Merge branch 'master' of https://github.com/goodNETnick/vyos-documentation

docs/_ext/testcoverage.py

@@ -1,14 +1,13 @@
 '''
 generate json with all commands from xml for vyos documentation coverage
-
 '''
 
-
 import sys
 import os
 import json
 import re
 import logging
+import datetime
 
 from io import BytesIO
 from lxml import etree as ET
@@ -33,11 +32,32 @@ input_data = [
     }
 ]
 
+vyos_commands_dir = "_include/coverage"
+
 node_data = {
     'cfgcmd': {},
     'opcmd': {},
 }
 
+
+def get_vyos_commands():
+    return_data = None
+    for (dirpath, dirnames, filenames) in os.walk(vyos_commands_dir):
+        for file in filenames:
+            with open(f"{vyos_commands_dir}/{file}") as f:
+                data = json.load(f)
+            
+            if not return_data:
+                return_data = data
+            
+            # find latestes export
+            if datetime.datetime.fromisoformat(return_data['date']) < datetime.datetime.fromisoformat(data['date']):
+                return_data = data
+    
+    return return_data
+
+
+
 def get_properties(p):
     props = {}
     props['valueless'] = False
@@ -378,6 +398,4 @@ def override_element(l: list):
         el.getparent().remove(el)
 
 if __name__ == "__main__":
-    res = get_working_commands()
+    get_vyos_commands()
-    print(json.dumps(res))
-    #print(res['cfgcmd'][0])

docs/_ext/vyos.py

@@ -8,7 +8,7 @@ from docutils.parsers.rst import Directive, directives, states
 
 from sphinx.util.docutils import SphinxDirective
 
-from testcoverage import get_working_commands
+from testcoverage import get_working_commands, get_vyos_commands
 
 from sphinx.util import logging
 
@@ -28,6 +28,11 @@ def setup(app):
         #{"cfgcmd": [], "opcmd": []},
         'html'
     )
+    app.add_config_value(
+        'vyos_commands',
+        get_vyos_commands(),
+        'html'
+    )
     app.add_config_value(
         'vyos_coverage',
         {
@@ -550,17 +555,20 @@ def build_row(app, fromdocname, rowdata):
 
 
 
-def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
+def process_coverage(app, fromdocname, doccmd, xmlcmd, vyoscmd, cli_type):
     coverage_list = {}
     strip_true_list = []
     for cmd in doccmd:
         coverage_item = {
             'doccmd': None,
             'xmlcmd': None,
+            'vyoscmd': None,
             'doccmd_item': None,
             'xmlcmd_item': None,
+            'vyoscmd_item': None,
             'indocs': False,
             'inxml': False,
+            'invyos': False,
             'xmlfilename': None
         }
         coverage_item['doccmd'] = cmd['cmd']
@@ -576,10 +584,13 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
             coverage_item = {
                 'doccmd': None,
                 'xmlcmd': None,
+                'vyoscmd': None,
                 'doccmd_item': None,
                 'xmlcmd_item': None,
+                'vyoscmd_item': None,
                 'indocs': False,
                 'inxml': False,
+                'invyos': False,
                 'xmlfilename': None
             }
             coverage_item['xmlcmd'] = cmd['cmd']
@@ -592,7 +603,33 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
             coverage_list[strip]['xmlcmd_item'] = cmd
             coverage_list[strip]['inxml'] = True
             coverage_list[strip]['xmlfilename'] = cmd['filename']
-            strip_true_list.append(strip)
+
+    
+    for item in vyoscmd[cli_type]:
+        cmd = ' '.join(item['cmd'])
+        strip = strip_cmd(cmd)
+        if strip not in coverage_list.keys():
+            coverage_item = {
+                'doccmd': None,
+                'xmlcmd': None,
+                'vyoscmd': None,
+                'doccmd_item': None,
+                'xmlcmd_item': None,
+                'vyoscmd_item': None,
+                'indocs': False,
+                'inxml': False,
+                'invyos': False,
+                'xmlfilename': None
+            }
+            coverage_item['vyoscmd'] = cmd
+            coverage_item['invyos'] = True
+            coverage_list[strip] = dict(coverage_item)
+        else:
+            coverage_list[strip]['vyoscmd'] = cmd
+            coverage_list[strip]['invyos'] = True
+            if coverage_list[strip]['indocs'] and coverage_list[strip]['inxml']:
+                strip_true_list.append(strip)
+
     
 
     strip_true_list = list(set(strip_true_list))
@@ -605,11 +642,11 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
     
 
     table = nodes.table()
-    tgroup = nodes.tgroup(cols=3)
+    tgroup = nodes.tgroup(cols=4)
     table += tgroup
 
-    header = (f'Status {len(strip_true_list)}/{len(coverage_list)}', 'Documentaion', 'XML')
+    header = (f'Status {len(strip_true_list)}/{len(coverage_list)}', 'Documentation', 'XML', f'in VyOS {vyoscmd["os"]}')
-    colwidths = (5, 50 , 50)
+    colwidths = (5, 33 , 33, 33)
     table = nodes.table()
     tgroup = nodes.tgroup(cols=len(header))
     table += tgroup
@@ -623,6 +660,7 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
     for entry in sorted(coverage_list):
         doc_cmd_text = []
         doc_xml_text = []
+        doc_vyos_text = []
         if coverage_list[entry]['indocs']:
             doc_cmd_text.append(coverage_list[entry]['doccmd_item'])
         else:
@@ -633,8 +671,14 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
             doc_xml_text.append(coverage_list[entry]['xmlcmd'])
         else:
             doc_xml_text.append('Nothing found in XML Definitions')
+        
+        if coverage_list[entry]['invyos']:
+            doc_vyos_text.append(coverage_list[entry]['vyoscmd'])
+        else:
+            doc_vyos_text.append('Nothing found in VyOS')
 
-        if not coverage_list[entry]['indocs'] or not coverage_list[entry]['inxml']:
+
+        if not coverage_list[entry]['indocs'] or not coverage_list[entry]['inxml'] or not coverage_list[entry]['invyos']:
             status = False
         else:
             status = True
@@ -643,7 +687,8 @@ def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
             (
                 status,
                 doc_cmd_text,
-                doc_xml_text
+                doc_xml_text,
+                doc_vyos_text
 
             )
         )
@@ -678,6 +723,7 @@ def process_cmd_nodes(app, doctree, fromdocname):
                         fromdocname,
                         env.vyos_cfgcmd,
                         app.config.vyos_working_commands['cfgcmd'],
+                        app.config.vyos_commands,
                         'cfgcmd'
                         )
                     )
@@ -695,6 +741,7 @@ def process_cmd_nodes(app, doctree, fromdocname):
                         fromdocname,
                         env.vyos_opcmd,
                         app.config.vyos_working_commands['opcmd'],
+                        app.config.vyos_commands,
                         'opcmd'
                         )
                     )

docs/_include/interface-ip.txt

@@ -19,7 +19,7 @@
   {{ var5 }} {{ var6 }} ip arp-cache-timeout
 
   Once a neighbor has been found, the entry is considered to be valid for at
-  least for this specifc time. An entry's validity will be extended if it
+  least for this specific time. An entry's validity will be extended if it
   receives positive feedback from higher level protocols.
 
