From e1b2a017fdca013fa4aa7e16e5c56cef8d845ba3 Mon Sep 17 00:00:00 2001
From: aapostoliuk
Date: Mon, 4 Jul 2022 09:59:33 -0400
Subject: event handler: T3083: Created documentation for the new Event Handler Created documentation for the new Event Handler module
---
docs/configuration/system/eventhandler.rst | 51 ------------------------------
docs/configuration/system/index.rst | 1 -
2 files changed, 52 deletions(-)
delete mode 100644 docs/configuration/system/eventhandler.rst
(limited to 'docs/configuration/system')
diff --git a/docs/configuration/system/eventhandler.rst b/docs/configuration/system/eventhandler.rst
deleted file mode 100644
index 3eab4e2c..00000000
--- a/docs/configuration/system/eventhandler.rst
+++ /dev/null
@@ -1,51 +0,0 @@
-.. _event-handler:
-
-Event Handler
--------------
-
-Event handler allows you to execute scripts when a string that matches a regex
-appears in a text stream (e.g. log file).
-
-It uses "feeds" (output of commands, or a named pipes) and "policies" that
-define what to execute if a regex is matched.
-
-.. code-block:: none
-
- system
- event-handler
- feed
- description
- policy
- source
- preset
- syslog # Use the syslog logs for feed
- custom
- command # E.g. "tail -f /var/log/somelogfile"
- named-pipe
- policy
- description
- event
- description
- pattern
- run
-
-In this small example a script runs every time a login failed and an interface
-goes down
-
-.. code-block:: none
-
- vyos@vyos# show system event-handler
- feed Syslog {
- policy MyPolicy
- source {
- preset syslog
- }
- }
- policy MyPolicy {
- description "Test policy"
- event BadThingsHappened {
- pattern "authentication failure"
- pattern "interface \.* index \d+ .* DOWN.*"
- run /config/scripts/email-to-admin
- }
- }
\ No newline at end of file
diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst
index 9b4bf2e3..5a6cb7b1 100644
--- a/docs/configuration/system/index.rst
+++ b/docs/configuration/system/index.rst
@@ -29,4 +29,3 @@ System :includehidden: default-route
- eventhandler
--
cgit v1.2.3
From 44b2e417141b0f4282b1b758267cd0ce77f6425c Mon Sep 17 00:00:00 2001
From: rebortg
Date: Mon, 4 Jul 2022 19:18:35 +0200
Subject: add QAT documentation
---
docs/configuration/system/acceleration.rst | 146 +++++++++++++++++++++++++++++
docs/configuration/system/index.rst | 1 +
2 files changed, 147 insertions(+)
create mode 100644 docs/configuration/system/acceleration.rst
(limited to 'docs/configuration/system')
diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst
new file mode 100644
index 00000000..4c595022
--- /dev/null
+++ b/docs/configuration/system/acceleration.rst
@@ -0,0 +1,146 @@
+.. _acceleration:
+
+############
+Acceleration
+############
+
+In this command tree, all hardware acceleration options will be handled.
+At the moment only `Intel® QAT`_ is supported
+
+**********
+Intel® QAT
+**********
+
+.. opcmd:: show system acceleration qat
+
+ use this command to check if there is an Intel® QAT supported Processor in
+ your system.
+
+ .. code-block::
+
+ vyos@vyos:~$ show system acceleration qat
+ 01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11)
+
+ if there is non device the command will show ```No QAT device found```
+
+.. cfgcmd:: set system acceleration qat
+
+ if there is a supported device, enable Intel® QAT
+
+.. opcmd:: show system acceleration qat status
+
+ Check if the Intel® QAT device is up and ready to do the job.
+
+ .. code-block::
+
+ vyos@vyos:~$ show system acceleration qat status
+ Checking status of all devices.
+ There is 1 QAT acceleration device(s) in the system:
+ qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up
+
+Operation Mode
+==============
+
+.. opcmd:: show system acceleration qat device config
+
+ Show the full config uploaded to the QAT device.
+
+.. opcmd:: show system acceleration qat device flows
+
+ Get an overview over the encryption counters.
+
+.. opcmd:: show system acceleration qat interrupts
+
+ Show binded qat device interrupts to certain core.
+
+
+Example
+=======
+
+Let's build a simple VPN between 2 Intel® QAT ready devices.
+
+Side A:
+
+.. code-block::
+
+ set interfaces vti vti1 address '192.168.1.2/24'
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+ set vpn ipsec ipsec-interfaces interface 'eth0'
+ set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123'
+ set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup'
+ set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup'
+ set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2'
+ set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1'
+
+Side B:
+
+.. code-block::
+
+ set interfaces vti vti1 address '192.168.1.1/24'
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+ set vpn ipsec ipsec-interfaces interface 'eth0'
+ set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123'
+ set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup'
+ set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup'
+ set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1'
+ set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1'
+
+a bandwidth test over the VPN got these results:
+
+.. code-block::
+
+ Connecting to host 192.168.1.2, port 5201
+ [ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201
+ [ ID] Interval Transfer Bitrate Retr Cwnd
+ [ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes
+ [ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes
+ [ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes
+ [ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes
+ [ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes
+ [ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
+ [ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes
+ [ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
+ [ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes
+ [ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes
+ - - - - - - - - - - - - - - - - - - - - - - - - -
+ [ ID] Interval Transfer Bitrate Retr
+ [ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender
+ [ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver
+
+with :cfgcmd:`set system acceleration qat` on both systems the bandwidth
+increases.
