abbr:`CIDR (Classless Inter-Domain Routing)` +addressing model. + +OSPF is a widely used IGP in large enterprise networks. + +OSPFv2 (IPv4) +############# + +In order to have a VyOS system exchanging routes with OSPF neighbors, you will +at least need to configure an OSPF area and some network. + +.. code-block:: none + + set protocols ospf area 0 network 192.168.0.0/24 + +That is the minimum configuration you will need. +It is a good practice to define the router ID too. + +.. code-block:: none + + set protocols ospf parameters router-id 10.1.1.1 + + +Below you can see a typical configuration using 2 nodes, redistribute loopback +address and the node 1 sending the default route: + +**Node 1** + +.. code-block:: none + + set interfaces loopback lo address 10.1.1.1/32 + set protocols ospf area 0 network 192.168.0.0/24 + set protocols ospf default-information originate always + set protocols ospf default-information originate metric 10 + set protocols ospf default-information originate metric-type 2 + set protocols ospf log-adjacency-changes + set protocols ospf parameters router-id 10.1.1.1 + set protocols ospf redistribute connected metric-type 2 + set protocols ospf redistribute connected route-map CONNECT + + set policy route-map CONNECT rule 10 action permit + set policy route-map CONNECT rule 10 match interface lo + +**Node 2** + +.. 
code-block:: none + + set interfaces loopback lo address 10.2.2.2/32 + set protocols ospf area 0 network 192.168.0.0/24 + set protocols ospf log-adjacency-changes + set protocols ospf parameters router-id 10.2.2.2 + set protocols ospf redistribute connected metric-type 2 + set protocols ospf redistribute connected route-map CONNECT + + set policy route-map CONNECT rule 10 action permit + set policy route-map CONNECT rule 10 match interface lo + diff --git a/docs/configuration/protocols/ospfv3.rst b/docs/configuration/protocols/ospfv3.rst new file mode 100644 index 00000000..f0e28983 --- /dev/null +++ b/docs/configuration/protocols/ospfv3.rst 
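Review bot: the Node 1 example uses `set protocols ospf default-information originate always` without explaining the `always` keyword; with it the router advertises a default route into area 0 even when it has no default route itself, which can black-hole traffic from the rest of the area if this node loses its upstream. A one-line note after the block ("`always` originates the default regardless of whether a default route is present in the RIB; omit it if the default should only be advertised when it exists") would prevent the most common copy-and-paste mistake with this configuration. Also in this hunk, `redistribute connected` on both nodes is limited by route-map `CONNECT` to the loopback, which is the safe pattern; it is worth stating that explicitly, since the preceding sentence ("redistribute loopback address") is the only hint that the route-map is doing the filtering.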
@@ -0,0 +1,71 @@ +OSPFv3 (IPv6) +############# + +A typical configuration using 2 nodes. + +**Node 1:** + +.. code-block:: none + + set protocols ospfv3 area 0.0.0.0 interface eth1 + set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64 + set protocols ospfv3 parameters router-id 192.168.1.1 + set protocols ospfv3 redistribute connected + +**Node 2:** + +.. code-block:: none + + set protocols ospfv3 area 0.0.0.0 interface eth1 + set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64 + set protocols ospfv3 parameters router-id 192.168.2.1 + set protocols ospfv3 redistribute connected + +.. note:: You can not easily redistribute IPv6 routes via OSPFv3 on a WireGuard + interface link. This requires you to configure link-local addresses manually + on the WireGuard interfaces, see :vytask:`T1483`. + +Example configuration for WireGuard interfaces: + +**Node 1** + +.. code-block:: none + + set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64' + set interfaces wireguard wg01 address '192.168.0.1/24' + set interfaces wireguard wg01 peer ospf02 allowed-ips '::/0' + set interfaces wireguard wg01 peer ospf02 allowed-ips '0.0.0.0/0' + set interfaces wireguard wg01 peer ospf02 endpoint '10.1.1.101:12345' + set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...=' + set interfaces wireguard wg01 port '12345' + set protocols ospfv3 parameters router-id 192.168.1.1 + set protocols ospfv3 area 0.0.0.0 interface 'wg01' + set protocols ospfv3 area 0.0.0.0 interface 'lo' + +**Node 2** + +.. 
code-block:: none + + set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64' + set interfaces wireguard wg01 address '192.168.0.2/24' + set interfaces wireguard wg01 peer ospf01 allowed-ips '::/0' + set interfaces wireguard wg01 peer ospf01 allowed-ips '0.0.0.0/0' + set interfaces wireguard wg01 peer ospf01 endpoint '10.1.1.100:12345' + set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...=' + set interfaces wireguard wg01 port '12345' + set protocols ospfv3 parameters router-id 192.168.1.2 + set protocols ospfv3 area 0.0.0.0 interface 'wg01' + set protocols ospfv3 area 0.0.0.0 interface 'lo' + +**Status** + +.. code-block:: none + + vyos@ospf01:~$ sh ipv6 ospfv3 neighbor + Neighbor ID Pri DeadTime State/IfState Duration I/F[State] + 192.168.0.2 1 00:00:37 Full/PointToPoint 00:18:03 wg01[PointToPoint] + + vyos@ospf02# run sh ipv6 ospfv3 neighbor + Neighbor ID Pri DeadTime State/IfState Duration I/F[State] + 192.168.0.1 1 00:00:39 Full/PointToPoint 00:19:44 wg01[PointToPoint] + diff --git a/docs/configuration/protocols/pim.rst b/docs/configuration/protocols/pim.rst new file mode 100644 index 00000000..1dd373d8 --- /dev/null +++ b/docs/configuration/protocols/pim.rst @@ -0,0 +1,2 @@ +PIM +### \ No newline at end of file diff --git a/docs/configuration/protocols/rip.rst b/docs/configuration/protocols/rip.rst new file mode 100644 index 00000000..0d73ad34 --- /dev/null +++ b/docs/configuration/protocols/rip.rst 
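Review bot: the **Status** output in the WireGuard part of this hunk does not match the configuration above it: Node 1 and Node 2 set `router-id 192.168.1.1` and `router-id 192.168.1.2`, but the `sh ipv6 ospfv3 neighbor` output shows Neighbor IDs `192.168.0.2` and `192.168.0.1`, so one of the two was taken from a different lab. Either regenerate the output or change the router-ids to match, otherwise readers will think the neighbor ID is derived from the interface address. In the same block, both peers are configured with `allowed-ips '::/0'` and `allowed-ips '0.0.0.0/0'`; that is required for the OSPF adjacency over the tunnel but it also means the peer may source any address through the link, so a sentence pointing out that the firewall on `wg01` is the only thing restricting what the remote side can send would be useful. The note about link-local addresses (:vytask:`T1483`) should also say that the `fe80::` addresses in the example are constructed and must be unique per tunnel end.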
@@ -0,0 +1,37 @@ +.. include:: /_include/need_improvement.txt + +.. _rip: + +### +RIP +### + +:abbr:`RIP (Routing Information Protocol)` is a widely deployed interior gateway +protocol. RIP was developed in the 1970s at Xerox Labs as part of the XNS +routing protocol. RIP is a distance-vector protocol and is based on the +Bellman-Ford algorithms. As a distance-vector protocol, RIP router send updates +to its neighbors periodically, thus allowing the convergence to a known +topology. In each update, the distance to any given network will be broadcast +to its neighboring router. + +Supported versions of RIP are: +* RIPv1 as described in :rfc:`1058` +* RIPv2 as described in :rfc:`2453` + +Simple RIP configuration using 2 nodes and redistributing connected interfaces. + +**Node 1:** + +.. code-block:: none + + set interfaces loopback address 10.1.1.1/32 + set protocols rip network 192.168.0.0/24 + set protocols rip redistribute connected + +**Node 2:** + +.. code-block:: none + + set interfaces loopback address 10.2.2.2/32 + set protocols rip network 192.168.0.0/24 + set protocols rip redistribute connected diff --git a/docs/configuration/protocols/ripng.rst b/docs/configuration/protocols/ripng.rst new file mode 100644 index 00000000..dec6bddf --- /dev/null +++ b/docs/configuration/protocols/ripng.rst @@ -0,0 +1,3 @@ +##### +RIPng +##### \ No newline at end of file diff --git a/docs/configuration/protocols/rpki.rst b/docs/configuration/protocols/rpki.rst new file mode 100644 index 00000000..9813b1b6 --- /dev/null +++ b/docs/configuration/protocols/rpki.rst 
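Review bot: both example blocks in the RIP hunk use `set interfaces loopback address 10.1.1.1/32` (and `10.2.2.2/32`), which is missing the interface name; the ospf.rst file in this same commit uses `set interfaces loopback lo address ...`, so these lines should be `set interfaces loopback lo address 10.1.1.1/32` and `set interfaces loopback lo address 10.2.2.2/32` or they will not commit. The bullet list after "Supported versions of RIP are:" has no blank line before it, so reStructuredText will render it as part of the preceding paragraph rather than as a list. Grammar in the intro: "RIP router send updates to its neighbors" should read "a RIP router sends updates to its neighbors", and "Bellman-Ford algorithms" should be singular.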
@@ -0,0 +1,113 @@ +.. _rpki: + +#### +RPKI +#### + +.. pull-quote:: + + There are two types of Network Admins who deal with BGP, those who have + created an international incident and/or outage, and those who are lying + + -- `tweet by EvilMog`_, 2020-02-21 + +:abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI +(Public Key Infrastructure)` designed to secure the Internet routing +infrastructure. It associates BGP route announcements with the correct +originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then +use to check each route against the corresponding :abbr:`ROA (Route Origin +Authorisation)` for validity. RPKI is described in :rfc:`6480`. + +A BGP-speaking router like VyOS can retrieve ROA information from RPKI +"Relying Party software" (often just called an "RPKI server" or "RPKI +validator") by using :abbr:`RTR (RPKI to Router)` protocol. There are several +open source implementations to choose from, such as NLNetLabs' Routinator_ +(written in Rust), Cloudflare's GoRTR_ and OctoRPKI_ (written in Go), and +RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described +in :rfc:`8210`. + +.. tip:: + If you are new to these routing security technologies then there is an + `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed + very quickly. Their documentation explains everything from what RPKI is to + deploying it in production (albeit with a focus on using NLnet Labs' + tools). It also has some `help and operational guidance`_ including + "What can I do about my route having an Invalid state?" + +First you will need to deploy an RPKI validator for your routers to use. The +RIPE NCC helpfully provide `some instructions`_ to get you started with +several different options. Once your server is running you can start +validating announcements. + +Imported prefixes during the validation may have values: + + valid + The prefix and ASN that originated it match a signed ROA. 
These are + probably trustworthy route announcements. + + invalid + The prefix or prefix length and ASN that originated it doesn't + match any existing ROA. This could be the result of a prefix hijack, or + merely a misconfiguration, but should probably be treated as + untrustworthy route announcements. + + notfound + No ROA exists which covers that prefix. Unfortunately this is the case + for about 80% of the IPv4 prefixes which were announced to the :abbr:`DFZ + (default-free zone)` at the start of 2020 (see more detail in + NLnet Labs' `RPKI analytics`_). + +.. note:: + If you are responsible for the global addresses assigned to your + network, please make sure that your prefixes have ROAs associated with them + to avoid being `notfound` by RPKI. For most ASNs this will involve + publishing ROAs via your :abbr:`RIR (Regional Internet Registry)` (RIPE + NCC, APNIC, ARIN, LACNIC or AFRINIC), and is something you are encouraged + to do whenever you plan to announce addresses into the DFZ. + + Particularly large networks may wish to run their own RPKI certificate + authority and publication server instead of publishing ROAs via their RIR. + This is a subject far beyond the scope of VyOS' documentation. Consider + reading about Krill_ if this is a rabbit hole you need or especially want + to dive down. + +We can build route-maps for import based on these states. Here is a simple +RPKI configuration, where `routinator` is the RPKI-validating "cache" +server with ip `192.0.2.1`: + +.. code-block:: none + + set protocols rpki cache routinator address '192.0.2.1' + set protocols rpki cache routinator port '3323' + +Here is an example route-map to apply to routes learned at import. In this +filter we reject prefixes with the state `invalid`, and set a higher +`local-preference` if the prefix is RPKI `valid` rather than merely +`notfound`. + +.. 
code-block:: none + + set policy route-map ROUTES-IN rule 10 action 'permit' + set policy route-map ROUTES-IN rule 10 match rpki 'valid' + set policy route-map ROUTES-IN rule 10 set local-preference '300' + set policy route-map ROUTES-IN rule 20 action 'permit' + set policy route-map ROUTES-IN rule 20 match rpki 'notfound' + set policy route-map ROUTES-IN rule 20 set local-preference '125' + set policy route-map ROUTES-IN rule 30 action 'deny' + set policy route-map ROUTES-IN rule 30 match rpki 'invalid' + +Once your routers are configured to reject RPKI-invalid prefixes, you can +test whether the configuration is working correctly using the `RIPE Labs RPKI +Test`_ experimental tool. + +.. _tweet by EvilMog: https://twitter.com/Evil_Mog/status/1230924170508169216 +.. _Routinator: https://www.nlnetlabs.nl/projects/rpki/routinator/ +.. _GoRTR: https://github.com/cloudflare/gortr +.. _OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki +.. _Validator: https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources +.. _some instructions: https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an-rpki-validator +.. _Krill: https://www.nlnetlabs.nl/projects/rpki/krill/ +.. _RPKI analytics: https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/ +.. _RIPE Labs RPKI Test: https://sg-pub.ripe.net/jasper/rpki-web-test/ +.. _excellent guide to RPKI: https://rpki.readthedocs.io/ +.. _help and operational guidance: https://rpki.readthedocs.io/en/latest/about/help.html diff --git a/docs/configuration/protocols/static.rst b/docs/configuration/protocols/static.rst new file mode 100644 index 00000000..fbde8228 --- /dev/null +++ b/docs/configuration/protocols/static.rst 
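Review bot: the `ROUTES-IN` route-map in this hunk is introduced as "an example route-map to apply to routes learned at import", but the hunk never shows the line that applies it to a BGP neighbor, so the example is incomplete as a working configuration; add the neighbor `route-map import ROUTES-IN` line (or say where the reader should attach it). It is also worth spelling out that rule 30 (`deny` on `invalid`) is the only explicit deny and that anything not matching rules 10, 20 or 30 falls through to the route-map's implicit deny, since readers who later add a state or condition will otherwise be surprised by dropped prefixes. The RTR configuration (`cache routinator address '192.0.2.1'`, `port '3323'`) should carry a sentence on where the validator should sit, because the router is trusting whatever answers on that address and port for its origin validation decisions; at minimum recommend a management network the router reaches directly rather than across the Internet. Typos: "Autonomus System Number" should be "Autonomous", the "Validator" link target is referenced as `RPKI Validator_` in the text (with the hyperlink only on the second word), and "doesn't match" in the `invalid` definition should be "do not match" since the subject is plural.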
@@ -0,0 +1,195 @@ +.. _static-routing: + +###### +Static +###### + +Static routes are manually configured routes, which, in general, cannot be +updated dynamically from information VyOS learns about the network topology from +other routing protocols. However, if a link fails, the router will remove +routes, including static routes, from the :abbr:`RIPB (Routing Information +Base)` that used this interface to reach the next hop. In general, static +routes should only be used for very simple network topologies, or to override +the behavior of a dynamic routing protocol for a small number of routes. The +collection of all routes the router has learned from its configuration or from +its dynamic routing protocols is stored in the RIB. Unicast routes are directly +used to determine the forwarding table used for unicast packet forwarding. + +Static Routes +############# + +.. cfgcmd:: set protocols static route next-hop
+ + Configure next-hop `
` for an IPv4 static route. Multiple static + routes can be created. + +.. cfgcmd:: set protocols static route next-hop
disable + + Disable this IPv4 static route entry. + +.. cfgcmd:: set protocols static route next-hop
distance + + Defines next-hop distance for this route, routes with smaller administrative + distance are elected prior those with a higher distance. + + Range is 1 to 255, default is 1. + + .. note:: Routes with a distance of 255 are effectively disabled and not + installed into the kernel. + +.. cfgcmd:: set protocols static route6 next-hop
+ + Configure next-hop `
` for an IPv6 static route. Multiple static + routes can be created. + +.. cfgcmd:: set protocols static route6 next-hop
disable + + Disable this IPv6 static route entry. + +.. cfgcmd:: set protocols static route6 next-hop
distance + + Defines next-hop distance for this route, routes with smaller administrative + distance are elected prior those with a higher distance. + + Range is 1 to 255, default is 1. + + .. note:: Routes with a distance of 255 are effectively disabled and not + installed into the kernel. + + +Interface Routes +================ + +.. cfgcmd:: set protocols static interface-route next-hop-interface + + Allows you to configure the next-hop interface for an interface-based IPv4 + static route. `` will be the next-hop interface where trafic is + routed for the given ``. + +.. cfgcmd:: set protocols static interface-route next-hop-interface disable + + Disables interface-based IPv4 static route. + +.. cfgcmd:: set protocols static interface-route next-hop-interface distance + + Defines next-hop distance for this route, routes with smaller administrative + distance are elected prior those with a higher distance. + + Range is 1 to 255, default is 1. + +.. cfgcmd:: set protocols static interface-route6 next-hop-interface + + Allows you to configure the next-hop interface for an interface-based IPv6 + static route. `` will be the next-hop interface where trafic is + routed for the given ``. + +.. cfgcmd:: set protocols static interface-route6 next-hop-interface disable + + Disables interface-based IPv6 static route. + +.. cfgcmd:: set protocols static interface-route6 next-hop-interface distance + + Defines next-hop distance for this route, routes with smaller administrative + distance are elected prior those with a higher distance. + + Range is 1 to 255, default is 1. + + +Blackhole +========= + +.. cfgcmd:: set protocols static route blackhole + + Use this command to configure a "black-hole" route on the router. A + black-hole route is a route for which the system silently discard packets + that are matched. This prevents networks leaking out public interfaces, but + it does not prevent them from being used as a more specific route inside your + network. + +.. 
cfgcmd:: set protocols static route blackhole distance + + Defines blackhole distance for this route, routes with smaller administrative + distance are elected prior those with a higher distance. + +.. cfgcmd:: set protocols static route6 blackhole + + Use this command to configure a "black-hole" route on the router. A + black-hole route is a route for which the system silently discard packets + that are matched. This prevents networks leaking out public interfaces, but + it does not prevent them from being used as a more specific route inside your + network. + +.. cfgcmd:: set protocols static route6 blackhole distance + + Defines blackhole distance for this route, routes with smaller administrative + distance are elected prior those with a higher distance. + + +Alternate Routing Tables +======================== + +TBD + +Alternate routing tables are used with policy based routing of by utilizing +:ref:`vrf`. + + +.. _routing-arp: + +### +ARP +### + +:abbr:`ARP (Address Resolution Protocol)` is a communication protocol used for +discovering the link layer address, such as a MAC address, associated with a +given internet layer address, typically an IPv4 address. This mapping is a +critical function in the Internet protocol suite. ARP was defined in 1982 by +:rfc:`826` which is Internet Standard STD 37. + +In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is +provided by the Neighbor Discovery Protocol (NDP). + +To manipulate or display ARP_ table entries, the following commands are +implemented. + +Configure +========= + +.. cfgcmd:: set protocols static arp
hwaddr + + This will configure a static ARP entry always resolving `
` to + ``. + + Example: + + .. code-block:: none + + set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa + +Operation +========= + +.. opcmd:: show protocols static arp + + Display all known ARP table entries spanning across all interfaces + +.. code-block:: none + + vyos@vyos:~$ show protocols static arp + Address HWtype HWaddress Flags Mask Iface + 10.1.1.1 ether 00:53:00:de:23:2e C eth1 + 10.1.1.100 ether 00:53:00:de:23:aa CM eth1 + + +.. opcmd:: show protocols static arp interface eth1 + + Display all known ARP table entries on a given interface only (`eth1`): + +.. code-block:: none + + vyos@vyos:~$ show protocols static arp interface eth1 + Address HWtype HWaddress Flags Mask Iface + 10.1.1.1 ether 00:53:00:de:23:2e C eth1 + 10.1.1.100 ether 00:53:00:de:23:aa CM eth1 + +.. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol diff --git a/docs/configuration/protocols/vrf.rst b/docs/configuration/protocols/vrf.rst new file mode 100644 index 00000000..e7609a77 --- /dev/null +++ b/docs/configuration/protocols/vrf.rst @@ -0,0 +1,3 @@ +############# +Protocols VRF +############# diff --git a/docs/configuration/service/broadcast-relay.rst b/docs/configuration/service/broadcast-relay.rst new file mode 100644 index 00000000..df48bfd6 --- /dev/null +++ b/docs/configuration/service/broadcast-relay.rst 
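Review bot: the static-routing introduction in this hunk abbreviates "Routing Information Base" as `RIPB`, while the rest of the paragraph uses `RIB`; the abbreviation should be `:abbr:\`RIB (Routing Information Base)\``. The two blackhole `distance` commands omit the "Range is 1 to 255, default is 1." line and the note that distance 255 disables the route, which every other `distance` entry in this file carries; keep them consistent. The "Alternate Routing Tables" section is a `TBD` followed by the fragment "Alternate routing tables are used with policy based routing of by utilizing :ref:`vrf`", which needs to be either completed or dropped until the content exists. Spelling: "trafic" appears twice in the interface-route descriptions. In the ARP section the example `set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa` correctly uses documentation ranges for both the IP and the MAC, but the operational output below it uses `10.1.1.x` with different MACs; using the same addresses in both would let readers verify that the static entry is the one shown with the `M` flag.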
@@ -0,0 +1,61 @@ +.. _udp_broadcast_relay: + +################### +UDP Broadcast Relay +################### + +Certain vendors use broadcasts to identify their equipment within one ethernet +segment. Unfortunately if you split your network with multiple VLANs you loose +the ability of identifying your equipment. + +This is where "UDP broadcast relay" comes into play! It will forward received +broadcasts to other configured networks. + +Every UDP port which will be forward requires one unique ID. Currently we +support 99 IDs! + +Configuration +------------- + +.. cfgcmd:: set service broadcast-relay id description + + A description can be added for each and every unique relay ID. This is + useful to distinguish between multiple different ports/appliactions. + +.. cfgcmd:: set service broadcast-relay id interface + + The interface used to receive and relay individual broadcast packets. If you + want to receive/relay packets on both `eth1` and `eth2` both interfaces need + to be added. + +.. cfgcmd:: set service broadcast-relay id port + + The UDP port number used by your apllication. It is mandatory for this kind + of operation. + +.. cfgcmd:: set service broadcast-relay id disable + + Each broadcast relay instance can be individually disabled without deleting + the configured node by using the following command: + +.. cfgcmd:: set service broadcast-relay disable + + In addition you can also disable the whole service without the need to remove + it from the current configuration. + +.. note:: You can run the UDP broadcast relay service on multiple routers + connected to a subnet. There is **NO** UDP broadcast relay packet storm! + +Example +------- + +To forward all broadcast packets received on `UDP port 1900` on `eth3`, `eth4` +or `eth5` to all other interfaces in this configuration. + +.. 
code-block:: none + + set service broadcast-relay id 1 description 'SONOS' + set service broadcast-relay id 1 interface 'eth3' + set service broadcast-relay id 1 interface 'eth4' + set service broadcast-relay id 1 interface 'eth5' + set service broadcast-relay id 1 port '1900' diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst new file mode 100644 index 00000000..55cd088e --- /dev/null +++ b/docs/configuration/service/conntrack-sync.rst 
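Review bot: the description of `set service broadcast-relay id disable` in this hunk ends with "by using the following command:", but the command it refers to is the directive itself and the next entry is the unrelated service-wide `set service broadcast-relay disable`; reword it to "Each broadcast relay instance can be individually disabled without deleting the configured node." The introduction should also state plainly that every interface listed under an ID receives the broadcasts that arrive on any of the others, since that is what the example ("forward all broadcast packets received on UDP port 1900 on eth3, eth4 or eth5 to all other interfaces in this configuration") relies on and it is the reason to keep the interface list to the VLANs that genuinely need the discovery traffic. Spelling and grammar: "loose the ability" should be "lose the ability", "appliactions" and "apllication" should be "applications"/"application", and "Every UDP port which will be forward requires" should be "Every UDP port that is forwarded requires".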
@@ -0,0 +1,200 @@ +.. include:: /_include/need_improvement.txt + +Conntrack +--------- + +One of the important features built on top of the Netfilter framework is +connection tracking. Connection tracking allows the kernel to keep track of all +logical network connections or sessions, and thereby relate all of the packets +which may make up that connection. NAT relies on this information to translate +all related packets in the same way, and iptables can use this information to +act as a stateful firewall. + +The connection state however is completely independent of any upper-level +state, such as TCP's or SCTP's state. Part of the reason for this is that when +merely forwarding packets, i.e. no local delivery, the TCP engine may not +necessarily be invoked at all. Even connectionless-mode transmissions such as +UDP, IPsec (AH/ESP), GRE and other tunneling protocols have, at least, a pseudo +connection state. The heuristic for such protocols is often based upon a preset +timeout value for inactivity, after whose expiration a Netfilter connection is +dropped. + +Each Netfilter connection is uniquely identified by a (layer-3 protocol, source +address, destination address, layer-4 protocol, layer-4 key) tuple. The layer-4 +key depends on the transport protocol; for TCP/UDP it is the port numbers, for +tunnels it can be their tunnel ID, but otherwise is just zero, as if it were +not part of the tuple. To be able to inspect the TCP port in all cases, packets +will be mandatorily defragmented. + +It is possible to use either Multicast or Unicast to sync conntrack traffic. +Most examples below show Multicast, but unicast can be specified by using the +"peer" keywork after the specificed interface, as in the following example: + +set service conntrack-sync interface eth0 peer 192.168.0.250 + +Configuration +^^^^^^^^^^^^^ + +.. 
code-block:: none + + # Protocols only for which local conntrack entries will be synced (tcp, udp, icmp, sctp) + set service conntrack-sync accept-protocol + + # Queue size for listening to local conntrack events (in MB) + set service conntrack-sync event-listen-queue-size + + # Protocol for which expect entries need to be synchronized. (all, ftp, h323, nfs, sip, sqlnet) + set service conntrack-sync expect-sync + + # Failover mechanism to use for conntrack-sync [REQUIRED] + set service conntrack-sync failover-mechanism + + set service conntrack-sync cluster group + set service conntrack-sync vrrp sync-group <1-255> + + # IP addresses for which local conntrack entries will not be synced + set service conntrack-sync ignore-address ipv4 + + # Interface to use for syncing conntrack entries [REQUIRED] + set service conntrack-sync interface + + # Multicast group to use for syncing conntrack entries + set service conntrack-sync mcast-group + + # Peer to send Unicast UDP conntrack sync entires to, if not using Multicast above + set service conntrack-sync interface peer + + # Queue size for syncing conntrack entries (in MB) + set service conntrack-sync sync-queue-size + +Example +^^^^^^^ +The next example is a simple configuration of conntrack-sync. + + +.. figure:: /_static/images/service_conntrack_sync-schema.png + :scale: 60 % + :alt: Conntrack Sync Example + + Conntrack Sync Example + +First of all, make sure conntrack is enabled by running + +.. code-block:: none + + show conntrack table ipv4 + +If the table is empty and you have a warning message, it means conntrack is not +enabled. To enable conntrack, just create a NAT or a firewall rule. + +.. code-block:: none + + set firewall state-policy established action accept + +You now should have a conntrack table + +.. 
code-block:: none + + $ show conntrack table ipv4 + TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, + FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK, + TW - TIME WAIT, CL - CLOSE, LI - LISTEN + + CONN ID Source Destination Protocol TIMEOUT + 1015736576 10.35.100.87:58172 172.31.20.12:22 tcp [6] ES 430279 + 1006235648 10.35.101.221:57483 172.31.120.21:22 tcp [6] ES 413310 + 1006237088 10.100.68.100 172.31.120.21 icmp [1] 29 + 1015734848 10.35.100.87:56282 172.31.20.12:22 tcp [6] ES 300 + 1015734272 172.31.20.12:60286 239.10.10.14:694 udp [17] 29 + 1006239392 10.35.101.221 172.31.120.21 icmp [1] 29 + +Now configure conntrack-sync service on ``router1`` **and** ``router2`` + +.. code-block:: none + + set service conntrack-sync accept-protocol 'tcp,udp,icmp' + set service conntrack-sync event-listen-queue-size '8' + set service conntrack-sync failover-mechanism cluster group 'GROUP' + set service conntrack-sync interface 'eth0' + set service conntrack-sync mcast-group '225.0.0.50' + set service conntrack-sync sync-queue-size '8' + +If you are using VRRP, you need to define a VRRP sync-group, and use ``vrrp sync-group`` instead of ``cluster group``. + +.. code-block:: none + + set high-availablilty vrrp group internal virtual-address ... etc ... + set high-availability vrrp sync-group syncgrp member 'internal' + set service conntrack-sync failover-mechanism vrrp sync-group 'syncgrp' + + +On the active router, you should have information in the internal-cache of +conntrack-sync. The same current active connections number should be shown in +the external-cache of the standby router + +On active router run: + +.. 
code-block:: none + + $ show conntrack-sync statistics + + Main Table Statistics: + + cache internal: + current active connections: 10 + connections created: 8517 failed: 0 + connections updated: 127 failed: 0 + connections destroyed: 8507 failed: 0 + + cache external: + current active connections: 0 + connections created: 0 failed: 0 + connections updated: 0 failed: 0 + connections destroyed: 0 failed: 0 + + traffic processed: + 0 Bytes 0 Pckts + + multicast traffic (active device=eth0): + 868780 Bytes sent 224136 Bytes recv + 20595 Pckts sent 14034 Pckts recv + 0 Error send 0 Error recv + + message tracking: + 0 Malformed msgs 0 Lost msgs + + + +On standby router run: + + +.. code-block:: none + + + $ show conntrack-sync statistics + + Main Table Statistics: + + cache internal: + current active connections: 0 + connections created: 0 failed: 0 + connections updated: 0 failed: 0 + connections destroyed: 0 failed: 0 + + cache external: + current active connections: 10 + connections created: 888 failed: 0 + connections updated: 134 failed: 0 + connections destroyed: 878 failed: 0 + + traffic processed: + 0 Bytes 0 Pckts + + multicast traffic (active device=eth0): + 234184 Bytes sent 907504 Bytes recv + 14663 Pckts sent 21495 Pckts recv + 0 Error send 0 Error recv + + message tracking: + 0 Malformed msgs 0 Lost msgs + diff --git a/docs/configuration/service/console-server.rst b/docs/configuration/service/console-server.rst new file mode 100644 index 00000000..cf222544 --- /dev/null +++ b/docs/configuration/service/console-server.rst 
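Review bot: the VRRP example in this hunk contains `set high-availablilty vrrp group internal virtual-address ... etc ...`; the node is `high-availability` (spelled correctly on the very next line), so the first line will fail to commit if copied. The unicast example `set service conntrack-sync interface eth0 peer 192.168.0.250` is written as bare paragraph text rather than inside a `code-block:: none`, and the preceding sentence has two typos ("keywork" should be "keyword", "specificed" should be "specified"; "entires" in the configuration comment should be "entries"). The example sends the state table as multicast on `eth0` to group `225.0.0.50`; the text should say that this traffic should be confined to a dedicated link or VLAN between the two routers, since the replicated entries expose every active connection on the firewall to anything on that segment. Finally, "show conntrack table ipv4" is presented as the check that conntrack is enabled and `set firewall state-policy established action accept` as the way to enable it; say that any NAT or firewall rule will do, as the sentence before it already implies, so readers do not assume this specific rule is required.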
@@ -0,0 +1,107 @@ +.. _console_server: + +############## +Console Server +############## + +Starting of with VyOS 1.3 (equuleus) we added support for running VyOS as an +Out-of-Band Management device which provides remote access by means of SSH to +directly attached serial interfaces. + +Serial interfaces can be any interface which is directly connected to the CPU +or chipset (mostly known as a ttyS interface in Linux) or any other USB to +serial converter (Prolific PL2303 or FTDI FT232/FT4232 based chips). + +If you happened to use a Cisco NM-16A - Sixteen Port Async Network Module or +NM-32A - Thirty-two Port Async Network Module - this is your VyOS replacement. + +For USB port information please refor to: :ref:`hardware_usb`. + +Configuration +============= + +Between computers, the most common configuration used was "8N1": eight bit +characters, with one start bit, one stop bit, and no parity bit. Thus 10 Baud +times are used to send a single character, and so dividing the signalling +bit-rate by ten results in the overall transmission speed in characters per +second. This is also the default setting if none of those options are defined. + +.. cfgcmd:: set service console-server data-bits [7 | 8] + + Configure either seven or eight data bits. This defaults to eight data + bits if left unconfigured. + +.. cfgcmd:: set service console-server description + + A user friendly description identifying the connected peripheral. + +.. cfgcmd:: set service console-server parity [even | odd | none] + + Set the parity option for the console. If unset this will default to none. + +.. cfgcmd:: set service console-server stop-bits [1 | 2] + + Configure either one or two stop bits. This defaults to one stop bits if + left unconfigured. + +.. cfgcmd:: set service console-server speed [ 300 | 1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200 ] + + .. 
note:: USB to serial converters will handle most of their work in software + so you should be carefull with the selected baudrate as some times they + can't cope with the expected speed. + +Remote Access +------------- + +Each individual configured console-server device can be directly exposed to +the outside world. A user can directly connect via SSH to the configured +port. + +.. cfgcmd:: set service console-server ssh port + + Accept SSH connections for the given `` on TCP port ``. + After successfull authentication the user will be directly dropped to + the connected serial device. + + .. hint:: Multiple users can connect to the same serial device but only + one is allowed to write to the console port. + +Operation +========= + +.. opcmd:: show console-server ports + + Show configured serial ports and their respective interface configuration. + + .. code-block:: none + + vyos@vyos:~$ show console-server ports + usb0b2.4p1.0 on /dev/serial/by-bus/usb0b2.4p1.0@ at 9600n + +.. opcmd:: show console-server user + + Show currently connected users. + + .. code-block:: none + + vyos@vyos:~$ show console-server user + usb0b2.4p1.0 up vyos@localhost + + +.. opcmd:: connect console-server + + Locally connect to serial port identified by ``. + + .. code-block:: none + + vyos@vyos-r1:~$ connect console-server usb0b2.4p1.0 + [Enter `^Ec?' for help] + [-- MOTD -- VyOS Console Server] + + vyos-r2 login: + + .. hint:: Multiple users can connect to the same serial device but only + one is allowed to write to the console port. + + .. hint:: The sequence ``^Ec?`` translates to: ``Ctrl+E c ?``. To quit + the session use: ``Ctrl+E c .`` diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst new file mode 100644 index 00000000..445519b3 --- /dev/null +++ b/docs/configuration/service/dhcp-relay.rst @@ -0,0 +1,2 @@ +dhcp-relay +########## \ No newline at end of file 
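Review bot: the "Remote Access" section of this hunk says each console-server device "can be directly exposed to the outside world" via `set service console-server ssh port`, but it does not say which credentials are accepted for that SSH listener, whether it is the same user database and key material as the system's management SSH, or that the port is subject to the firewall's `local` policy; these are the questions an operator will ask before exposing a serial console, so please add them. The `speed` entry has no description sentence at all before its note, unlike every other `cfgcmd` here; a line such as "Configure the serial line rate in baud" would match the rest. Spelling and grammar: "Starting of with" should be "Starting off with", "refor" should be "refer", "carefull" should be "careful", "some times" should be "sometimes", "successfull" should be "successful", and "one stop bits" should be "one stop bit". The hint about multiple users sharing one device is duplicated under both the `ssh port` command and `connect console-server`; keeping it once is enough.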
diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst new file mode 100644 index 00000000..56316793 --- /dev/null +++ b/docs/configuration/service/dhcp-server.rst @@ -0,0 +1,776 @@ +.. _dhcp: + +############# +DHCP / DHCPv6 +############# + +VyOS uses ISC DHCPd for both IPv4 and IPv6 address assignment. + +.. _dhcp-server: + +DHCP Server +=========== + +The network topology is declared by shared-network-name and the subnet +declarations. The DHCP service can serve multiple shared networks, with each +shared network having 1 or more subnets. Each subnet must be present on an +interface. A range can be declared inside a subnet to define a pool of dynamic +addresses. Multiple ranges can be defined and can contain holes. Static +mappings can be set to assign "static" addresses to clients based on their MAC +address. + +Configuration +------------- + +.. cfgcmd:: set service dhcp-server shared-network-name authoritative + + This says that this device is the only DHCP server for this network. If other + devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to + any device trying to request an IP address that is not valid for this + network. + +.. cfgcmd:: set service dhcp-server shared-network-name subnet default-router
+ + This is a configuration parameter for the ``, saying that as part of + the response, tell the client that the default gateway can be reached at + `
`. + +.. cfgcmd:: set service dhcp-server shared-network-name subnet dns-server
+ + This is a configuration parameter for the subnet, saying that as part of the + response, tell the client that the DNS server can be found at `
`. + + Multiple DNS servers can be defined. + +.. cfgcmd:: set service dhcp-server shared-network-name subnet lease
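Review bot: the `authoritative` description in this hunk should make the consequence explicit: when set, this server will answer DHCPNAK to any request for an address it does not consider valid for the network, which is correct only when it really is the sole DHCP server on that segment; if another server (for example a vendor appliance or a temporary one) is also leasing addresses, clients will have valid leases rejected. A sentence along the lines of "Only enable this when no other DHCP server is present on the shared network" would keep readers from enabling it by default. The `default-router` and `dns-server` entries describe the value as being told to the client "as part of the response"; it would be clearer to say these are DHCP options in the offer and that `dns-server` entries are sent in the order they are defined, so the reader knows how to control the client's resolver preference.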