   This defaults to 30 seconds.
@@ -63,6 +63,22 @@
 
     set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip disable-forwarding
 
+.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
+  {{ var5 }} {{ var6 }} ip enable-directed-broadcast
+
+  Define different modes for IP directed broadcast forwarding as described in
+  :rfc:`1812` and :rfc:`2644`.
+
+  If configured, incoming IP directed broadcast packets on this interface will
+  be forwarded.
+
+  If this option is unset (default), incoming IP directed broadcast packets
+  will not be forwarded.
+
+  .. code-block:: none
+
+    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-directed-broadcast
+
 .. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
   {{ var5 }} {{ var6 }} ip enable-arp-accept
 

docs/_include/vyos-1x

@@ -1 +1 @@
-Subproject commit 0640a863255ef8f3d5b9d778fa0b6bff9922087e
+Subproject commit e632ed4b5409f955add4dab100bc7fa556606eb1

docs/automation/cloud-init.rst

@@ -50,7 +50,7 @@ In VyOS, by default, enables only two modules:
 
 * ``write_files`` - this module allows to insert any files into the filesystem
   before the first boot, for example, pre-generated encryption keys,
-  certificates, or even a whole ``config.boot`` file.
+  certificates, or even a whole ``config.boot`` file. The format is described in the cloudinit documentation `Cloud-init-write_files`_.
 
 * ``vyos_userdata`` - the module accepts a list of CLI configuration commands in
   a ``vyos_config_commands`` section, which gives an easy way to configure the
@@ -267,7 +267,7 @@ Most important keys that needs to be considered:
 Generate qcow image
 -------------------
 
-A VyOS qcow image with cloud-init options is needed. This can be obteined
+A VyOS qcow image with cloud-init options is needed. This can be obtained
 using `vyos-vm-images`_ repo. After clonning the repo, edit the file
 **qemu.yml** and comment the **download-iso** role.
 
@@ -427,5 +427,6 @@ References
 .. _vyos-vm-images: https://github.com/vyos/vyos-vm-images
 .. _cloud-init-docs: https://docs.vyos.io/en/equuleus/automation/cloud-init.html?highlight=cloud-init#vyos-cloud-init
 .. _Cloud-init-Support: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_cloud_init
+.. _Cloud-init-write_files: https://cloudinit.readthedocs.io/en/latest/topics/examples.html#writing-out-arbitrary-files
 
-.. start_vyoslinter
+.. start_vyoslinter

docs/automation/command-scripting.rst

@@ -83,10 +83,10 @@ Here is a simple example:
 
 .. code-block:: python
 
-  #!/usr/bin/env python
+  #!/usr/bin/env python3
-  print "delete firewall group address-group somehosts"
+  print("delete firewall group address-group somehosts")
-  print "set firewall group address-group somehosts address '192.0.2.3'"
+  print("set firewall group address-group somehosts address '192.0.2.3'")
-  print "set firewall group address-group somehosts address '203.0.113.55'"
+  print("set firewall group address-group somehosts address '203.0.113.55'")
 
 
 .. code-block:: none

docs/automation/vyos-api.rst

@@ -125,6 +125,24 @@ For example, get the addresses of a ``dum0`` interface.
       "error": null
    }
 
+/reset
+======
+
+The ``reset`` endpoint run a ``reset`` command.
+
+.. code-block:: none
+
+   curl --location --request POST 'https://vyos/reset' \
+   --form data='{"op": "reset", "path": ["ip", "bgp", "192.0.2.11"]}' \
+   --form key='MY-HTTPS-API-PLAINTEXT-KEY'
+
+   respone:
+   {
+     "success": true,
+     "data": "",
+     "error": null
+   }
+
 /image
 ======
 

docs/changelog/1.3.rst

@@ -8,6 +8,116 @@
    _ext/releasenotes.py
 
 
+2022-07-14
+==========
+
+* :vytask:`T4491` (bug): Use empty string for internal name of root node of config_tree
+
+
+2022-07-13
+==========
+
+* :vytask:`T1375` (feature): Add clear  dhcp server  lease function
+
+
+2022-07-12
+==========
+
+* :vytask:`T4527` (bug): Prevent to create VRF name default
+* :vytask:`T4084` (default): Dehardcode the default login banner
+* :vytask:`T3864` (enhancment): Add Edgecore build to VyOS 1.3 Equuleus
+
+
+2022-07-09
+==========
+
+* :vytask:`T4507` (feature): IPoE-server add multiplier option for shaper
+* :vytask:`T4468` (bug): web-proxy source group cannot start with a number bug
+* :vytask:`T4373` (feature): PPPoE-server add multiplier option for shaper
+
+
+2022-07-07
+==========
+
+* :vytask:`T4456` (bug): NTP client in VRF tries to bind to interfaces outside VRF, logs many messages
+* :vytask:`T4509` (feature): Feature Request: DNS64
+
+
+2022-07-06
+==========
+
+* :vytask:`T4513` (bug): Webproxy monitor commands do not work
+
+
+2022-07-05
+==========
+
+* :vytask:`T4510` (bug): set system static-host-mapping doesn't allow IPv4 and IPv6 for same name.
+* :vytask:`T2654` (bug): Multiple names unable to be assigned to the same static mapping
+* :vytask:`T2683` (default): no dual stack in system static-host-mapping host-name 
+
+
+2022-07-01
+==========
+
+* :vytask:`T4489` (bug): MPLS sysctl not persistent for tunnel interfaces
+
+
+2022-06-20
+==========
+
+* :vytask:`T1856` (feature): Support configuring IPSec SA bytes
+
+
+2022-06-16
+==========
+
+* :vytask:`T3866` (bug): Configs with DNS forwarding listening on OpenVPN interfaces or interfaces without a fixed address cannot be migrated to the new syntax
+
+
+2022-06-15
+==========
+
+* :vytask:`T1890` (feature): Metatask: rewrite flow-accounting to XML and Python
+
+
+2022-06-09
+==========
+
+* :vytask:`T2580` (feature): Support for ip pools for ippoe
+
+
+2022-06-08
+==========
+
+* :vytask:`T4447` (bug): DHCPv6 prefix delegation `sla-id` limited to 128 
+* :vytask:`T4350` (bug): DMVPN opennhrp spokes dont work behind NAT
+
+
+2022-05-30
+==========
+
+* :vytask:`T4315` (feature): Telegraf - Output to prometheus
+
+
+2022-05-27
+==========
+
+* :vytask:`T4441` (bug): wwan: connection not possible after a change added after 1.3.1-S1 release
+
+
+2022-05-26
+==========
+
+* :vytask:`T4442` (feature): HTTP API add action "reset"
+
+
+2022-05-25
+==========
+
+* :vytask:`T2194` (default): "show firewall" garbled output
+
+
 2022-05-19
 ==========
 
@@ -238,12 +348,6 @@
 * :vytask:`T4087` (feature): IPsec IKE-group proposals limit of 10 pieces 
 
 
-2022-02-06
-==========
-
-* :vytask:`T4228` (bug): bond: OS error thrown when two bonds use the same member
-
-
 2022-02-05
 ==========
 
@@ -360,7 +464,7 @@
 2021-12-28
 ==========
 
-* :vytask:`T3380` (bug): Show vpn ike sa with IPv6 remote peer
+* :vytask:`T3380` (bug): "show vpn ike sa" does not display IPv6 peers
 * :vytask:`T2933` (feature): VRRP add option virtual_ipaddress_excluded
 
 
@@ -1696,7 +1800,7 @@
 2021-02-16
 ==========
 
-* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.191 / 5.10.113
+* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.204 / 5.10.129
 
