goodNETnick 2022-07-23 03:52:16 -04:00
commit 8189e1c7b5
49 changed files with 249466 additions and 2902 deletions


@ -1,14 +1,13 @@
'''
generate json with all commands from xml for vyos documentation coverage
'''
import sys
import os
import json
import re
import logging
import datetime
from io import BytesIO
from lxml import etree as ET
@ -33,11 +32,32 @@ input_data = [
}
]
vyos_commands_dir = "_include/coverage"
node_data = {
'cfgcmd': {},
'opcmd': {},
}
def get_vyos_commands():
return_data = None
for (dirpath, dirnames, filenames) in os.walk(vyos_commands_dir):
for file in filenames:
with open(f"{vyos_commands_dir}/{file}") as f:
data = json.load(f)
if not return_data:
return_data = data
# find latestes export
if datetime.datetime.fromisoformat(return_data['date']) < datetime.datetime.fromisoformat(data['date']):
return_data = data
return return_data
def get_properties(p):
props = {}
props['valueless'] = False
@ -378,6 +398,4 @@ def override_element(l: list):
el.getparent().remove(el)
if __name__ == "__main__":
res = get_working_commands()
print(json.dumps(res))
#print(res['cfgcmd'][0])
get_vyos_commands()
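Review bot: The path opened inside `get_vyos_commands` is built from `vyos_commands_dir` rather than the `dirpath` that `os.walk` yields, so any file in a subdirectory of `_include/coverage` raises FileNotFoundError, and any non-JSON file dropped there (an editor backup, a README) aborts the docs build with JSONDecodeError. Use `with open(os.path.join(dirpath, file)) as f:` and skip entries that do not end in `.json` before calling `json.load`. When the directory is empty or missing the function silently returns None, which the Sphinx extension later indexes as `vyoscmd[cli_type]`; raising or logging a clear message here (the `logging` import is new and otherwise unused in the hunk) is preferable to an opaque TypeError during the build. Also, the `__main__` block now calls `get_vyos_commands()` and discards the result, so running the script prints nothing — presumably `print(json.dumps(get_vyos_commands()))` was intended.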


@ -8,7 +8,7 @@ from docutils.parsers.rst import Directive, directives, states
from sphinx.util.docutils import SphinxDirective
from testcoverage import get_working_commands
from testcoverage import get_working_commands, get_vyos_commands
from sphinx.util import logging
@ -28,6 +28,11 @@ def setup(app):
#{"cfgcmd": [], "opcmd": []},
'html'
)
app.add_config_value(
'vyos_commands',
get_vyos_commands(),
'html'
)
app.add_config_value(
'vyos_coverage',
{
@ -550,17 +555,20 @@ def build_row(app, fromdocname, rowdata):
def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
def process_coverage(app, fromdocname, doccmd, xmlcmd, vyoscmd, cli_type):
coverage_list = {}
strip_true_list = []
for cmd in doccmd:
coverage_item = {
'doccmd': None,
'xmlcmd': None,
'vyoscmd': None,
'doccmd_item': None,
'xmlcmd_item': None,
'vyoscmd_item': None,
'indocs': False,
'inxml': False,
'invyos': False,
'xmlfilename': None
}
coverage_item['doccmd'] = cmd['cmd']
@ -576,10 +584,13 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
coverage_item = {
'doccmd': None,
'xmlcmd': None,
'vyoscmd': None,
'doccmd_item': None,
'xmlcmd_item': None,
'vyoscmd_item': None,
'indocs': False,
'inxml': False,
'invyos': False,
'xmlfilename': None
}
coverage_item['xmlcmd'] = cmd['cmd']
@ -592,7 +603,33 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
coverage_list[strip]['xmlcmd_item'] = cmd
coverage_list[strip]['inxml'] = True
coverage_list[strip]['xmlfilename'] = cmd['filename']
strip_true_list.append(strip)
for item in vyoscmd[cli_type]:
cmd = ' '.join(item['cmd'])
strip = strip_cmd(cmd)
if strip not in coverage_list.keys():
coverage_item = {
'doccmd': None,
'xmlcmd': None,
'vyoscmd': None,
'doccmd_item': None,
'xmlcmd_item': None,
'vyoscmd_item': None,
'indocs': False,
'inxml': False,
'invyos': False,
'xmlfilename': None
}
coverage_item['vyoscmd'] = cmd
coverage_item['invyos'] = True
coverage_list[strip] = dict(coverage_item)
else:
coverage_list[strip]['vyoscmd'] = cmd
coverage_list[strip]['invyos'] = True
if coverage_list[strip]['indocs'] and coverage_list[strip]['inxml']:
strip_true_list.append(strip)
strip_true_list = list(set(strip_true_list))
@ -605,11 +642,11 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
table = nodes.table()
tgroup = nodes.tgroup(cols=3)
tgroup = nodes.tgroup(cols=4)
table += tgroup
header = (f'Status {len(strip_true_list)}/{len(coverage_list)}', 'Documentaion', 'XML')
colwidths = (5, 50 , 50)
header = (f'Status {len(strip_true_list)}/{len(coverage_list)}', 'Documentation', 'XML', f'in VyOS {vyoscmd["os"]}')
colwidths = (5, 33 , 33, 33)
table = nodes.table()
tgroup = nodes.tgroup(cols=len(header))
table += tgroup
@ -623,6 +660,7 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
for entry in sorted(coverage_list):
doc_cmd_text = []
doc_xml_text = []
doc_vyos_text = []
if coverage_list[entry]['indocs']:
doc_cmd_text.append(coverage_list[entry]['doccmd_item'])
else:
@ -633,8 +671,14 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
doc_xml_text.append(coverage_list[entry]['xmlcmd'])
else:
doc_xml_text.append('Nothing found in XML Definitions')
if coverage_list[entry]['invyos']:
doc_vyos_text.append(coverage_list[entry]['vyoscmd'])
else:
doc_vyos_text.append('Nothing found in VyOS')
if not coverage_list[entry]['indocs'] or not coverage_list[entry]['inxml']:
if not coverage_list[entry]['indocs'] or not coverage_list[entry]['inxml'] or not coverage_list[entry]['invyos']:
status = False
else:
status = True
@ -643,7 +687,8 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
(
status,
doc_cmd_text,
doc_xml_text
doc_xml_text,
doc_vyos_text
)
)
@ -678,6 +723,7 @@ def process_cmd_nodes(app, doctree, fromdocname):
fromdocname,
env.vyos_cfgcmd,
app.config.vyos_working_commands['cfgcmd'],
app.config.vyos_commands,
'cfgcmd'
)
)
@ -695,6 +741,7 @@ def process_cmd_nodes(app, doctree, fromdocname):
fromdocname,
env.vyos_opcmd,
app.config.vyos_working_commands['opcmd'],
app.config.vyos_commands,
'opcmd'
)
)
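Review bot: The summary in the new `header = (f'Status {len(strip_true_list)}/{len(coverage_list)}', ...)` no longer agrees with the per-row status: a row is marked `status = False` unless `indocs`, `inxml` and `invyos` are all true, but `strip_true_list` is still populated when only the docs and XML sides match, so the counter over-reports coverage. The append added in the VyOS loop should be `if coverage_list[strip]['indocs'] and coverage_list[strip]['inxml'] and coverage_list[strip]['invyos']:`, and the earlier docs/XML append (a context line here, so this is inferred from what is visible) then becomes redundant and should be dropped. Separately, `get_vyos_commands()` can return None, and `vyoscmd["os"]` and `vyoscmd[cli_type]` would then fail with an opaque TypeError deep in the build; guard for None in `setup` or at the top of `process_coverage` with an explicit error naming the coverage directory. As a point of style, `if strip not in coverage_list.keys():` reads better as `if strip not in coverage_list:`. `process_coverage` begins and ends outside the hunks shown.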




@ -19,7 +19,7 @@
{{ var5 }} {{ var6 }} ip arp-cache-timeout
Once a neighbor has been found, the entry is considered to be valid for at
least for this specifc time. An entry's validity will be extended if it
least for this specific time. An entry's validity will be extended if it
receives positive feedback from higher level protocols.
This defaults to 30 seconds.
@ -63,6 +63,22 @@
set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip disable-forwarding
.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
{{ var5 }} {{ var6 }} ip enable-directed-broadcast
Define different modes for IP directed broadcast forwarding as described in
:rfc:`1812` and :rfc:`2644`.
If configured, incoming IP directed broadcast packets on this interface will
be forwarded.
If this option is unset (default), incoming IP directed broadcast packets
will not be forwarded.
.. code-block:: none
set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-directed-broadcast
.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
{{ var5 }} {{ var6 }} ip enable-arp-accept

@ -1 +1 @@
Subproject commit 0640a863255ef8f3d5b9d778fa0b6bff9922087e
Subproject commit e632ed4b5409f955add4dab100bc7fa556606eb1


@ -50,7 +50,7 @@ In VyOS, by default, enables only two modules:
* ``write_files`` - this module allows to insert any files into the filesystem
before the first boot, for example, pre-generated encryption keys,
certificates, or even a whole ``config.boot`` file.
certificates, or even a whole ``config.boot`` file. The format is described in the cloudinit documentation `Cloud-init-write_files`_.
* ``vyos_userdata`` - the module accepts a list of CLI configuration commands in
a ``vyos_config_commands`` section, which gives an easy way to configure the
@ -267,7 +267,7 @@ Most important keys that needs to be considered:
Generate qcow image
-------------------
A VyOS qcow image with cloud-init options is needed. This can be obteined
A VyOS qcow image with cloud-init options is needed. This can be obtained
using `vyos-vm-images`_ repo. After clonning the repo, edit the file
**qemu.yml** and comment the **download-iso** role.
@ -427,5 +427,6 @@ References
.. _vyos-vm-images: https://github.com/vyos/vyos-vm-images
.. _cloud-init-docs: https://docs.vyos.io/en/equuleus/automation/cloud-init.html?highlight=cloud-init#vyos-cloud-init
.. _Cloud-init-Support: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_cloud_init
.. _Cloud-init-write_files: https://cloudinit.readthedocs.io/en/latest/topics/examples.html#writing-out-arbitrary-files
.. start_vyoslinter
.. start_vyoslinter


@ -83,10 +83,10 @@ Here is a simple example:
.. code-block:: python
#!/usr/bin/env python
print "delete firewall group address-group somehosts"
print "set firewall group address-group somehosts address '192.0.2.3'"
print "set firewall group address-group somehosts address '203.0.113.55'"
#!/usr/bin/env python3
print("delete firewall group address-group somehosts")
print("set firewall group address-group somehosts address '192.0.2.3'")
print("set firewall group address-group somehosts address '203.0.113.55'")
.. code-block:: none


@ -125,6 +125,24 @@ For example, get the addresses of a ``dum0`` interface.
"error": null
}
/reset
======
The ``reset`` endpoint run a ``reset`` command.
.. code-block:: none
curl --location --request POST 'https://vyos/reset' \
--form data='{"op": "reset", "path": ["ip", "bgp", "192.0.2.11"]}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'
respone:
{
"success": true,
"data": "",
"error": null
}
/image
======


@ -8,6 +8,116 @@
_ext/releasenotes.py
2022-07-14
==========
* :vytask:`T4491` (bug): Use empty string for internal name of root node of config_tree
2022-07-13
==========
* :vytask:`T1375` (feature): Add clear dhcp server lease function
2022-07-12
==========
* :vytask:`T4527` (bug): Prevent to create VRF name default
* :vytask:`T4084` (default): Dehardcode the default login banner
* :vytask:`T3864` (enhancment): Add Edgecore build to VyOS 1.3 Equuleus
2022-07-09
==========
* :vytask:`T4507` (feature): IPoE-server add multiplier option for shaper
* :vytask:`T4468` (bug): web-proxy source group cannot start with a number bug
* :vytask:`T4373` (feature): PPPoE-server add multiplier option for shaper
2022-07-07
==========
* :vytask:`T4456` (bug): NTP client in VRF tries to bind to interfaces outside VRF, logs many messages
* :vytask:`T4509` (feature): Feature Request: DNS64
2022-07-06
==========
* :vytask:`T4513` (bug): Webproxy monitor commands do not work
2022-07-05
==========
* :vytask:`T4510` (bug): set system static-host-mapping doesn't allow IPv4 and IPv6 for same name.
* :vytask:`T2654` (bug): Multiple names unable to be assigned to the same static mapping
* :vytask:`T2683` (default): no dual stack in system static-host-mapping host-name
2022-07-01
==========
* :vytask:`T4489` (bug): MPLS sysctl not persistent for tunnel interfaces
2022-06-20
==========
* :vytask:`T1856` (feature): Support configuring IPSec SA bytes
2022-06-16
==========
* :vytask:`T3866` (bug): Configs with DNS forwarding listening on OpenVPN interfaces or interfaces without a fixed address cannot be migrated to the new syntax
2022-06-15
==========
* :vytask:`T1890` (feature): Metatask: rewrite flow-accounting to XML and Python
2022-06-09
==========
* :vytask:`T2580` (feature): Support for ip pools for ippoe
2022-06-08
==========
* :vytask:`T4447` (bug): DHCPv6 prefix delegation `sla-id` limited to 128
* :vytask:`T4350` (bug): DMVPN opennhrp spokes dont work behind NAT
2022-05-30
==========
* :vytask:`T4315` (feature): Telegraf - Output to prometheus
2022-05-27
==========
* :vytask:`T4441` (bug): wwan: connection not possible after a change added after 1.3.1-S1 release
2022-05-26
==========
* :vytask:`T4442` (feature): HTTP API add action "reset"
2022-05-25
==========
* :vytask:`T2194` (default): "show firewall" garbled output
2022-05-19
==========
@ -238,12 +348,6 @@
* :vytask:`T4087` (feature): IPsec IKE-group proposals limit of 10 pieces
2022-02-06
==========
* :vytask:`T4228` (bug): bond: OS error thrown when two bonds use the same member
2022-02-05
==========
@ -360,7 +464,7 @@
2021-12-28
==========
* :vytask:`T3380` (bug): Show vpn ike sa with IPv6 remote peer
* :vytask:`T3380` (bug): "show vpn ike sa" does not display IPv6 peers
* :vytask:`T2933` (feature): VRRP add option virtual_ipaddress_excluded
@ -1696,7 +1800,7 @@
2021-02-16
==========
* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.191 / 5.10.113
* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.204 / 5.10.129
2021-02-14


@ -8,6 +8,229 @@
_ext/releasenotes.py
2022-07-17
==========
* :vytask:`T4028` (bug): FRR 8.1 routes not being applied to routing table after reboot if an interface has 2 ip addresses
2022-07-15
==========
* :vytask:`T4494` (bug): Cannot reset BGP peer within VRF
* :vytask:`T4536` (feature): FRR: move to systemd for daemon control
2022-07-14
==========
* :vytask:`T4491` (bug): Use empty string for internal name of root node of config_tree
2022-07-13
==========
* :vytask:`T1375` (feature): Add clear dhcp server lease function
2022-07-12
==========
* :vytask:`T4527` (bug): Prevent to create VRF name default
* :vytask:`T4084` (default): Dehardcode the default login banner
* :vytask:`T3948` (feature): IPSec VPN: Add a new option "none" for the connection-type
* :vytask:`T235` (feature): Ability to configure manual IP Rules
2022-07-10
==========
* :vytask:`T3836` (bug): Setting a default IPv6 route while getting IPv4 gateway via DHCP removes the IPv4 gateway
2022-07-09
==========
* :vytask:`T4507` (feature): IPoE-server add multiplier option for shaper
* :vytask:`T4499` (bug): NAT source translation not showing a single output
* :vytask:`T4468` (bug): web-proxy source group cannot start with a number bug
* :vytask:`T4373` (feature): PPPoE-server add multiplier option for shaper
* :vytask:`T3353` (bug): PPPoE server wrong vlan-range generating config
* :vytask:`T3648` (bug): op-mode: nat rules broken
* :vytask:`T4517` (feature): ip: Add options to enable directed broadcast forwarding
2022-07-07
==========
* :vytask:`T4456` (bug): NTP client in VRF tries to bind to interfaces outside VRF, logs many messages
* :vytask:`T4509` (feature): Feature Request: DNS64
2022-07-06
==========
* :vytask:`T4513` (bug): Webproxy monitor commands do not work
* :vytask:`T4299` (feature): Firewall - GeoIP filtering
2022-07-05
==========
* :vytask:`T4378` (bug): Unable to submit wildcard ("*.example.com") A or AAAA records in dns forwarder
* :vytask:`T2683` (default): no dual stack in system static-host-mapping host-name
* :vytask:`T478` (feature): Firewall address group (multi and nesting)
2022-07-04
==========
* :vytask:`T4501` (bug): Syslog-identifier does not work in event handler
* :vytask:`T3600` (bug): DHCP Interface static route breaks PBR
* :vytask:`T4498` (feature): bridge: Add option to enable/disable IGMP/MLD snooping
2022-07-01
==========
* :vytask:`T2455` (bug): No support for the IPv6 VTI
* :vytask:`T4490` (feature): BGP- warning message that AFI/SAFI is needed to establish the neighborship
* :vytask:`T4489` (bug): MPLS sysctl not persistent for tunnel interfaces
2022-06-29
==========
* :vytask:`T4477` (feature): router-advert: support RDNSS lifetime option
2022-06-28
==========
* :vytask:`T4486` (bug): Container can't be deleted
* :vytask:`T4473` (bug): Use container network without network declaration error
* :vytask:`T4458` (feature): Firewall - add support for matching ip ttl in firewall rules
* :vytask:`T3907` (feature): Firewall - Set log levels
2022-06-27
==========
* :vytask:`T4484` (default): Firewall op-mode summary doesn't correctly handle address group containing ranges
2022-06-25
==========
* :vytask:`T4482` (bug): dhcp: toggle of "dhcp-options no-default-route" has no effect
* :vytask:`T4483` (feature): Upgrade fastnetmon to v1.2.2 community edition
2022-06-22
==========
* :vytask:`T1748` (feature): vbash: beautify tab completion output/line breaks
2022-06-20
==========
* :vytask:`T1856` (feature): Support configuring IPSec SA bytes
2022-06-18
==========
* :vytask:`T4467` (bug): Validator Does Not Accept Signed Numbers
2022-06-17
==========
* :vytask:`T4209` (bug): Firewall incorrect handler for recent count and time
2022-06-16
==========
* :vytask:`T4352` (bug): wan-load balance - priority traffic rule doesn't work
2022-06-15
==========
* :vytask:`T4450` (feature): Route-map - Extend options for ip|ipv6 address match
* :vytask:`T4449` (feature): Route-map - Extend options for ip next-hop match
* :vytask:`T990` (feature): Make DNAT/SNAT a valid state in firewall rules.
2022-06-12
==========
* :vytask:`T4420` (feature): Feature Request: ocserv: show configured 2FA OTP key
* :vytask:`T4380` (default): Feature Request: ocserv: 2FA OTP key generator in VyOS CLI
2022-06-10
==========
* :vytask:`T4365` (bug): NAT - Error on setting up tables
* :vytask:`T4465` (feature): node.def generation misses whitespace on multiple use of <path>
2022-06-09
==========
* :vytask:`T4444` (default): sstp: Feature request. Port number changing support
* :vytask:`T2580` (feature): Support for ip pools for ippoe
2022-06-08
==========
* :vytask:`T4447` (bug): DHCPv6 prefix delegation `sla-id` limited to 128
2022-05-31
==========
* :vytask:`T4212` (default): PermissionError when generating/installing server Certificate (generate pki certificate sign ...)
* :vytask:`T4199` (bug): Commit failed when setting icmpv6 type any
* :vytask:`T4148` (bug): Firewall - Error messages not that clear as it were in old firewall
* :vytask:`T3659` (bug): Configuration won't accept IPv6 addresses for site-to-site VPN tunnel prefixes/traffic selectors
2022-05-30
==========
* :vytask:`T4315` (feature): Telegraf - Output to prometheus
2022-05-29
==========
* :vytask:`T2473` (feature): Xml for EIGRP [conf_mode]
2022-05-28
==========
* :vytask:`T4448` (feature): rip: add support for explicit version selection
2022-05-26
==========
* :vytask:`T4442` (feature): HTTP API add action "reset"
2022-05-25
==========
* :vytask:`T4410` (feature): Telegraf - Output to Splunk
* :vytask:`T4382` (bug): Replacing legacy loadFile exposes missing steps in migration scripts and other errors
2022-05-21
==========
@ -450,7 +673,6 @@
* :vytask:`T4164` (bug): PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`
* :vytask:`T3970` (feature): Add support for op-mode PKI direct install into an active config session
* :vytask:`T3828` (bug): ipsec: Subtle change in "pfs enable" behavior from equuleus -> sagitta
* :vytask:`T4228` (bug): bond: OS error thrown when two bonds use the same member
2022-02-05
@ -681,7 +903,7 @@
2021-12-28
==========
* :vytask:`T3380` (bug): Show vpn ike sa with IPv6 remote peer
* :vytask:`T3380` (bug): "show vpn ike sa" does not display IPv6 peers
2021-12-27
@ -728,7 +950,6 @@
2021-12-22
==========
* :vytask:`T4056` (bug): Traffic policy not set in live configuration
* :vytask:`T3678` (bug): VyOS 1.4: Invalid error message while deleting ipsec vpn configuration
* :vytask:`T3356` (feature): Script for remote file transfers
@ -2169,7 +2390,7 @@
==========
* :vytask:`T3313` (bug): ospfv3 interface missing options
* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.191 / 5.10.113
* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.204 / 5.10.129
2021-02-15


@ -3,8 +3,8 @@ DHCP Relay trough GRE-Bridge
############################
| Testdate: 2022-03-28
| Version: 1.4-rolling-202203280217
| Testdate: 2022-07-11
| Version: 1.4-rolling-202207090632
This simple structure shows how to configure a DHCP Relay over a GRE Bridge
@ -77,14 +77,14 @@ Ping the Client from the DHCP Server.
vyos@dhcp-server:~$ ping 192.168.0.30 count 4
PING 192.168.0.30 (192.168.0.30) 56(84) bytes of data.
64 bytes from 192.168.0.30: icmp_seq=1 ttl=63 time=1.07 ms
64 bytes from 192.168.0.30: icmp_seq=2 ttl=63 time=1.37 ms
64 bytes from 192.168.0.30: icmp_seq=3 ttl=63 time=1.05 ms
64 bytes from 192.168.0.30: icmp_seq=4 ttl=63 time=0.951 ms
64 bytes from 192.168.0.30: icmp_seq=1 ttl=63 time=1.29 ms
64 bytes from 192.168.0.30: icmp_seq=2 ttl=63 time=1.32 ms
64 bytes from 192.168.0.30: icmp_seq=3 ttl=63 time=1.31 ms
64 bytes from 192.168.0.30: icmp_seq=4 ttl=63 time=1.31 ms
--- 192.168.0.30 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.951/1.108/1.367/0.155 ms
rtt min/avg/max/mdev = 1.291/1.308/1.321/0.010 ms
And show all DHCP Leases
@ -95,4 +95,4 @@ And show all DHCP Leases
vyos@dhcp-server:~$ show dhcp server leases
IP address Hardware address State Lease start Lease expiration Remaining Pool Hostname
------------ ------------------ ------- ------------------- ------------------- ----------- ---------- ----------
192.168.0.30 00:50:79:66:68:05 active 2022/03/28 14:28:17 2022/03/29 14:28:17 23:59:17 DHCPTun100 VPCS
192.168.0.30 00:50:79:66:68:05 active 2022/07/11 19:37:30 2022/07/12 19:37:30 23:59:17 DHCPTun100 VPCS



@ -3,8 +3,8 @@
L3VPN EVPN with VyOS
####################
| Testdate: 2022-03-28
| Version: 1.4-rolling-202203280217
| Testdate: 2022-07-11
| Version: 1.4-rolling-202207090632
I spun up a new lab in EVE-NG, which represents this as the
"Foo Bar - Service Provider Inc." that has 3 points of presence (PoP) in random
@ -159,32 +159,32 @@ Show routes for all VRFs
t - trapped, o - offload failure
VRF blue:
C>* 10.1.1.0/24 is directly connected, br2000, 00:01:05
B>* 10.1.2.0/24 [200/0] via 172.29.255.2, br2000 onlink, weight 1, 00:00:47
B>* 10.1.3.0/24 [200/0] via 172.29.255.3, br2000 onlink, weight 1, 00:00:42
C>* 10.1.1.0/24 is directly connected, br2000, 00:01:07
B>* 10.1.2.0/24 [200/0] via 172.29.255.2, br2000 onlink, weight 1, 00:00:48
B>* 10.1.3.0/24 [200/0] via 172.29.255.3, br2000 onlink, weight 1, 00:00:44
VRF default:
O 172.29.0.2/31 [110/1] is directly connected, eth1, weight 1, 00:01:02
C>* 172.29.0.2/31 is directly connected, eth1, 00:01:04
O>* 172.29.0.4/31 [110/2] via 172.29.0.3, eth1, weight 1, 00:00:39
* via 172.29.0.7, eth3, weight 1, 00:00:39
O 172.29.0.6/31 [110/1] is directly connected, eth3, weight 1, 00:01:02
C>* 172.29.0.6/31 is directly connected, eth3, 00:01:05
C>* 172.29.255.1/32 is directly connected, dum0, 00:01:06
O>* 172.29.255.2/32 [110/20] via 172.29.0.3, eth1, weight 1, 00:00:48
O>* 172.29.255.3/32 [110/20] via 172.29.0.7, eth3, weight 1, 00:00:38
O 172.29.0.2/31 [110/1] is directly connected, eth1, weight 1, 00:01:03
C>* 172.29.0.2/31 is directly connected, eth1, 00:01:06
O>* 172.29.0.4/31 [110/2] via 172.29.0.3, eth1, weight 1, 00:00:41
* via 172.29.0.7, eth3, weight 1, 00:00:41
O 172.29.0.6/31 [110/1] is directly connected, eth3, weight 1, 00:01:03
C>* 172.29.0.6/31 is directly connected, eth3, 00:01:06
C>* 172.29.255.1/32 is directly connected, dum0, 00:01:07
O>* 172.29.255.2/32 [110/20] via 172.29.0.3, eth1, weight 1, 00:00:49
O>* 172.29.255.3/32 [110/20] via 172.29.0.7, eth3, weight 1, 00:00:40
VRF green:
C>* 10.3.1.0/24 is directly connected, br4000, 00:01:05
B>* 10.3.3.0/24 [200/0] via 172.29.255.3, br4000 onlink, weight 1, 00:00:42
C>* 10.3.1.0/24 is directly connected, br4000, 00:01:07
B>* 10.3.3.0/24 [200/0] via 172.29.255.3, br4000 onlink, weight 1, 00:00:44
VRF mgmt:
S>* 0.0.0.0/0 [210/0] via 10.100.0.1, eth0, weight 1, 00:01:39
C>* 10.100.0.0/24 is directly connected, eth0, 00:01:40
S>* 0.0.0.0/0 [210/0] via 10.100.0.1, eth0, weight 1, 00:01:42
C>* 10.100.0.0/24 is directly connected, eth0, 00:01:42
VRF red:
C>* 10.2.1.0/24 is directly connected, br3000, 00:01:04
B>* 10.2.2.0/24 [200/0] via 172.29.255.2, br3000 onlink, weight 1, 00:00:47
C>* 10.2.1.0/24 is directly connected, br3000, 00:01:06
B>* 10.2.2.0/24 [200/0] via 172.29.255.2, br3000 onlink, weight 1, 00:00:48
Information about Ethernet Virtual Private Networks
@ -209,7 +209,7 @@ Information about Ethernet Virtual Private Networks
Route Distinguisher: 10.1.2.1:4
*>i[5]:[0]:[24]:[10.1.2.0]
172.29.255.2 0 100 0 ?
RT:100:2000 ET:8 Rmac:02:18:c8:f9:1a:d1
RT:100:2000 ET:8 Rmac:12:22:ff:6c:a5:6f
Route Distinguisher: 10.1.3.1:4
*>i[5]:[0]:[24]:[10.1.3.0]
172.29.255.3 0 100 0 ?
@ -221,7 +221,7 @@ Information about Ethernet Virtual Private Networks
Route Distinguisher: 10.2.2.1:5
*>i[5]:[0]:[24]:[10.2.2.0]
172.29.255.2 0 100 0 ?
RT:100:3000 ET:8 Rmac:36:17:df:67:bd:bc
RT:100:3000 ET:8 Rmac:1e:1b:a2:af:7d:62
Route Distinguisher: 10.3.1.1:7
*> [5]:[0]:[24]:[10.3.1.0]
172.29.255.1 0 32768 ?
@ -248,4 +248,4 @@ the EVPN network we need to run
172.29.255.1 (metric 20) from 172.29.255.1 (172.29.255.1)
Origin incomplete, metric 0, localpref 100, valid, internal, best (First path received)
Extended Community: RT:100:4000 ET:8 Rmac:50:00:00:01:00:06
Last update: Mon Mar 28 15:46:02 2022
Last update: Mon Jul 11 19:30:13 2022



@ -3,8 +3,8 @@ Wireguard
#########
| Testdate: 2022-03-28
| Version: 1.4-rolling-202203280217
| Testdate: 2022-07-11
| Version: 1.4-rolling-202207090632
This simple structure show how to connect two offices. One remote branch and the
@ -45,8 +45,8 @@ After this, the public key can be displayed, to save for later.
.. code-block:: none
vyos@central:~$ generate pki wireguard
Private key: 2BmTwXO1NpakOsa2ynnIqW3c1s3aT/gVtCUJnecefXY=
Public key: BU+4Dyr3VldI2DJiBji50Egqr58071puYdXhoyRvuH8=
Private key: EIvN662aSS0Ai9VdsgSioq2fxUXxDTsb/ObsbI8jRlY=
Public key: g2/u7oMX4l5klNDWpQvYmNiCNPoqS7qzeWs+g4KPEEc=
After you have each public key. The wireguard interfaces can be setup.
@ -102,11 +102,11 @@ And ping the Branch PC from your central router to check the response.
vyos@central:~$ ping 10.0.2.100 count 4
PING 10.0.2.100 (10.0.2.100) 56(84) bytes of data.
64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.580 ms
64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=0.862 ms
64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=0.754 ms
64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=0.669 ms
64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.752 ms
64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=1.37 ms
64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=1.09 ms
64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=1.09 ms
--- 10.0.2.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3094ms
rtt min/avg/max/mdev = 0.580/0.716/0.862/0.104 ms
4 packets transmitted, 4 received, 0% packet loss, time 3053ms
rtt min/avg/max/mdev = 0.752/1.076/1.372/0.219 ms


@ -1,14 +1,14 @@
set interface ethernet eth2 address 10.0.2.254/24
set interface ethernet eth1 address 198.51.100.2/24
set interfaces wireguard wg01 private-key 'uNz9h7kM5t1Bz5NMk1WscVbtzY1URwm6qK2gnkslp08='
set interfaces wireguard wg01 private-key '4FZyoJhU7aYIFlPsn1AWbgKMPVbV37+6ZnRXa3MhqUY='
set interfaces wireguard wg01 address 192.168.0.2/24
set interfaces wireguard wg01 description 'VPN-to-central'
set interfaces wireguard wg01 peer central allowed-ips 10.0.1.0/24
set interfaces wireguard wg01 peer central allowed-ips 192.168.0.0/24
set interfaces wireguard wg01 peer central address 198.51.100.1
set interfaces wireguard wg01 peer central port 51820
set interfaces wireguard wg01 peer central public-key 'BU+4Dyr3VldI2DJiBji50Egqr58071puYdXhoyRvuH8='
set interfaces wireguard wg01 peer central public-key 'g2/u7oMX4l5klNDWpQvYmNiCNPoqS7qzeWs+g4KPEEc='
set interfaces wireguard wg01 port 51820
set protocols static route 10.0.1.0/24 interface wg01


@ -1,14 +1,14 @@
set interface ethernet eth2 address 10.0.1.254/24
set interface ethernet eth1 address 198.51.100.1/24
set interfaces wireguard wg01 private-key '2BmTwXO1NpakOsa2ynnIqW3c1s3aT/gVtCUJnecefXY='
set interfaces wireguard wg01 private-key 'EIvN662aSS0Ai9VdsgSioq2fxUXxDTsb/ObsbI8jRlY='
set interfaces wireguard wg01 address 192.168.0.1/24
set interfaces wireguard wg01 description 'VPN-to-Branch'
set interfaces wireguard wg01 peer branch allowed-ips 10.0.2.0/24
set interfaces wireguard wg01 peer branch allowed-ips 192.168.0.0/24
set interfaces wireguard wg01 peer branch address 198.51.100.2
set interfaces wireguard wg01 peer branch port 51820
set interfaces wireguard wg01 peer branch public-key 'wgCmJKRpV4bm9VtQWc1ScKSojTSIVIkrqhYKUPxIgSA='
set interfaces wireguard wg01 peer branch public-key '7CQshV+BLlSvdoAkjHOcBTCgGZv67czwEIJn945j7gE='
set interfaces wireguard wg01 port 51820
set protocols static route 10.0.2.0/24 interface wg01



@ -4,8 +4,8 @@
Tunnelbroker.net (IPv6)
#######################
| Testdate: 2022-03-28
| Version: 1.4-rolling-202203280217
| Testdate: 2022-07-11
| Version: 1.4-rolling-202207090632
This guide walks through the setup of https://www.tunnelbroker.net/ for an
IPv6 Tunnel.
@ -61,14 +61,14 @@ Now you should be able to ping a public IPv6 Address
vyos@vyos-wan:~$ ping 2001:470:20::2 count 4
PING 2001:470:20::2(2001:470:20::2) 56 data bytes
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=76.9 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=30.2 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.3 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=30.1 ms
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=31.4 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=30.5 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.8 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=90.5 ms
--- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 30.090/41.872/76.928/20.239 ms
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 30.519/45.797/90.546/25.837 ms
Assuming the pings are successful, you need to add some DNS servers.
@ -85,14 +85,14 @@ You should now be able to ping something by IPv6 DNS name:
vyos@vyos-wan:~$ ping tunnelbroker.net count 4
PING tunnelbroker.net(tunnelbroker.net (2001:470:0:63::2)) 56 data bytes
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=54 time=179 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=54 time=179 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=54 time=207 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=54 time=179 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=48 time=182 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=48 time=234 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=48 time=182 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=48 time=183 ms
--- tunnelbroker.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 178.648/185.816/207.161/12.323 ms
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 182.224/195.335/233.869/22.248 ms
*****************
@ -148,14 +148,14 @@ Now the Client is able to ping a public IPv6 address
vyos@client:~$ ping 2001:470:20::2 count 4
PING 2001:470:20::2(2001:470:20::2) 56 data bytes
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=66.0 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=30.3 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=29.7 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=57.5 ms
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=60.3 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=31.3 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=31.7 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=104 ms
--- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 29.658/45.867/66.049/16.177 ms
rtt min/avg/max/mdev = 31.331/56.908/104.282/29.764 ms
Multiple LAN/DMZ Setup


@ -208,7 +208,7 @@ peer-address.
set high-availability vrrp group int peer-address '10.200.201.3'
set high-availability vrrp group int no-preempt
set high-availability vrrp group int priority '200'
set high-availability vrrp group int virtual-address '10.200.201.1/24'
set high-availability vrrp group int address '10.200.201.1/24'
set high-availability vrrp group int vrid '201'
@ -222,7 +222,7 @@ peer-address.
set high-availability vrrp group int peer-address '10.200.201.2'
set high-availability vrrp group int no-preempt
set high-availability vrrp group int priority '100'
set high-availability vrrp group int virtual-address '10.200.201.1/24'
set high-availability vrrp group int address '10.200.201.1/24'
set high-availability vrrp group int vrid '201'
@ -244,7 +244,7 @@ enterprise-wide.
set high-availability vrrp group public peer-address '203.0.113.3'
set high-availability vrrp group public no-preempt
set high-availability vrrp group public priority '200'
set high-availability vrrp group public virtual-address '203.0.113.1/24'
set high-availability vrrp group public address '203.0.113.1/24'
set high-availability vrrp group public vrid '113'
**router2**
@ -257,7 +257,7 @@ enterprise-wide.
set high-availability vrrp group public peer-address '203.0.113.2'
set high-availability vrrp group public no-preempt
set high-availability vrrp group public priority '100'
set high-availability vrrp group public virtual-address '203.0.113.1/24'
set high-availability vrrp group public address '203.0.113.1/24'
set high-availability vrrp group public vrid '113'


@ -104,9 +104,10 @@ Configuration
Step-1: Configuring IGP and enabling MPLS LDP
=============================================
At the first step we need to configure the IP/MPLS backbone network using OSPF as
IGP protocol and LDP as label-switching protocol for the base connectivity between
**P** (rovider), **P** (rovider) **E** (dge) and **R** (oute) **R** (eflector) nodes:
At the first step we need to configure the IP/MPLS backbone network using OSPF
as IGP protocol and LDP as label-switching protocol for the base connectivity
between **P** (rovider), **P** (rovider) **E** (dge) and **R** (oute) **R**
(eflector) nodes:
- VyOS-P1:
@ -333,12 +334,9 @@ VPN (L3VPN) routes between them:
set protocols bgp neighbor 10.0.0.7 peer-group 'RR_VPNv4'
set protocols bgp neighbor 10.0.0.8 address-family ipv4-vpn route-reflector-client
set protocols bgp neighbor 10.0.0.8 peer-group 'RR_VPNv4'
set protocols bgp neighbor 10.0.0.9 address-family ipv4-vpn route-reflector-client
set protocols bgp neighbor 10.0.0.9 peer-group 'RR_VPNv4'
set protocols bgp neighbor 10.0.0.10 address-family ipv4-vpn route-reflector-client
set protocols bgp neighbor 10.0.0.10 peer-group 'RR_VPNv4'
set protocols bgp parameters cluster-id '10.0.0.1'
set protocols bgp parameters default no-ipv4-unicast
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.0.0.1'
set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@ -353,12 +351,9 @@ VPN (L3VPN) routes between them:
set protocols bgp neighbor 10.0.0.7 peer-group 'RR_VPNv4'
set protocols bgp neighbor 10.0.0.8 address-family ipv4-vpn route-reflector-client
set protocols bgp neighbor 10.0.0.8 peer-group 'RR_VPNv4'
set protocols bgp neighbor 10.0.0.9 address-family ipv4-vpn route-reflector-client
set protocols bgp neighbor 10.0.0.9 peer-group 'RR_VPNv4'
set protocols bgp neighbor 10.0.0.10 address-family ipv4-vpn route-reflector-client
set protocols bgp neighbor 10.0.0.10 peer-group 'RR_VPNv4'
set protocols bgp parameters cluster-id '10.0.0.1'
set protocols bgp parameters default no-ipv4-unicast
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.0.0.2'
set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@ -373,7 +368,6 @@ VPN (L3VPN) routes between them:
set protocols bgp neighbor 10.0.0.1 peer-group 'RR_VPNv4'
set protocols bgp neighbor 10.0.0.2 address-family ipv4-vpn nexthop-self
set protocols bgp neighbor 10.0.0.2 peer-group 'RR_VPNv4'
set protocols bgp parameters default no-ipv4-unicast
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.0.0.7'
set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@ -388,7 +382,6 @@ VPN (L3VPN) routes between them:
set protocols bgp neighbor 10.0.0.1 peer-group 'RR_VPNv4'
set protocols bgp neighbor 10.0.0.2 address-family ipv4-vpn nexthop-self
set protocols bgp neighbor 10.0.0.2 peer-group 'RR_VPNv4'
set protocols bgp parameters default no-ipv4-unicast
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.0.0.8'
set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@ -403,7 +396,6 @@ VPN (L3VPN) routes between them:
set protocols bgp neighbor 10.0.0.1 peer-group 'RR_VPNv4'
set protocols bgp neighbor 10.0.0.2 address-family ipv4-vpn nexthop-self
set protocols bgp neighbor 10.0.0.2 peer-group 'RR_VPNv4'
set protocols bgp parameters default no-ipv4-unicast
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.0.0.10'
set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@ -504,13 +496,13 @@ configured L3VPN parameters.
set interfaces ethernet eth0 address '10.50.50.2/24'
# BGP for peering with PE
set protocols bgp 65035 address-family ipv4-unicast network 10.0.0.80/32
set protocols bgp 65035 neighbor 10.50.50.1 ebgp-multihop '2'
set protocols bgp 65035 neighbor 10.50.50.1 remote-as '65001'
set protocols bgp 65035 neighbor 10.50.50.1 update-source 'eth0'
set protocols bgp 65035 parameters default no-ipv4-unicast
set protocols bgp 65035 parameters log-neighbor-changes
set protocols bgp 65035 parameters router-id '10.50.50.2'
set protocols bgp local-as 65035
set protocols bgp address-family ipv4-unicast network 10.0.0.80/32
set protocols bgp neighbor 10.50.50.1 ebgp-multihop '2'
set protocols bgp neighbor 10.50.50.1 remote-as '65001'
set protocols bgp neighbor 10.50.50.1 update-source 'eth0'
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.50.50.2'
- VyOS-CE1-HUB:
@ -521,14 +513,14 @@ configured L3VPN parameters.
set interfaces ethernet eth0 address '10.80.80.2/24'
# BGP for peering with PE
set protocols bgp 65035 address-family ipv4-unicast network 10.0.0.100/32
set protocols bgp 65035 address-family ipv4-unicast redistribute connected
set protocols bgp 65035 neighbor 10.80.80.1 ebgp-multihop '2'
set protocols bgp 65035 neighbor 10.80.80.1 remote-as '65001'
set protocols bgp 65035 neighbor 10.80.80.1 update-source 'eth0'
set protocols bgp 65035 parameters default no-ipv4-unicast
set protocols bgp 65035 parameters log-neighbor-changes
set protocols bgp 65035 parameters router-id '10.80.80.2'
set protocols bgp local-as 65035
set protocols bgp address-family ipv4-unicast network 10.0.0.100/32
set protocols bgp address-family ipv4-unicast redistribute connected
set protocols bgp neighbor 10.80.80.1 ebgp-multihop '2'
set protocols bgp neighbor 10.80.80.1 remote-as '65001'
set protocols bgp neighbor 10.80.80.1 update-source 'eth0'
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.80.80.2'
- VyOS-CE2-SPOKE:
@ -539,13 +531,13 @@ configured L3VPN parameters.
set interfaces ethernet eth0 address '10.60.60.2/24'
# BGP for peering with PE
set protocols bgp 65035 address-family ipv4-unicast network 10.0.0.90/32
set protocols bgp 65035 neighbor 10.60.60.1 ebgp-multihop '2'
set protocols bgp 65035 neighbor 10.60.60.1 remote-as '65001'
set protocols bgp 65035 neighbor 10.60.60.1 update-source 'eth0'
set protocols bgp 65035 parameters default no-ipv4-unicast
set protocols bgp 65035 parameters log-neighbor-changes
set protocols bgp 65035 parameters router-id '10.60.60.2'
set protocols bgp local-as 65035
set protocols bgp address-family ipv4-unicast network 10.0.0.90/32
set protocols bgp neighbor 10.60.60.1 ebgp-multihop '2'
set protocols bgp neighbor 10.60.60.1 remote-as '65001'
set protocols bgp neighbor 10.60.60.1 update-source 'eth0'
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.60.60.2'


@ -1,34 +1,19 @@
:lastproofread: 2021-06-30
.. include:: /_include/need_improvement.txt
.. _container:
:lastproofread: 2022-06-10
#########
Container
#########
The VyOS container implementation is based on `Podman<https://podman.io/>` as
a deamonless container engine.
*************
Configuration
*************
.. cfgcmd:: set container <name>
Set a named container.
.. cfgcmd:: set container network <networkname>
Creates a named container network
.. cfgcmd:: set container registry <name>
Adds registry to list of unqualified-search-registries. By default, for any
image that does not include the registry in the image name, Vyos will use
docker.io as the container registry.
.. cfgcmd:: set container <name> image
.. cfgcmd:: set container name <name> image
Sets the image name in the hub registry
Sets the image name in the hub registry
.. code-block:: none
@ -42,7 +27,7 @@ Configuration
set container name mysql-server image quay.io/mysql:8.0
.. cfgcmd:: set container <name> allow-host-networks
.. cfgcmd:: set container name <name> allow-host-networks
Allow host networking in a container. The network stack of the container is
not isolated from the host and will use the host IP.
@ -50,13 +35,25 @@ Configuration
The following commands translate to "--net host" when the container
is created
.. note:: **allow-host-networks** cannot be used with **network**
.. note:: **allow-host-networks** cannot be used with **network**
.. cfgcmd:: set container <name> description <text>
.. cfgcmd:: set container name <name> network <networkname>
Sets the container description
Attaches user-defined network to a container.
Only one network must be specified and must already exist.
.. cfgcmd:: set container <name> environment '<key>' value '<value>'
.. cfgcmd:: set container name <name> network <networkname> address <address>
Optionally set a specific static IPv4 or IPv6 address for the container.
This address must be within the named network prefix.
.. note:: The first IP in the container network is reserved by the engine and cannot be used
.. cfgcmd:: set container name <name> description <text>
Set a container description
.. cfgcmd:: set container name <name> environment <key> value <value>
Add custom environment variables.
Multiple environment variables are allowed.
@ -65,35 +62,25 @@ Configuration
.. code-block:: none
set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix'
set container name mysql-server environment 'MYSQL_USER' value 'zabbix'
set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
set container name mysql-server environment MYSQL_DATABASE value 'zabbix'
set container name mysql-server environment MYSQL_USER value 'zabbix'
set container name mysql-server environment MYSQL_PASSWORD value 'zabbix_pwd'
set container name mysql-server environment MYSQL_ROOT_PASSWORD value 'root_pwd'
.. cfgcmd:: set container <name> network <networkname>
.. cfgcmd:: set container name <name> port <portname> source <portnumber>
.. cfgcmd:: set container name <name> port <portname> destination <portnumber>
.. cfgcmd:: set container name <name> port <portname> protocol <tcp | udp>
Attaches user-defined network to a container.
Only one network must be specified and must already exist.
Optionally a specific static IPv4 or IPv6 address can be set for
the container. This address must be within the named network.
.. code-block:: none
set container <name> network <networkname> address <address>
.. note:: The first IP in the container network is reserved by the engine and cannot be used
.. cfgcmd:: set container <name> port <portname> [source | destination ] <portnumber>
Publishes a port for the container
Publish a port for the container.
.. code-block:: none
set container name zabbix-web-nginx-mysql port http source 80
set container name zabbix-web-nginx-mysql port http destination 8080
set container name zabbix-web-nginx-mysql port http protocol tcp
.. cfgcmd:: set container <name> volume <volumename> [source | destination ] <path>
.. cfgcmd:: set container name <name> volume <volumename> source <path>
.. cfgcmd:: set container name <name> volume <volumename> destination <path>
Mount a volume into the container
@ -102,6 +89,85 @@ Configuration
set container name coredns volume 'corefile' source /config/coredns/Corefile
set container name coredns volume 'corefile' destination /etc/Corefile
.. cfgcmd:: set container name <name> restart [no | on-failure | always]
Set the restart behavior of the container.
- **no**: Do not restart containers on exit
- **on-failure**: Restart containers when they exit with a non-zero exit code, retrying indefinitely (default)
- **always**: Restart containers when they exit, regardless of status, retrying indefinitely
.. cfgcmd:: set container name <name> memory <MB>
Constrain the memory available to the container.
Default is 512 MB. Use 0 MB for unlimited memory.
.. cfgcmd:: set container name <name> device <devicename> source <path>
.. cfgcmd:: set container name <name> device <devicename> destination <path>
Add a host device to the container.
.. cfgcmd:: container name <name> cap-add <text>
Set container capabilities or permissions.
- **net-admin**: Network operations (interface, firewall, routing tables)
- **net-bind-service**: Bind a socket to privileged ports (port numbers less than 1024)
- **net-raw**: Permission to create raw network sockets
- **setpcap**: Capability sets (from bounded or inherited set)
- **sys-admin**: Administation operations (quotactl, mount, sethostname, setdomainame)
- **sys-time**: Permission to set system clock
.. cfgcmd:: set container name <name> disable
Disable a container.
.. cfgcmd:: set container network <networkname>
Creates a named container network
.. cfgcmd:: set container registry <name>
Adds registry to list of unqualified-search-registries. By default, for any
image that does not include the registry in the image name, Vyos will use
docker.io as the container registry.
******************
Operation Commands
******************
.. opcmd:: add container image <containername>
Pull a new image for container
.. opcmd:: show container
Show the list of all active containers.
.. opcmd:: show container image
Show the local container images.
.. opcmd:: show container log <containername>
Show logs from a given container
.. opcmd:: show container network
Show a list available container networks
.. opcmd:: restart container <containername>
Restart a given container
.. opcmd:: update container image <containername>
Update container image
*********************
Example Configuration
*********************


@ -264,7 +264,7 @@ the action of the rule will be executed.
.. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject |
accept]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop | 
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop |
reject | accept]
This required setting defines the action of the current rule.
@ -275,11 +275,18 @@ the action of the rule will be executed.
Provide a description for each rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
enable]
Enable or disable logging for the matched packet.
.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg |
alert | crit | err | warn | notice | info | debug]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg |
alert | crit | err | warn | notice | info | debug]
Define log-level. Only applicable if rule log is enable.
.. cfgcmd:: set firewall name <name> rule <1-999999> disable
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
@ -316,6 +323,32 @@ There are a lot of matching criteria against which the package can be tested.
set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
<country>
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
inverse-match
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
country-code <country>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
inverse-match
Match IP addresses based on its geolocation.
More info: `geoip matching
<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
Use inverse-match to match anything except the given country-codes.
Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
permits redistribution so we can include a database in images(~3MB
compressed). Includes cron script (manually callable by op-mode update
geoip) to keep database and rules updated.
.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
<mac-address>
@ -355,37 +388,40 @@ There are a lot of matching criteria against which the package can be tested.
set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
address-group <name>
address-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
address-group <name>
address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
address-group <name>
address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
address-group <name>
address-group <name | !name>
Use a specific address-group
Use a specific address-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
network-group <name>
network-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
network-group <name>
network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
network-group <name>
network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
network-group <name>
network-group <name | !name>
Use a specific network-group
Use a specific network-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
port-group <name>
port-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
port-group <name>
port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
port-group <name>
port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
port-group <name>
port-group <name | !name>
Use a specific port-group
Use a specific port-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
<0-255> | all | tcp_udp]
@ -423,6 +459,26 @@ There are a lot of matching criteria against which the package can be tested.
Match against the state of a packet.
.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
lt> <0-255>
Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
minute | hour>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
minute | hour>
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
***********************************
Applying a Rule-Set to an Interface
@ -495,10 +551,10 @@ Applying a Rule-Set to a Zone
Before you are able to apply a rule-set to a zone you have to create the zones
first.
It helps to think of the syntax as: (see below). The 'rule-set' should be
It helps to think of the syntax as: (see below). The 'rule-set' should be
written from the perspective of: *Source Zone*-to->*Destination Zone*
.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone>
.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone>
firewall name <rule-set>
.. cfgcmd:: set zone-policy zone <name> from <name> firewall name
@ -786,3 +842,11 @@ Example Partial Config
}
}
}
Update geoip database
=====================
.. opcmd:: update geoip
Command used to update GeoIP database and firewall sets.


@ -78,7 +78,11 @@ Bridge Options
.. cfgcmd:: set interfaces bridge <interface> igmp querier
Enable IGMP querier
Enable IGMP and MLD querier.
.. cfgcmd:: set interfaces bridge <interface> igmp snooping
Enable IGMP and MLD snooping.
.. _stp:


@ -332,7 +332,7 @@ before using under the openvpn interface configuration.
Now we need to specify the server network settings. In all cases we need to
specify the subnet for client tunnel endpoints. Since we want clients to access
a specific network behind out router, we will use a push-route option for
a specific network behind our router, we will use a push-route option for
installing that route on clients.
.. code-block:: none


@ -590,3 +590,24 @@ To get it to work as an access point with this configuration you will need
to set up a DHCP server to work with that network. You can - of course - also
bridge the Wireless interface with any configured bridge
(:ref:`bridge-interface`) on the system.
.. _wireless-interface-intel-ax200:
Intel AX200
===========
The Intel AX200 card does not work out of the box in AP mode, see
https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can
still put this card into AP mode using the following configuration:
.. stop_vyoslinter
.. code-block:: none
set interfaces wireless wlan0 channel '1'
set interfaces wireless wlan0 country-code 'us'
set interfaces wireless wlan0 mode 'n'
set interfaces wireless wlan0 physical-device 'phy0'
set interfaces wireless wlan0 ssid 'VyOS'
set interfaces wireless wlan0 type 'access-point'
.. start_vyoslinter


@ -82,11 +82,26 @@ Route Map
IP next-hop of route to match, based on access-list.
.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
address <x.x.x.x>
IP next-hop of route to match, based on ip address.
.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
prefix-len <0-32>
IP next-hop of route to match, based on prefix length.
.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
prefix-list <text>
IP next-hop of route to match, based on prefix-list.
.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
type <blackhole>
IP next-hop of route to match, based on type.
.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip route-source
access-list <1-2699>


@ -177,7 +177,7 @@ process. The BGP process starts when the first neighbor is configured.
.. cfgcmd:: set protocols bgp local-as <asn>
Set local autonomous system number that this router represents. This is a
a mandatory option!
mandatory option!
Peers Configuration
-------------------
@ -431,7 +431,7 @@ Peer Parameters
This command enforces Generalized TTL Security Mechanism (GTSM),
as specified in :rfc:`5082`. With this command, only neighbors
that are the specified number of hops away will be allowed to
that are specified number of hops away will be allowed to
become neighbors. The number of hops range is 1 to 254. This
command is mutually exclusive with :cfgcmd:`ebgp-multihop`.
@ -563,11 +563,6 @@ Common parameters
Path (both AS number and AS path length), Origin code, MED, IGP
metric. Also, the next hop address for each path must be different.
.. cfgcmd:: set protocols bgp parameters default no-ipv4-unicast
This command allows the user to specify that IPv4 peering is turned off by
default.
.. cfgcmd:: set protocols bgp parameters log-neighbor-changes
This command enable logging neighbor up/down changes and reset reason.
@ -984,7 +979,7 @@ Show
.. opcmd:: show ip bgp filter-list <name>
This command displays BGP routes allowed by by the specified AS Path
This command displays BGP routes allowed by the specified AS Path
access list.
.. opcmd:: show <ip|ipv6> bgp neighbors <address> advertised-routes


@ -28,6 +28,11 @@ Configuration
want to receive/relay packets on both `eth1` and `eth2` both interfaces need
to be added.
.. cfgcmd:: set service broadcast-relay id <n> address <ipv4-address>
Set the source IP of forwarded packets, otherwise original senders address
is used.
.. cfgcmd:: set service broadcast-relay id <n> port <port>
The UDP port number used by your apllication. It is mandatory for this kind


@ -114,11 +114,11 @@ Operation
conntrack is not enabled. To enable conntrack, just create a NAT or a firewall
rule. :cfgcmd:`set firewall state-policy established action accept`
.. opcmd:: show conntrack-sync external-cache
.. opcmd:: show conntrack-sync cache external
Show connection syncing external cache entries
.. opcmd:: show conntrack-sync internal-cache
.. opcmd:: show conntrack-sync cache internal
Show connection syncing internal cache entries


@ -0,0 +1,127 @@
.. _event-handler:
#############
Event Handler
#############
*********************************
Event Handler Technology Overview
*********************************
Event handler allows you to execute scripts when a string that matches a regex or a regex with
a service name appears in journald logs. You can pass variables, arguments, and a full matching string to the script.
******************************
How to configure Event Handler
******************************
`1. Create an event handler`_
`2. Add regex to the script`_
`3. Add a full path to the script`_
`4. Add optional parameters`_
*********************************
Event Handler Configuration Steps
*********************************
1. Create an event handler
==========================
.. cfgcmd:: set service event-handler event <event-handler name>
This is an optional command because the event handler will be automatically created after any of the next commands.
2. Add regex to the script
===========================================
.. cfgcmd:: set service event-handler event <event-handler name> filter pattern <regex>
This is a mandatory command. Sets regular expression to match against log string message.
.. note:: The regular expression matches if and only if the entire string matches the pattern.
3. Add a full path to the script
================================
.. cfgcmd:: set service event-handler event <event-handler name> script path <path to script>
This is a mandatory command. Sets the full path to the script. The script file must be executable.
4. Add optional parameters
==========================
.. cfgcmd:: set service event-handler event <event-handler name> filter syslog-identifier <sylogid name>
This is an optional command. Filters log messages by syslog-identifier.
.. cfgcmd:: set service event-handler event <event-handler name> script environment <env name> value <env value>
This is an optional command. Adds environment and its value to the script. Use separate commands for each environment.
One implicit environment exists.
* ``message``: Full message that has triggered the script.
.. cfgcmd:: set service event-handler event <event-handler name> script arguments <arguments>
This is an optional command. Adds arguments to the script. Arguments must be separated by spaces.
.. note:: We don't recomend to use arguments. Using environments is more preffereble.
*******
Example
*******
Event handler that monitors the state of interface eth0.
.. code-block:: none
set service event-handler event INTERFACE_STATE_DOWN filter pattern '.*eth0.*,RUNNING,.*->.*'
set service event-handler event INTERFACE_STATE_DOWN filter syslog-identifier 'netplugd'
set service event-handler event INTERFACE_STATE_DOWN script environment interface_action value 'down'
set service event-handler event INTERFACE_STATE_DOWN script environment interface_name value 'eth2'
set service event-handler event INTERFACE_STATE_DOWN script path '/config/scripts/eventhandler.py'
Event handler script
.. code-block:: none
#!/usr/bin/env python3
#
# VyOS event-handler script example
from os import environ
import subprocess
from sys import exit
# Perform actions according to requirements
def process_event() -> None:
# Get variables
message_text = environ.get('message')
interface_name = environ.get('interface_name')
interface_action = environ.get('interface_action')
# Print the message that triggered this script
print(f'Logged message: {message_text}')
# Prepare a command to run
command = f'sudo ip link set {interface_name} {interface_action}'.split()
# Execute a command
subprocess.run(command)
if __name__ == '__main__':
try:
# Run script actions and exit
process_event()
exit(0)
except Exception as err:
# Exit properly in case if something in the script goes wrong
print(f'Error running script: {err}')
exit(1)


@ -28,6 +28,10 @@ Configuration
Set the listen port of the local API, this has no effect on the
webserver. The default is port 8080
.. cfgcmd:: set service https api socket
Use local socket for API
.. cfgcmd:: set service https api strict
Enforce strict path checking
@ -89,4 +93,4 @@ To use this full configuration we asume a public accessible hostname.
set service https virtual-host rtr01 listen-address 198.51.100.2
set service https virtual-host rtr01 listen-port 11443
set service https virtual-host rtr01 server-name rtr01.example.com
set service https api-restrict virtual-host rtr01.example.com
set service https api-restrict virtual-host rtr01


@ -25,3 +25,4 @@ Service
ssh
tftp-server
webproxy
eventhandler


@ -1,10 +1,111 @@
Monitoring
----------
Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.
Azure-data-explorer
===================
Telegraf output plugin azure-data-explorer_
.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-id <client-id>
Authentication application client-id.
.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-secret <client-secret>
Authentication application client-secret.
.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication tenant-id <tenant-id>
Authentication application tenant-id
.. cfgcmd:: set service monitoring telegraf azure-data-explorer database <name>
Remote databe name.
.. cfgcmd:: set service monitoring telegraf azure-data-explorer group-metrics <single-table | table-per-metric>
Type of metrics grouping when push to Azure Data Explorer. The default is
``table-per-metric``.
.. cfgcmd:: set service monitoring telegraf azure-data-explorer table <name>
Name of the single table Only if set group-metrics single-table.
.. cfgcmd:: set service monitoring telegraf azure-data-explorer url <url>
Remote URL.
Prometheus-client
=================
Telegraf output plugin prometheus-client_
.. cfgcmd:: set service monitoring telegraf prometheus-client
Output plugin Prometheus client
.. cfgcmd:: set service monitoring telegraf prometheus-client allow-from <prefix>
Networks allowed to query this server
.. cfgcmd:: set service monitoring telegraf prometheus-client authentication username <username>
HTTP basic authentication username
.. cfgcmd:: set service monitoring telegraf prometheus-client authentication password <password>
HTTP basic authentication username
.. cfgcmd:: set service monitoring telegraf prometheus-client listen-address <address>
Local IP addresses to listen on
.. cfgcmd:: set service monitoring telegraf prometheus-client metric-version <1 | 2>
Metris version, the default is ``2``
.. cfgcmd:: set service monitoring telegraf prometheus-client port <port>
Port number used by connection, default is ``9273``
Example:
.. code-block:: none
set service monitoring telegraf prometheus-client
.. code-block:: none
vyos@r14:~$ curl --silent localhost:9273/metrics | egrep -v "#" | grep cpu_usage_system
cpu_usage_system{cpu="cpu-total",host="r14"} 0.20040080160320556
cpu_usage_system{cpu="cpu0",host="r14"} 0.17182130584191915
cpu_usage_system{cpu="cpu1",host="r14"} 0.22896393817971655
Splunk
======
Telegraf output plugin splunk_. HTTP Event Collector.
.. cfgcmd:: set service monitoring telegraf splunk authentication insecure
Use TLS but skip host validation
.. cfgcmd:: set service monitoring telegraf splunk authentication token <token>
Authorization token
.. cfgcmd:: set service monitoring telegraf splunk authentication url <url>
Remote URL to Splunk collector
Example:
.. code-block:: none
set service monitoring telegraf splunk authentication insecure
set service monitoring telegraf splunk authentication token 'xxxxf5b8-xxxx-452a-xxxx-43828911xxxx'
set service monitoring telegraf splunk url 'https://192.0.2.10:8088/services/collector'
Telegraf
========
Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.
Telegraf is the open source server agent to help you collect metrics, events
and logs from your routers.
@ -43,3 +144,7 @@ An example of a configuration that sends ``telegraf`` metrics to remote
set service monitoring telegraf port '8086'
set service monitoring telegraf source 'all'
set service monitoring telegraf url 'http://r1.influxdb2.local'
.. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer
.. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client
.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html


@ -109,6 +109,36 @@ Configuration
Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
Dynamic-protection
==================
Protects host from brute-force attacks against
SSH. Log messages are parsed, line-by-line, for recognized patterns. If an
attack, such as several login failures within a few seconds, is detected, the
offending IP is blocked. Offenders are unblocked after a set interval.
.. cfgcmd:: set service ssh dynamic-protection
Allow ``ssh`` dynamic-protection.
.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix>
Whitelist of addresses and networks. Always allow inbound connections from
these systems.
.. cfgcmd:: set service ssh dynamic-protection block-time <sec>
Block source IP in seconds. Subsequent blocks increase by a factor of 1.5
The default is 120.
.. cfgcmd:: set service ssh dynamic-protection detect-time <sec>
Remember source IP in seconds before reset their score. The default is 1800.
.. cfgcmd:: set service ssh dynamic-protection threshold <sec>
Block source IP when their cumulative attack score exceeds threshold. The
default is 30.
Operation
=========


@ -0,0 +1,146 @@
.. _acceleration:
############
Acceleration
############
In this command tree, all hardware acceleration options will be handled.
At the moment only `Intel® QAT`_ is supported
**********
Intel® QAT
**********
.. opcmd:: show system acceleration qat
use this command to check if there is an Intel® QAT supported Processor in
your system.
.. code-block::
vyos@vyos:~$ show system acceleration qat
01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11)
if there is non device the command will show ```No QAT device found```
.. cfgcmd:: set system acceleration qat
if there is a supported device, enable Intel® QAT
.. opcmd:: show system acceleration qat status
Check if the Intel® QAT device is up and ready to do the job.
.. code-block::
vyos@vyos:~$ show system acceleration qat status
Checking status of all devices.
There is 1 QAT acceleration device(s) in the system:
qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up
Operation Mode
==============
.. opcmd:: show system acceleration qat device <device> config
Show the full config uploaded to the QAT device.
.. opcmd:: show system acceleration qat device <device> flows
Get an overview over the encryption counters.
.. opcmd:: show system acceleration qat interrupts
Show binded qat device interrupts to certain core.
Example
=======
Let's build a simple VPN between 2 Intel® QAT ready devices.
Side A:
.. code-block::
set interfaces vti vti1 address '192.168.1.2/24'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123'
set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2'
set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1'
Side B:
.. code-block::
set interfaces vti vti1 address '192.168.1.1/24'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123'
set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1'
set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1'
a bandwidth test over the VPN got these results:
.. code-block::
Connecting to host 192.168.1.2, port 5201
[ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes
[ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes
[ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes
[ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes
[ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes
[ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
[ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes
[ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
[ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes
[ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender
[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver
with :cfgcmd:`set system acceleration qat` on both systems the bandwidth
increases.
.. code-block::
Connecting to host 192.168.1.2, port 5201
[ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes
[ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes
[ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes
[ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes
[ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes
[ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes
[ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes
[ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes
[ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes
[ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender
[ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver
.. _`Intel® QAT`: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html


@ -1,51 +0,0 @@
.. _event-handler:
Event Handler
-------------
Event handler allows you to execute scripts when a string that matches a regex
appears in a text stream (e.g. log file).
It uses "feeds" (output of commands, or a named pipes) and "policies" that
define what to execute if a regex is matched.
.. code-block:: none
system
event-handler
feed <name>
description <feed description>
policy <policy name>
source
preset
syslog # Use the syslog logs for feed
custom
command <command to execute> # E.g. "tail -f /var/log/somelogfile"
named-pipe <path to a names pipe>
policy <policy name>
description <policy description>
event <event name>
description <event description>
pattern <regex>
run <command to run>
In this small example a script runs every time a login failed and an interface
goes down
.. code-block:: none
vyos@vyos# show system event-handler
feed Syslog {
policy MyPolicy
source {
preset syslog
}
}
policy MyPolicy {
description "Test policy"
event BadThingsHappened {
pattern "authentication failure"
pattern "interface \.* index \d+ .* DOWN.*"
run /config/scripts/email-to-admin
}
}


@ -7,6 +7,7 @@ System
:maxdepth: 1
:includehidden:
acceleration
conntrack
console
flow-accounting
@ -29,4 +30,3 @@ System
:includehidden:
default-route
eventhandler


@ -9,6 +9,15 @@ System configuration commands
Use this command to disable IPv4 forwarding on all interfaces.
.. cfgcmd:: set system ip disable-directed-broadcast
Use this command to disable IPv4 directed broadcast forwarding on all
interfaces.
If set, IPv4 directed broadcast forwarding will be completely disabled
regardless of whether per-interface directed broadcast forwarding is
enabled or not.
.. cfgcmd:: set system ip arp table-size <number>
Use this command to define the maximum number of entries to keep in
@ -67,4 +76,4 @@ And the different IPv4 **reset** commands available:
bgp Clear Border Gateway Protocol (BGP) statistics or status
igmp IGMP clear commands
multicast IP multicast routing table
route Reset IP route
route Reset IP route


@ -160,7 +160,7 @@ Show commands
Reset commands
^^^^^^^^^^^^^^
.. opcmd:: reset ipv6 bgp <address>
.. opcmd:: reset bgp ipv6 <address>
Use this command to clear Border Gateway Protocol statistics or
status.


@ -278,6 +278,7 @@ spoke01-spoke04
ip nhrp registration timeout 75
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
tunnel key 1
!
interface FastEthernet0/0


@ -197,7 +197,7 @@ Example
VRF route leaking
-----------------
The following example topology was build using EVE-NG.
The following example topology was built using EVE-NG.
.. figure:: /_static/images/vrf-example-topology-01.png
:alt: VRF topology example
@ -338,7 +338,7 @@ VRF Route Leaking
BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN
SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may
also be leaked between any VRFs (including the unicast RIB of the default BGP
instanced). A shortcut syntax is also available for specifying leaking from
instance). A shortcut syntax is also available for specifying leaking from
one VRF to another VRF using the default instances VPN RIB as the intemediary
. A common application of the VRF-VRF feature is to connect a customers
private routing domain to a providers VPN service. Leaking is configured from


@ -23,7 +23,7 @@ also set up your own build machine and run a :ref:`build_native`.
The source code remains public and an ISO can be built using the process
outlined in this chapter.
This will guide you though the process of building a VyOS ISO using Docker_.
This will guide you through the process of building a VyOS ISO using Docker_.
This process has been tested on clean installs of Debian Jessie, Stretch, and
Buster.
@ -59,11 +59,11 @@ yourusername``.
Build Container
---------------
The container can built by hand or by fetching the pre-built one from DockerHub.
Using the pre-built containers from the `VyOS DockerHub organisation`_ will
ensure that the container is always up-to-date. A rebuild is triggered once the
container changes (please note this will take 2-3 hours after pushing to the
vyos-build repository).
The container can be built by hand or by fetching the pre-built one from
DockerHub. Using the pre-built containers from the `VyOS DockerHub
organisation`_ will ensure that the container is always up-to-date. A rebuild
is triggered once the container changes (please note this will take 2-3 hours
after pushing to the vyos-build repository).
.. note: If you are using the pre-built container, it will be automatically
downloaded from DockerHub if it is not found on your local machine when
@ -131,7 +131,7 @@ your development containers in your current working directory.
.. note:: Some VyOS packages (namely vyos-1x) come with build-time tests which
verify some of the internal library calls that they work as expected. Those
tests are carried out through the Python Unittest module. If you wan't to
tests are carried out through the Python Unittest module. If you want to
build the ``vyos-1x`` package (which is our main development package) you need
to start your Docker container using the following argument:
``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will fail.
@ -304,8 +304,8 @@ more or less similar looking error message:
(10:13) vyos_bld ece068908a5b:/vyos [current] #
To debug the build process and gain additional information of what could be the
root cause wou need to `chroot` into the build directry. This is explained in
the following step by step procedure:
root cause, you need to use `chroot` to change into the build directry. This is
explained in the following step by step procedure:
.. code-block:: none
@ -729,7 +729,7 @@ package from our GitHub organisation - this is the place to be.
Any "modified" package may refer to an altered version of e.g. vyos-1x package
that you would like to test before filing a pull request on GitHub.
Building an ISO with any customized package is in no way different then
Building an ISO with any customized package is in no way different than
building a regular (customized or not) ISO image. Simply place your modified
`*.deb` package inside the `packages` folder within `vyos-build`. The build
process will then pickup your custom package and integrate it into your ISO.
@ -771,7 +771,7 @@ Virtualization Platforms
QEMU
----
Run following command after building the ISO image.
Run the following command after building the ISO image.
.. code-block:: none
@ -780,7 +780,7 @@ Run following command after building the ISO image.
VMware
------
Run following command after building the QEMU image.
Run the following command after building the QEMU image.
.. code-block:: none


@ -6,21 +6,23 @@ Overview over all commands, which are documented in the
``.. cfgcmd::`` or ``.. opcmd::`` Directives.
The build process take all xml definition files
from `vyos-1x <https://github.com/vyos/vyos-1x>`_ and extract each leaf
command or executable command. After this the commands are compare and shown in
from `vyos-1x <https://github.com/vyos/vyos-1x>`_ and a periodical export of
all VyOS commands and extract each leaf command or executable command.
After this the commands are compare and shown in
the following two tables. The script compare only the fixed part of a command.
All varables or values will be erase and then compare:
for example there are these two commands:
* documentation: ``interfaces ethernet <interface> address
<address | dhcp | dhcpv6>```
* xml: ``interface ethernet <ethernet> address <address>``
<address | dhcp | dhcpv6>``
* xml: ``interfaces ethernet <ethernet> address <address>``
* VyOS: ``interfaces ethernet <text> address <value>``
Now the script earse all in between ``<`` and ``>`` and simply compare
the strings.
**There are 2 kind of problems:**
**There are 3 kind of problems:**
``Not documented yet``
@ -30,9 +32,14 @@ the strings.
``Nothing found in XML Definitions``
* ``.. cfgcmd::`` or ``.. opcmd::`` Command are not found in a XML command
* Maybe the command where changed in the XML Definition, or the feature is
not anymore in VyOS
* Some commands are not yet translated to XML
* Maybe the command where changed in the XML Definition, the feature is
not anymore in VyOS, or there is a typo
``Nothing found in VyOS``
* ``.. cfgcmd::`` or ``.. opcmd::`` Command are not found in a VyOS command
* Maybe the command where changed, the feature is
not anymore in VyOS, or there is a typo
Configuration Commands


@ -115,6 +115,8 @@ Refer to :ref:`wireless-interface` for additional information, below listed
modules have been tested successfully on this Hardware platform:
* Compex WLE900VX mini-PCIe WiFi module, only supported in mPCIe slot 1.
* Intel Corporation AX200 mini-PCIe WiFi module, only supported in mPCIe slot 1.
(see :ref:`wireless-interface-intel-ax200`)
WWAN
""""


@ -119,7 +119,7 @@ software) and even distribute them, given you rename it and remove
such assets before building. Although note that we do not provide
support for images distributed by a third-party. See the
`artwork license <https://github.com/vyos/vyos-build/blob/current/LICENSE.artwork>`_
and the end-user license agreement at ``/usr/share/doc/vyos/EULA`` in
and the end-user license agreement at ``/usr/share/vyos/EULA`` in
any pre-built image for more precise information.


@ -2,6 +2,6 @@ Sphinx==4.5.0
sphinx-rtd-theme==1.0.0
sphinx-autobuild==2021.3.14
sphinx-notfound-page==0.8
lxml==4.8.0
lxml==4.9.1
myst-parser==0.17.1
sphinx-panels==0.6.0