+
+.. code-block::
+
+ Connecting to host 192.168.1.2, port 5201
+ [ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201
+ [ ID] Interval Transfer Bitrate Retr Cwnd
+ [ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes
+ [ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes
+ [ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes
+ [ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes
+ [ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes
+ [ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes
+ [ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes
+ [ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes
+ [ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes
+ [ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes
+ - - - - - - - - - - - - - - - - - - - - - - - - -
+ [ ID] Interval Transfer Bitrate Retr
+ [ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender
+ [ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver
+
+
+.. _`Intel® QAT`: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html
\ No newline at end of file
diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst
index 9b4bf2e3..9791ddb1 100644
--- a/docs/configuration/system/index.rst
+++ b/docs/configuration/system/index.rst
@@ -7,6 +7,7 @@ System :maxdepth: 1 :includehidden:
+ acceleration
 conntrack console flow-accounting
--
cgit v1.2.3
From a04df9e0c61fee87f297972db17fee93878016de Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Tue, 5 Jul 2022 12:23:39 +0200
Subject: ipv6: adjust BGP neighbor reset command
---
docs/configuration/system/ipv6.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'docs/configuration/system')
diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst
index 19016e7b..0b9f9cc8 100644
--- a/docs/configuration/system/ipv6.rst
+++ b/docs/configuration/system/ipv6.rst
@@ -160,7 +160,7 @@ Show commands Reset commands ^^^^^^^^^^^^^^
-.. opcmd:: reset ipv6 bgp
+.. opcmd:: reset bgp ipv6
Use this command to clear Border Gateway Protocol statistics or status.
--
cgit v1.2.3
From 2fadd2febf36b867d1b6d66a1cf5d09a5f4219f2 Mon Sep 17 00:00:00 2001
From: Yuxiang Zhu
Date: Tue, 12 Jul 2022 22:55:43 +0800
Subject: Add directed broadcast forwarding documentation
---
docs/_include/interface-ip.txt | 18 +++++++++++++++++-
docs/configuration/system/ip.rst | 11 ++++++++++-
2 files changed, 27 insertions(+), 2 deletions(-)
(limited to 'docs/configuration/system')
diff --git a/docs/_include/interface-ip.txt b/docs/_include/interface-ip.txt
index 75441040..4164985b 100644
--- a/docs/_include/interface-ip.txt
+++ b/docs/_include/interface-ip.txt
@@ -19,7 +19,7 @@ {{ var5 }} {{ var6 }} ip arp-cache-timeout Once a neighbor has been found, the entry is considered to be valid for at
- least for this specifc time. An entry's validity will be extended if it
+ least for this specific time. An entry's validity will be extended if it
 receives positive feedback from higher level protocols. This defaults to 30 seconds.
@@ -63,6 +63,22 @@ set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip disable-forwarding
+.. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }}
+ {{ var5 }} {{ var6 }} ip enable-directed-broadcast
+
+ Define different modes for IP directed broadcast forwarding as described in
+ :rfc:`1812` and :rfc:`2644`.
+
+ If configured, incoming IP directed broadcast packets on this interface will
+ be forwarded.
+
+ If this option is unset (default), incoming IP directed broadcast packets
+ will not be forwarded.
+
+ .. code-block:: none
+
+ set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-directed-broadcast
+
 .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} {{ var5 }} {{ var6 }} ip enable-arp-accept
diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst
index 78aeef4e..f36cf9f5 100644
--- a/docs/configuration/system/ip.rst
+++ b/docs/configuration/system/ip.rst
@@ -9,6 +9,15 @@ System configuration commands Use this command to disable IPv4 forwarding on all interfaces.
+.. cfgcmd:: set system ip disable-directed-broadcast-forwarding
+
+ Use this command to disable IPv4 directed broadcast forwarding on all
+ interfaces.
+
+ If set, IPv4 directed broadcast forwarding will be completely disabled
+ regardless of whether per-interface directed broadcast forwarding is
+ enabled or not.
+
 .. cfgcmd:: set system ip arp table-size Use this command to define the maximum number of entries to keep in
@@ -67,4 +76,4 @@ And the different IPv4 **reset** commands available: bgp Clear Border Gateway Protocol (BGP) statistics or status igmp IGMP clear commands multicast IP multicast routing table
- route Reset IP route
\ No newline at end of file
+ route Reset IP route
--
cgit v1.2.3
From d840ed62580f176c505353c79a89ae839a6fc60f Mon Sep 17 00:00:00 2001
From: Robert Göhler
Date: Tue, 12 Jul 2022 21:14:01 +0200
Subject: disable-directed-broadcast correct command
---
docs/configuration/system/ip.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'docs/configuration/system')
diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst
index f36cf9f5..29f46ae9 100644
--- a/docs/configuration/system/ip.rst
+++ b/docs/configuration/system/ip.rst
@@ -9,7 +9,7 @@ System configuration commands Use this command to disable IPv4 forwarding on all interfaces.
-.. cfgcmd:: set system ip disable-directed-broadcast-forwarding
+.. cfgcmd:: set system ip disable-directed-broadcast
 Use this command to disable IPv4 directed broadcast forwarding on all interfaces.
--
cgit v1.2.3