 
 2021-02-14

docs/changelog/1.4.rst

@@ -8,6 +8,229 @@
    _ext/releasenotes.py
 
 
+2022-07-17
+==========
+
+* :vytask:`T4028` (bug): FRR 8.1 routes not being applied to routing table after reboot if an interface has 2 ip addresses
+
+
+2022-07-15
+==========
+
+* :vytask:`T4494` (bug): Cannot reset BGP peer within VRF
+* :vytask:`T4536` (feature): FRR: move to systemd for daemon control
+
+
+2022-07-14
+==========
+
+* :vytask:`T4491` (bug): Use empty string for internal name of root node of config_tree
+
+
+2022-07-13
+==========
+
+* :vytask:`T1375` (feature): Add clear  dhcp server  lease function
+
+
+2022-07-12
+==========
+
+* :vytask:`T4527` (bug): Prevent to create VRF name default
+* :vytask:`T4084` (default): Dehardcode the default login banner
+* :vytask:`T3948` (feature): IPSec VPN:  Add a new option "none" for the connection-type
+* :vytask:`T235` (feature): Ability to configure manual IP Rules
+
+
+2022-07-10
+==========
+
+* :vytask:`T3836` (bug): Setting a default IPv6 route while getting IPv4 gateway via DHCP removes the IPv4 gateway
+
+
+2022-07-09
+==========
+
+* :vytask:`T4507` (feature): IPoE-server add multiplier option for shaper
+* :vytask:`T4499` (bug): NAT source translation not showing a single output
+* :vytask:`T4468` (bug): web-proxy source group cannot start with a number bug
+* :vytask:`T4373` (feature): PPPoE-server add multiplier option for shaper
+* :vytask:`T3353` (bug): PPPoE server wrong vlan-range generating config
+* :vytask:`T3648` (bug): op-mode: nat rules broken
+* :vytask:`T4517` (feature): ip: Add options to enable directed broadcast forwarding
+
+
+2022-07-07
+==========
+
+* :vytask:`T4456` (bug): NTP client in VRF tries to bind to interfaces outside VRF, logs many messages
+* :vytask:`T4509` (feature): Feature Request: DNS64
+
+
+2022-07-06
+==========
+
+* :vytask:`T4513` (bug): Webproxy monitor commands do not work
+* :vytask:`T4299` (feature): Firewall - GeoIP filtering
+
+
+2022-07-05
+==========
+
+* :vytask:`T4378` (bug): Unable to submit wildcard ("*.example.com") A or AAAA records in dns forwarder
+* :vytask:`T2683` (default): no dual stack in system static-host-mapping host-name 
+* :vytask:`T478` (feature): Firewall address group (multi and nesting)
+
+
+2022-07-04
+==========
+
+* :vytask:`T4501` (bug): Syslog-identifier does not work in event handler
+* :vytask:`T3600` (bug): DHCP Interface static route breaks PBR
+* :vytask:`T4498` (feature): bridge: Add option to enable/disable IGMP/MLD snooping
+
+
+2022-07-01
+==========
+
+* :vytask:`T2455` (bug): No support for the IPv6 VTI
+* :vytask:`T4490` (feature): BGP- warning message that AFI/SAFI is needed to establish the neighborship
+* :vytask:`T4489` (bug): MPLS sysctl not persistent for tunnel interfaces
+
+
+2022-06-29
+==========
+
+* :vytask:`T4477` (feature): router-advert: support RDNSS lifetime option
+
+
+2022-06-28
+==========
+
+* :vytask:`T4486` (bug): Container can't be deleted
+* :vytask:`T4473` (bug): Use container network without network declaration error
+* :vytask:`T4458` (feature): Firewall - add support for matching ip ttl in firewall rules
+* :vytask:`T3907` (feature): Firewall - Set log levels
+
+
+2022-06-27
+==========
+
+* :vytask:`T4484` (default): Firewall op-mode summary doesn't correctly handle address group containing ranges
+
+
+2022-06-25
+==========
+
+* :vytask:`T4482` (bug): dhcp: toggle of "dhcp-options no-default-route" has no effect
+* :vytask:`T4483` (feature): Upgrade fastnetmon to v1.2.2 community edition
+
+
+2022-06-22
+==========
+
+* :vytask:`T1748` (feature): vbash: beautify tab completion output/line breaks
+
+
+2022-06-20
+==========
+
+* :vytask:`T1856` (feature): Support configuring IPSec SA bytes
+
+
+2022-06-18
+==========
+
+* :vytask:`T4467` (bug): Validator Does Not Accept Signed Numbers
+
+
+2022-06-17
+==========
+
+* :vytask:`T4209` (bug): Firewall incorrect handler for recent count and time
+
+
+2022-06-16
+==========
+
+* :vytask:`T4352` (bug): wan-load balance - priority traffic rule doesn't work 
+
+
+2022-06-15
+==========
+
+* :vytask:`T4450` (feature): Route-map - Extend options for ip|ipv6 address match
+* :vytask:`T4449` (feature): Route-map - Extend options for ip next-hop match
+* :vytask:`T990` (feature): Make DNAT/SNAT a valid state in firewall rules.  
+
+
+2022-06-12
+==========
+
+* :vytask:`T4420` (feature): Feature Request: ocserv: show configured 2FA OTP key
+* :vytask:`T4380` (default): Feature Request: ocserv: 2FA OTP key generator in VyOS CLI
+
+
+2022-06-10
+==========
+
+* :vytask:`T4365` (bug): NAT - Error on setting up tables
+* :vytask:`T4465` (feature): node.def generation misses whitespace on multiple use of <path>
+
+
+2022-06-09
+==========
+
+* :vytask:`T4444` (default): sstp: Feature request. Port number changing support
+* :vytask:`T2580` (feature): Support for ip pools for ippoe
+
+
+2022-06-08
+==========
+
+* :vytask:`T4447` (bug): DHCPv6 prefix delegation `sla-id` limited to 128 
+
+
+2022-05-31
+==========
+
+* :vytask:`T4212` (default): PermissionError when generating/installing server Certificate (generate pki certificate sign ...)
+* :vytask:`T4199` (bug): Commit failed when setting icmpv6 type any
+* :vytask:`T4148` (bug): Firewall - Error messages not that clear as it were in old firewall
+* :vytask:`T3659` (bug): Configuration won't accept IPv6 addresses for site-to-site VPN tunnel prefixes/traffic selectors
+
+
+2022-05-30
+==========
+
+* :vytask:`T4315` (feature): Telegraf - Output to prometheus
+
+
+2022-05-29
+==========
+
+* :vytask:`T2473` (feature): Xml for EIGRP [conf_mode]
+
+
+2022-05-28
+==========
+
+* :vytask:`T4448` (feature): rip: add support for explicit version selection
+
+
+2022-05-26
+==========
+
+* :vytask:`T4442` (feature): HTTP API add action "reset"
+
+
+2022-05-25
+==========
+
+* :vytask:`T4410` (feature): Telegraf - Output to Splunk
+* :vytask:`T4382` (bug): Replacing legacy loadFile exposes missing steps in migration scripts and other errors
+
+
 2022-05-21
 ==========
 
@@ -450,7 +673,6 @@
 * :vytask:`T4164` (bug): PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`
 * :vytask:`T3970` (feature): Add support for op-mode PKI direct install into an active config session
 * :vytask:`T3828` (bug): ipsec: Subtle change in "pfs enable" behavior from equuleus -> sagitta
-* :vytask:`T4228` (bug): bond: OS error thrown when two bonds use the same member
 
 
 2022-02-05
@@ -681,7 +903,7 @@
 2021-12-28
 ==========
 
-* :vytask:`T3380` (bug): Show vpn ike sa with IPv6 remote peer
+* :vytask:`T3380` (bug): "show vpn ike sa" does not display IPv6 peers
 
 
 2021-12-27
@@ -728,7 +950,6 @@
 2021-12-22
 ==========
 
-* :vytask:`T4056` (bug): Traffic policy not set in live configuration
 * :vytask:`T3678` (bug): VyOS 1.4: Invalid error message while deleting ipsec vpn configuration
 * :vytask:`T3356` (feature): Script for remote file transfers
 
@@ -2169,7 +2390,7 @@
 ==========
 
 * :vytask:`T3313` (bug): ospfv3 interface missing options
-* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.191 / 5.10.113
+* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.204 / 5.10.129
 
 
 2021-02-15

docs/configexamples/autotest/DHCPRelay_through_GRE/DHCPRelay_through_GRE.rst

@@ -3,8 +3,8 @@ DHCP Relay trough GRE-Bridge
 ############################
 
 
-| Testdate: 2022-03-28
+| Testdate: 2022-07-11
-| Version: 1.4-rolling-202203280217
+| Version: 1.4-rolling-202207090632
 
 
 This simple structure shows how to configure a DHCP Relay over a GRE Bridge
@@ -77,14 +77,14 @@ Ping the Client from the DHCP Server.
 
    vyos@dhcp-server:~$ ping 192.168.0.30 count 4
    PING 192.168.0.30 (192.168.0.30) 56(84) bytes of data.
-   64 bytes from 192.168.0.30: icmp_seq=1 ttl=63 time=1.07 ms
+   64 bytes from 192.168.0.30: icmp_seq=1 ttl=63 time=1.29 ms
-   64 bytes from 192.168.0.30: icmp_seq=2 ttl=63 time=1.37 ms
+   64 bytes from 192.168.0.30: icmp_seq=2 ttl=63 time=1.32 ms
-   64 bytes from 192.168.0.30: icmp_seq=3 ttl=63 time=1.05 ms
+   64 bytes from 192.168.0.30: icmp_seq=3 ttl=63 time=1.31 ms
-   64 bytes from 192.168.0.30: icmp_seq=4 ttl=63 time=0.951 ms
+   64 bytes from 192.168.0.30: icmp_seq=4 ttl=63 time=1.31 ms
    
    --- 192.168.0.30 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
-   rtt min/avg/max/mdev = 0.951/1.108/1.367/0.155 ms
+   rtt min/avg/max/mdev = 1.291/1.308/1.321/0.010 ms
 
 
 And show all DHCP Leases
@@ -95,4 +95,4 @@ And show all DHCP Leases
    vyos@dhcp-server:~$ show dhcp server leases
    IP address    Hardware address    State    Lease start          Lease expiration     Remaining    Pool        Hostname
    ------------  ------------------  -------  -------------------  -------------------  -----------  ----------  ----------
-   192.168.0.30  00:50:79:66:68:05   active   2022/03/28 14:28:17  2022/03/29 14:28:17  23:59:17     DHCPTun100  VPCS
+   192.168.0.30  00:50:79:66:68:05   active   2022/07/11 19:37:30  2022/07/12 19:37:30  23:59:17     DHCPTun100  VPCS

docs/configexamples/autotest/L3VPN_EVPN/L3VPN_EVPN.rst

@@ -3,8 +3,8 @@
 L3VPN EVPN with VyOS
 ####################
 
-| Testdate: 2022-03-28
+| Testdate: 2022-07-11
-| Version: 1.4-rolling-202203280217
+| Version: 1.4-rolling-202207090632
 
 I spun up a new lab in EVE-NG, which represents this as the
 "Foo Bar - Service Provider Inc." that has 3 points of presence (PoP) in random
@@ -159,32 +159,32 @@ Show routes for all VRFs
           t - trapped, o - offload failure
    
    VRF blue:
-   C>* 10.1.1.0/24 is directly connected, br2000, 00:01:05
+   C>* 10.1.1.0/24 is directly connected, br2000, 00:01:07
-   B>* 10.1.2.0/24 [200/0] via 172.29.255.2, br2000 onlink, weight 1, 00:00:47
+   B>* 10.1.2.0/24 [200/0] via 172.29.255.2, br2000 onlink, weight 1, 00:00:48
-   B>* 10.1.3.0/24 [200/0] via 172.29.255.3, br2000 onlink, weight 1, 00:00:42
+   B>* 10.1.3.0/24 [200/0] via 172.29.255.3, br2000 onlink, weight 1, 00:00:44
    
    VRF default:
-   O   172.29.0.2/31 [110/1] is directly connected, eth1, weight 1, 00:01:02
+   O   172.29.0.2/31 [110/1] is directly connected, eth1, weight 1, 00:01:03
-   C>* 172.29.0.2/31 is directly connected, eth1, 00:01:04
+   C>* 172.29.0.2/31 is directly connected, eth1, 00:01:06
-   O>* 172.29.0.4/31 [110/2] via 172.29.0.3, eth1, weight 1, 00:00:39
+   O>* 172.29.0.4/31 [110/2] via 172.29.0.3, eth1, weight 1, 00:00:41
-     *                       via 172.29.0.7, eth3, weight 1, 00:00:39
+     *                       via 172.29.0.7, eth3, weight 1, 00:00:41
-   O   172.29.0.6/31 [110/1] is directly connected, eth3, weight 1, 00:01:02
+   O   172.29.0.6/31 [110/1] is directly connected, eth3, weight 1, 00:01:03
-   C>* 172.29.0.6/31 is directly connected, eth3, 00:01:05
+   C>* 172.29.0.6/31 is directly connected, eth3, 00:01:06
-   C>* 172.29.255.1/32 is directly connected, dum0, 00:01:06
+   C>* 172.29.255.1/32 is directly connected, dum0, 00:01:07
-   O>* 172.29.255.2/32 [110/20] via 172.29.0.3, eth1, weight 1, 00:00:48
+   O>* 172.29.255.2/32 [110/20] via 172.29.0.3, eth1, weight 1, 00:00:49
-   O>* 172.29.255.3/32 [110/20] via 172.29.0.7, eth3, weight 1, 00:00:38
+   O>* 172.29.255.3/32 [110/20] via 172.29.0.7, eth3, weight 1, 00:00:40
    
    VRF green:
-   C>* 10.3.1.0/24 is directly connected, br4000, 00:01:05
+   C>* 10.3.1.0/24 is directly connected, br4000, 00:01:07
-   B>* 10.3.3.0/24 [200/0] via 172.29.255.3, br4000 onlink, weight 1, 00:00:42
+   B>* 10.3.3.0/24 [200/0] via 172.29.255.3, br4000 onlink, weight 1, 00:00:44
    
    VRF mgmt:
-   S>* 0.0.0.0/0 [210/0] via 10.100.0.1, eth0, weight 1, 00:01:39
+   S>* 0.0.0.0/0 [210/0] via 10.100.0.1, eth0, weight 1, 00:01:42
-   C>* 10.100.0.0/24 is directly connected, eth0, 00:01:40
+   C>* 10.100.0.0/24 is directly connected, eth0, 00:01:42
    
    VRF red:
-   C>* 10.2.1.0/24 is directly connected, br3000, 00:01:04
+   C>* 10.2.1.0/24 is directly connected, br3000, 00:01:06
-   B>* 10.2.2.0/24 [200/0] via 172.29.255.2, br3000 onlink, weight 1, 00:00:47
+   B>* 10.2.2.0/24 [200/0] via 172.29.255.2, br3000 onlink, weight 1, 00:00:48
 
 Information about Ethernet Virtual Private Networks
 
@@ -209,7 +209,7 @@ Information about Ethernet Virtual Private Networks
    Route Distinguisher: 10.1.2.1:4
    *>i[5]:[0]:[24]:[10.1.2.0]
                        172.29.255.2             0    100      0 ?
-                       RT:100:2000 ET:8 Rmac:02:18:c8:f9:1a:d1
+                       RT:100:2000 ET:8 Rmac:12:22:ff:6c:a5:6f
    Route Distinguisher: 10.1.3.1:4
    *>i[5]:[0]:[24]:[10.1.3.0]
                        172.29.255.3             0    100      0 ?
@@ -221,7 +221,7 @@ Information about Ethernet Virtual Private Networks
    Route Distinguisher: 10.2.2.1:5
    *>i[5]:[0]:[24]:[10.2.2.0]
                        172.29.255.2             0    100      0 ?
-                       RT:100:3000 ET:8 Rmac:36:17:df:67:bd:bc
+                       RT:100:3000 ET:8 Rmac:1e:1b:a2:af:7d:62
    Route Distinguisher: 10.3.1.1:7
    *> [5]:[0]:[24]:[10.3.1.0]
                        172.29.255.1             0         32768 ?
@@ -248,4 +248,4 @@ the EVPN network we need to run
        172.29.255.1 (metric 20) from 172.29.255.1 (172.29.255.1)
          Origin incomplete, metric 0, localpref 100, valid, internal, best (First path received)
          Extended Community: RT:100:4000 ET:8 Rmac:50:00:00:01:00:06
-         Last update: Mon Mar 28 15:46:02 2022
+         Last update: Mon Jul 11 19:30:13 2022

docs/configexamples/autotest/Wireguard/Wireguard.rst

@@ -3,8 +3,8 @@ Wireguard
 #########
 
 
-| Testdate: 2022-03-28
+| Testdate: 2022-07-11
-| Version: 1.4-rolling-202203280217
+| Version: 1.4-rolling-202207090632
 
 
 This simple structure show how to connect two offices. One remote branch and the
@@ -45,8 +45,8 @@ After this, the public key can be displayed, to save for later.
 .. code-block:: none
 
    vyos@central:~$ generate pki wireguard
-   Private key: 2BmTwXO1NpakOsa2ynnIqW3c1s3aT/gVtCUJnecefXY=
+   Private key: EIvN662aSS0Ai9VdsgSioq2fxUXxDTsb/ObsbI8jRlY=
-   Public key: BU+4Dyr3VldI2DJiBji50Egqr58071puYdXhoyRvuH8=
+   Public key: g2/u7oMX4l5klNDWpQvYmNiCNPoqS7qzeWs+g4KPEEc=
 
 
 After you have each public key. The wireguard interfaces can be setup.
@@ -102,11 +102,11 @@ And ping the Branch PC from your central router to check the response.
 
    vyos@central:~$ ping 10.0.2.100 count 4
    PING 10.0.2.100 (10.0.2.100) 56(84) bytes of data.
-   64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.580 ms
+   64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.752 ms
-   64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=0.862 ms
+   64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=1.37 ms
-   64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=0.754 ms
+   64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=1.09 ms
-   64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=0.669 ms
+   64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=1.09 ms
    
    --- 10.0.2.100 ping statistics ---
-   4 packets transmitted, 4 received, 0% packet loss, time 3094ms
+   4 packets transmitted, 4 received, 0% packet loss, time 3053ms
-   rtt min/avg/max/mdev = 0.580/0.716/0.862/0.104 ms
+   rtt min/avg/max/mdev = 0.752/1.076/1.372/0.219 ms

docs/configexamples/autotest/Wireguard/_include/branch.conf

@@ -1,14 +1,14 @@
 set interface ethernet eth2 address 10.0.2.254/24
 set interface ethernet eth1 address 198.51.100.2/24
 
-set interfaces wireguard wg01 private-key 'uNz9h7kM5t1Bz5NMk1WscVbtzY1URwm6qK2gnkslp08='
+set interfaces wireguard wg01 private-key '4FZyoJhU7aYIFlPsn1AWbgKMPVbV37+6ZnRXa3MhqUY='
 set interfaces wireguard wg01 address 192.168.0.2/24
 set interfaces wireguard wg01 description 'VPN-to-central'
 set interfaces wireguard wg01 peer central allowed-ips 10.0.1.0/24
 set interfaces wireguard wg01 peer central allowed-ips 192.168.0.0/24
 set interfaces wireguard wg01 peer central address 198.51.100.1
 set interfaces wireguard wg01 peer central port 51820
-set interfaces wireguard wg01 peer central public-key 'BU+4Dyr3VldI2DJiBji50Egqr58071puYdXhoyRvuH8='
+set interfaces wireguard wg01 peer central public-key 'g2/u7oMX4l5klNDWpQvYmNiCNPoqS7qzeWs+g4KPEEc='
 set interfaces wireguard wg01 port 51820
 
 set protocols static route 10.0.1.0/24 interface wg01

docs/configexamples/autotest/Wireguard/_include/central.conf

@@ -1,14 +1,14 @@
 set interface ethernet eth2 address 10.0.1.254/24
 set interface ethernet eth1 address 198.51.100.1/24
 
-set interfaces wireguard wg01 private-key '2BmTwXO1NpakOsa2ynnIqW3c1s3aT/gVtCUJnecefXY='
+set interfaces wireguard wg01 private-key 'EIvN662aSS0Ai9VdsgSioq2fxUXxDTsb/ObsbI8jRlY='
 set interfaces wireguard wg01 address 192.168.0.1/24
 set interfaces wireguard wg01 description 'VPN-to-Branch'
 set interfaces wireguard wg01 peer branch allowed-ips 10.0.2.0/24
 set interfaces wireguard wg01 peer branch allowed-ips 192.168.0.0/24
 set interfaces wireguard wg01 peer branch address 198.51.100.2
 set interfaces wireguard wg01 peer branch port 51820
-set interfaces wireguard wg01 peer branch public-key 'wgCmJKRpV4bm9VtQWc1ScKSojTSIVIkrqhYKUPxIgSA='
+set interfaces wireguard wg01 peer branch public-key '7CQshV+BLlSvdoAkjHOcBTCgGZv67czwEIJn945j7gE='
 set interfaces wireguard wg01 port 51820
 
 set protocols static route 10.0.2.0/24 interface wg01

docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst

@@ -4,8 +4,8 @@
 Tunnelbroker.net (IPv6)
 #######################
 
-| Testdate: 2022-03-28
+| Testdate: 2022-07-11
-| Version: 1.4-rolling-202203280217
+| Version: 1.4-rolling-202207090632
 
 This guide walks through the setup of https://www.tunnelbroker.net/ for an
 IPv6 Tunnel.
@@ -61,14 +61,14 @@ Now you should be able to ping a public IPv6 Address
 
    vyos@vyos-wan:~$ ping 2001:470:20::2 count 4
    PING 2001:470:20::2(2001:470:20::2) 56 data bytes
-   64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=76.9 ms
+   64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=31.4 ms
-   64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=30.2 ms
+   64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=30.5 ms
-   64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.3 ms
+   64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.8 ms
-   64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=30.1 ms
+   64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=90.5 ms
    
    --- 2001:470:20::2 ping statistics ---
-   4 packets transmitted, 4 received, 0% packet loss, time 3006ms
+   4 packets transmitted, 4 received, 0% packet loss, time 3005ms
-   rtt min/avg/max/mdev = 30.090/41.872/76.928/20.239 ms
+   rtt min/avg/max/mdev = 30.519/45.797/90.546/25.837 ms
 
 
 Assuming the pings are successful, you need to add some DNS servers.
@@ -85,14 +85,14 @@ You should now be able to ping something by IPv6 DNS name:
 
    vyos@vyos-wan:~$ ping tunnelbroker.net count 4
    PING tunnelbroker.net(tunnelbroker.net (2001:470:0:63::2)) 56 data bytes
-   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=54 time=179 ms
+   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=48 time=182 ms
-   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=54 time=179 ms
+   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=48 time=234 ms
-   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=54 time=207 ms
+   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=48 time=182 ms
-   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=54 time=179 ms
+   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=48 time=183 ms
    
    --- tunnelbroker.net ping statistics ---
-   4 packets transmitted, 4 received, 0% packet loss, time 3006ms
+   4 packets transmitted, 4 received, 0% packet loss, time 3005ms
-   rtt min/avg/max/mdev = 178.648/185.816/207.161/12.323 ms
+   rtt min/avg/max/mdev = 182.224/195.335/233.869/22.248 ms
 
 
 *****************
@@ -148,14 +148,14 @@ Now the Client is able to ping a public IPv6 address
 
    vyos@client:~$ ping 2001:470:20::2 count 4
    PING 2001:470:20::2(2001:470:20::2) 56 data bytes
-   64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=66.0 ms
+   64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=60.3 ms
-   64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=30.3 ms
+   64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=31.3 ms
-   64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=29.7 ms
+   64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=31.7 ms
-   64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=57.5 ms
+   64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=104 ms
    
    --- 2001:470:20::2 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
-   rtt min/avg/max/mdev = 29.658/45.867/66.049/16.177 ms
+   rtt min/avg/max/mdev = 31.331/56.908/104.282/29.764 ms
 
 
 Multiple LAN/DMZ Setup

docs/configexamples/ha.rst

@@ -208,7 +208,7 @@ peer-address.
    set high-availability vrrp group int peer-address '10.200.201.3'
    set high-availability vrrp group int no-preempt
    set high-availability vrrp group int priority '200'
-   set high-availability vrrp group int virtual-address '10.200.201.1/24'
+   set high-availability vrrp group int address '10.200.201.1/24'
    set high-availability vrrp group int vrid '201'
 
 
@@ -222,7 +222,7 @@ peer-address.
    set high-availability vrrp group int peer-address '10.200.201.2'
    set high-availability vrrp group int no-preempt
    set high-availability vrrp group int priority '100'
-   set high-availability vrrp group int virtual-address '10.200.201.1/24'
+   set high-availability vrrp group int address '10.200.201.1/24'
    set high-availability vrrp group int vrid '201'
 
 
@@ -244,7 +244,7 @@ enterprise-wide.
    set high-availability vrrp group public peer-address '203.0.113.3'
    set high-availability vrrp group public no-preempt
    set high-availability vrrp group public priority '200'
-   set high-availability vrrp group public virtual-address '203.0.113.1/24'
+   set high-availability vrrp group public address '203.0.113.1/24'
    set high-availability vrrp group public vrid '113'
 
 **router2**
@@ -257,7 +257,7 @@ enterprise-wide.
    set high-availability vrrp group public peer-address '203.0.113.2'
    set high-availability vrrp group public no-preempt
    set high-availability vrrp group public priority '100'
-   set high-availability vrrp group public virtual-address '203.0.113.1/24'
+   set high-availability vrrp group public address '203.0.113.1/24'
    set high-availability vrrp group public vrid '113'
 
 

docs/configexamples/l3vpn-hub-and-spoke.rst

@@ -104,9 +104,10 @@ Configuration
 Step-1: Configuring IGP and enabling MPLS LDP
 =============================================
 
-At the first step we need to configure the IP/MPLS backbone network using OSPF as 
+At the first step we need to configure the IP/MPLS backbone network using OSPF 
-IGP protocol and LDP as label-switching protocol for the base connectivity between 
+as IGP protocol and LDP as label-switching protocol for the base connectivity 
-**P** (rovider), **P** (rovider) **E** (dge) and **R** (oute) **R** (eflector) nodes:
+between **P** (rovider), **P** (rovider) **E** (dge) and **R** (oute) **R** 
+(eflector) nodes:
 
 - VyOS-P1:
 
@@ -333,12 +334,9 @@ VPN (L3VPN) routes between them:
    set protocols bgp neighbor 10.0.0.7 peer-group 'RR_VPNv4'
    set protocols bgp neighbor 10.0.0.8 address-family ipv4-vpn route-reflector-client
    set protocols bgp neighbor 10.0.0.8 peer-group 'RR_VPNv4'
-   set protocols bgp neighbor 10.0.0.9 address-family ipv4-vpn route-reflector-client
-   set protocols bgp neighbor 10.0.0.9 peer-group 'RR_VPNv4'
    set protocols bgp neighbor 10.0.0.10 address-family ipv4-vpn route-reflector-client
    set protocols bgp neighbor 10.0.0.10 peer-group 'RR_VPNv4'
    set protocols bgp parameters cluster-id '10.0.0.1'
-   set protocols bgp parameters default no-ipv4-unicast
    set protocols bgp parameters log-neighbor-changes
    set protocols bgp parameters router-id '10.0.0.1'
    set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@@ -353,12 +351,9 @@ VPN (L3VPN) routes between them:
    set protocols bgp neighbor 10.0.0.7 peer-group 'RR_VPNv4'
    set protocols bgp neighbor 10.0.0.8 address-family ipv4-vpn route-reflector-client
    set protocols bgp neighbor 10.0.0.8 peer-group 'RR_VPNv4'
-   set protocols bgp neighbor 10.0.0.9 address-family ipv4-vpn route-reflector-client
-   set protocols bgp neighbor 10.0.0.9 peer-group 'RR_VPNv4'
    set protocols bgp neighbor 10.0.0.10 address-family ipv4-vpn route-reflector-client
    set protocols bgp neighbor 10.0.0.10 peer-group 'RR_VPNv4'
    set protocols bgp parameters cluster-id '10.0.0.1'
-   set protocols bgp parameters default no-ipv4-unicast
    set protocols bgp parameters log-neighbor-changes
    set protocols bgp parameters router-id '10.0.0.2'
    set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@@ -373,7 +368,6 @@ VPN (L3VPN) routes between them:
    set protocols bgp neighbor 10.0.0.1 peer-group 'RR_VPNv4'
    set protocols bgp neighbor 10.0.0.2 address-family ipv4-vpn nexthop-self
    set protocols bgp neighbor 10.0.0.2 peer-group 'RR_VPNv4'
-   set protocols bgp parameters default no-ipv4-unicast
    set protocols bgp parameters log-neighbor-changes
    set protocols bgp parameters router-id '10.0.0.7'
    set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@@ -388,7 +382,6 @@ VPN (L3VPN) routes between them:
    set protocols bgp neighbor 10.0.0.1 peer-group 'RR_VPNv4'
    set protocols bgp neighbor 10.0.0.2 address-family ipv4-vpn nexthop-self
    set protocols bgp neighbor 10.0.0.2 peer-group 'RR_VPNv4'
-   set protocols bgp parameters default no-ipv4-unicast
    set protocols bgp parameters log-neighbor-changes
    set protocols bgp parameters router-id '10.0.0.8'
    set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@@ -403,7 +396,6 @@ VPN (L3VPN) routes between them:
    set protocols bgp neighbor 10.0.0.1 peer-group 'RR_VPNv4'
    set protocols bgp neighbor 10.0.0.2 address-family ipv4-vpn nexthop-self
    set protocols bgp neighbor 10.0.0.2 peer-group 'RR_VPNv4'
-   set protocols bgp parameters default no-ipv4-unicast
    set protocols bgp parameters log-neighbor-changes
    set protocols bgp parameters router-id '10.0.0.10'
    set protocols bgp peer-group RR_VPNv4 remote-as '65001'
@@ -504,13 +496,13 @@ configured L3VPN parameters.
    set interfaces ethernet eth0 address '10.50.50.2/24'
    
    # BGP for peering with PE
-   set protocols bgp 65035 address-family ipv4-unicast network 10.0.0.80/32
+   set protocols bgp local-as 65035 
-   set protocols bgp 65035 neighbor 10.50.50.1 ebgp-multihop '2'
+   set protocols bgp address-family ipv4-unicast network 10.0.0.80/32
-   set protocols bgp 65035 neighbor 10.50.50.1 remote-as '65001'
+   set protocols bgp neighbor 10.50.50.1 ebgp-multihop '2'
-   set protocols bgp 65035 neighbor 10.50.50.1 update-source 'eth0'
+   set protocols bgp neighbor 10.50.50.1 remote-as '65001'
-   set protocols bgp 65035 parameters default no-ipv4-unicast
+   set protocols bgp neighbor 10.50.50.1 update-source 'eth0'
-   set protocols bgp 65035 parameters log-neighbor-changes
+   set protocols bgp parameters log-neighbor-changes
-   set protocols bgp 65035 parameters router-id '10.50.50.2'
+   set protocols bgp parameters router-id '10.50.50.2'
 
 - VyOS-CE1-HUB:
 
@@ -521,14 +513,14 @@ configured L3VPN parameters.
    set interfaces ethernet eth0 address '10.80.80.2/24'
    
    # BGP for peering with PE
-   set protocols bgp 65035 address-family ipv4-unicast network 10.0.0.100/32
+   set protocols bgp local-as 65035 
-   set protocols bgp 65035 address-family ipv4-unicast redistribute connected
+   set protocols bgp address-family ipv4-unicast network 10.0.0.100/32
-   set protocols bgp 65035 neighbor 10.80.80.1 ebgp-multihop '2'
+   set protocols bgp address-family ipv4-unicast redistribute connected
-   set protocols bgp 65035 neighbor 10.80.80.1 remote-as '65001'
+   set protocols bgp neighbor 10.80.80.1 ebgp-multihop '2'
-   set protocols bgp 65035 neighbor 10.80.80.1 update-source 'eth0'
+   set protocols bgp neighbor 10.80.80.1 remote-as '65001'
-   set protocols bgp 65035 parameters default no-ipv4-unicast
+   set protocols bgp neighbor 10.80.80.1 update-source 'eth0'
-   set protocols bgp 65035 parameters log-neighbor-changes
+   set protocols bgp parameters log-neighbor-changes
-   set protocols bgp 65035 parameters router-id '10.80.80.2'
+   set protocols bgp parameters router-id '10.80.80.2'
 
 - VyOS-CE2-SPOKE:
 
@@ -539,13 +531,13 @@ configured L3VPN parameters.
    set interfaces ethernet eth0 address '10.60.60.2/24'
    
    # BGP for peering with PE 
-   set protocols bgp 65035 address-family ipv4-unicast network 10.0.0.90/32
+   set protocols bgp local-as 65035 
-   set protocols bgp 65035 neighbor 10.60.60.1 ebgp-multihop '2'
+   set protocols bgp address-family ipv4-unicast network 10.0.0.90/32
-   set protocols bgp 65035 neighbor 10.60.60.1 remote-as '65001'
+   set protocols bgp neighbor 10.60.60.1 ebgp-multihop '2'
-   set protocols bgp 65035 neighbor 10.60.60.1 update-source 'eth0'
+   set protocols bgp neighbor 10.60.60.1 remote-as '65001'
-   set protocols bgp 65035 parameters default no-ipv4-unicast
+   set protocols bgp neighbor 10.60.60.1 update-source 'eth0'
-   set protocols bgp 65035 parameters log-neighbor-changes
+   set protocols bgp parameters log-neighbor-changes
-   set protocols bgp 65035 parameters router-id '10.60.60.2'
+   set protocols bgp parameters router-id '10.60.60.2'
 
 
 

docs/configuration/container/index.rst

@@ -1,34 +1,19 @@
-:lastproofread: 2021-06-30
+:lastproofread: 2022-06-10
-
-.. include:: /_include/need_improvement.txt
-
-.. _container:
 
 #########
 Container
 #########
 
+The VyOS container implementation is based on `Podman<https://podman.io/>` as
+a deamonless container engine.
+
 *************
 Configuration
 *************
 
-.. cfgcmd:: set container <name>
+.. cfgcmd:: set container name <name> image        
-
-   Set a named container.
-
-.. cfgcmd:: set container network <networkname>
-
-    Creates a named container network
-
-.. cfgcmd:: set container registry <name>
-
-    Adds registry to list of unqualified-search-registries. By default, for any
-    image that does not include the registry in the image name, Vyos will use 
-    docker.io as the container registry. 
-
-.. cfgcmd:: set container <name> image        
     
-    Sets the image name in the hub registry 
+    Sets the image name in the hub registry
 
     .. code-block:: none
 
@@ -42,7 +27,7 @@ Configuration
 
       set container name mysql-server image quay.io/mysql:8.0
 
-.. cfgcmd:: set container <name> allow-host-networks
+.. cfgcmd:: set container name <name> allow-host-networks
     
     Allow host networking in a container. The network stack of the container is 
     not isolated from the host and will use the host IP.
@@ -50,13 +35,25 @@ Configuration
     The following commands translate to "--net host" when the container
     is created 
 
-    .. note:: **allow-host-networks** cannot be used with **network** 
+    .. note:: **allow-host-networks** cannot be used with **network**
 
-.. cfgcmd:: set container <name> description <text>
+.. cfgcmd:: set container name <name> network <networkname> 
 
-    Sets the container description
+    Attaches user-defined network to a container.
+    Only one network must be specified and must already exist.
 
-.. cfgcmd:: set container <name> environment '<key>' value '<value>'
+.. cfgcmd:: set container name <name> network <networkname> address <address> 
+
+    Optionally set a specific static IPv4 or IPv6 address for the container.
+    This address must be within the named network prefix.
+
+    .. note:: The first IP in the container network is reserved by the engine and cannot be used
+
+.. cfgcmd:: set container name <name> description <text>
+
+    Set a container description
+
+.. cfgcmd:: set container name <name> environment <key> value <value>
 
     Add custom environment variables.
     Multiple environment variables are allowed.
@@ -65,35 +62,25 @@ Configuration
 
     .. code-block:: none
 
-        set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix'
+        set container name mysql-server environment MYSQL_DATABASE value 'zabbix'
-        set container name mysql-server environment 'MYSQL_USER' value 'zabbix'
+        set container name mysql-server environment MYSQL_USER value 'zabbix'
-        set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
+        set container name mysql-server environment MYSQL_PASSWORD value 'zabbix_pwd'
-        set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
+        set container name mysql-server environment MYSQL_ROOT_PASSWORD value 'root_pwd'
 
-.. cfgcmd:: set container <name> network <networkname> 
+.. cfgcmd:: set container name <name> port <portname> source <portnumber>
+.. cfgcmd:: set container name <name> port <portname> destination <portnumber>
+.. cfgcmd:: set container name <name> port <portname> protocol <tcp | udp>
 
-    Attaches user-defined network to a container.
+    Publish a port for the container.
-    Only one network must be specified and must already exist.
-
-    Optionally a specific static IPv4 or IPv6 address can be set for
-    the container. This address must be within the named network.
-
-    .. code-block:: none
-
-        set container <name> network <networkname> address <address> 
-
-    .. note:: The first IP in the container network is reserved by the engine and cannot be used
-
-.. cfgcmd:: set container <name> port <portname> [source | destination ] <portnumber>
-
-    Publishes a port for the container
 
     .. code-block:: none
 
         set container name zabbix-web-nginx-mysql port http source 80
         set container name zabbix-web-nginx-mysql port http destination 8080
+        set container name zabbix-web-nginx-mysql port http protocol tcp
 
-.. cfgcmd:: set container <name> volume <volumename> [source | destination ] <path>
+.. cfgcmd:: set container name <name> volume <volumename> source <path>
+.. cfgcmd:: set container name <name> volume <volumename> destination <path>
 
     Mount a volume into the container
 
@@ -102,6 +89,85 @@ Configuration
         set container name coredns volume 'corefile' source /config/coredns/Corefile
         set container name coredns volume 'corefile' destination /etc/Corefile
 
+.. cfgcmd:: set container name <name> restart [no | on-failure | always]
+
+   Set the restart behavior of the container.
+
+   - **no**: Do not restart containers on exit
+   - **on-failure**: Restart containers when they exit with a non-zero exit code, retrying indefinitely (default)
+   - **always**: Restart containers when they exit, regardless of status, retrying indefinitely
+
+.. cfgcmd:: set container name <name> memory <MB>
+   
+   Constrain the memory available to the container.
+   
+   Default is 512 MB. Use 0 MB for unlimited memory.
+
+.. cfgcmd:: set container name <name> device <devicename> source <path>
+.. cfgcmd:: set container name <name> device <devicename> destination <path>
+
+   Add a host device to the container.
+
+.. cfgcmd:: container name <name> cap-add <text>
+
+   Set container capabilities or permissions.
+
+   - **net-admin**: Network operations (interface, firewall, routing tables)
+   - **net-bind-service**: Bind a socket to privileged ports (port numbers less than 1024)
+   - **net-raw**: Permission to create raw network sockets
+   - **setpcap**: Capability sets (from bounded or inherited set)
+   - **sys-admin**: Administation operations (quotactl, mount, sethostname, setdomainame)
+   - **sys-time**: Permission to set system clock
+
+.. cfgcmd:: set container name <name> disable
+   
+   Disable a container.
+
+.. cfgcmd:: set container network <networkname>
+
+    Creates a named container network
+
+.. cfgcmd:: set container registry <name>
+
+    Adds registry to list of unqualified-search-registries. By default, for any
+    image that does not include the registry in the image name, Vyos will use 
+    docker.io as the container registry.
+
+
+******************
+Operation Commands
+******************
+
+.. opcmd:: add container image <containername>
+    
+    Pull a new image for container
+
+.. opcmd:: show container
+
+    Show the list of all active containers.
+
+.. opcmd:: show container image
+    
+    Show the local container images.
+
+.. opcmd:: show container log <containername>
+
+    Show logs from a given container
+
+.. opcmd:: show container network
+
+    Show a list available container networks
+
+.. opcmd:: restart container <containername>
+
+    Restart a given container
+
+.. opcmd:: update container image <containername>
+
+    Update container image
+
+
+
 *********************
 Example Configuration
 *********************

docs/configuration/firewall/index.rst

@@ -264,7 +264,7 @@ the action of the rule will be executed.
 
 .. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject |
    accept]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop | 
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop |
    reject | accept]
 
    This required setting defines the action of the current rule.
@@ -275,11 +275,18 @@ the action of the rule will be executed.
    Provide a description for each rule.
 
 .. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable | 
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
    enable]
 
    Enable or disable logging for the matched packet.
 
+.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg |
+   alert | crit | err | warn | notice | info | debug]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg |
+   alert | crit | err | warn | notice | info | debug]
+
+   Define log-level. Only applicable if rule log is enable.
+
 .. cfgcmd:: set firewall name <name> rule <1-999999> disable
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
 
@@ -316,6 +323,32 @@ There are a lot of matching criteria against which the package can be tested.
       set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
       set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
 
+.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
+   <country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
+   country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
+   inverse-match
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
+   country-code <country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
+   inverse-match
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
+   country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
+   inverse-match
+
+Match IP addresses based on its geolocation.
+More info: `geoip matching
+<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
+
+Use inverse-match to match anything except the given country-codes.
+
+Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
+permits redistribution so we can include a database in images(~3MB
+compressed). Includes cron script (manually callable by op-mode update
+geoip) to keep database and rules updated.
 
 .. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
    <mac-address>
@@ -355,37 +388,40 @@ There are a lot of matching criteria against which the package can be tested.
       set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
 
 .. cfgcmd:: set firewall name <name> rule <1-999999> source group
-   address-group <name>
+   address-group <name | !name>
 .. cfgcmd:: set firewall name <name> rule <1-999999> destination group
-   address-group <name>
+   address-group <name | !name>
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
-   address-group <name>
+   address-group <name | !name>
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
-   address-group <name>
+   address-group <name | !name>
 
-   Use a specific address-group
+   Use a specific address-group. Prepend character '!' for inverted matching
+   criteria.
 
 .. cfgcmd:: set firewall name <name> rule <1-999999> source group
-   network-group <name>
+   network-group <name | !name>
 .. cfgcmd:: set firewall name <name> rule <1-999999> destination group
-   network-group <name>
+   network-group <name | !name>
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
-   network-group <name>
+   network-group <name | !name>
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
-   network-group <name>
+   network-group <name | !name>
 
-   Use a specific network-group
+   Use a specific network-group. Prepend character '!' for inverted matching
+   criteria.
 
 .. cfgcmd:: set firewall name <name> rule <1-999999> source group
-   port-group <name>
+   port-group <name | !name>
 .. cfgcmd:: set firewall name <name> rule <1-999999> destination group
-   port-group <name>
+   port-group <name | !name>
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
-   port-group <name>
+   port-group <name | !name>
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
-   port-group <name>
+   port-group <name | !name>
 
-   Use a specific port-group
+   Use a specific port-group. Prepend character '!' for inverted matching
+   criteria.
 
 .. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
    <0-255> | all | tcp_udp]
@@ -423,6 +459,26 @@ There are a lot of matching criteria against which the package can be tested.
 
    Match against the state of a packet.
 
+.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
+
+   Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
+   'greater than', and 'lt' stands for 'less than'.
+
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
+   lt> <0-255>
+
+   Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
+   'greater than', and 'lt' stands for 'less than'.
+   
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second | 
+   minute | hour>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second | 
+   minute | hour>
+
+   Match when 'count' amount of connections are seen within 'time'. These 
+   matching criteria can be used to block brute-force attempts.
 
 ***********************************
 Applying a Rule-Set to an Interface
@@ -495,10 +551,10 @@ Applying a Rule-Set to a Zone
 Before you are able to apply a rule-set to a zone you have to create the zones
 first.
 
-It helps to think of the syntax as: (see below). The 'rule-set' should be 
+It helps to think of the syntax as: (see below). The 'rule-set' should be
 written from the perspective of: *Source Zone*-to->*Destination Zone*
 
-.. cfgcmd::  set zone-policy zone <Destination Zone> from <Source Zone> 
+.. cfgcmd::  set zone-policy zone <Destination Zone> from <Source Zone>
    firewall name <rule-set>
 
 .. cfgcmd::  set zone-policy zone <name> from <name> firewall name
@@ -786,3 +842,11 @@ Example Partial Config
          }
      }
   }
+
+
+Update geoip database
+=====================
+
+.. opcmd:: update geoip
+
+   Command used to update GeoIP database and firewall sets.

docs/configuration/interfaces/bridge.rst

@@ -78,7 +78,11 @@ Bridge Options
 
 .. cfgcmd:: set interfaces bridge <interface> igmp querier
 
-   Enable IGMP querier
+   Enable IGMP and MLD querier.
+
+.. cfgcmd:: set interfaces bridge <interface> igmp snooping
+
+   Enable IGMP and MLD snooping.
 
 .. _stp:
 

docs/configuration/interfaces/openvpn.rst

@@ -332,7 +332,7 @@ before using under the openvpn interface configuration.
 
 Now we need to specify the server network settings. In all cases we need to
 specify the subnet for client tunnel endpoints. Since we want clients to access
-a specific network behind out router, we will use a push-route option for
+a specific network behind our router, we will use a push-route option for
 installing that route on clients.
 
 .. code-block:: none

docs/configuration/interfaces/wireless.rst

@@ -590,3 +590,24 @@ To get it to work as an access point with this configuration you will need
 to set up a DHCP server to work with that network. You can - of course - also
 bridge the Wireless interface with any configured bridge
 (:ref:`bridge-interface`) on the system.
+
+.. _wireless-interface-intel-ax200:
+
+Intel AX200
+===========
+
+The Intel AX200 card does not work out of the box in AP mode, see
+https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can
+still put this card into AP mode using the following configuration:
+
+.. stop_vyoslinter
+.. code-block:: none
+
+  set interfaces wireless wlan0 channel '1'
+  set interfaces wireless wlan0 country-code 'us'
+  set interfaces wireless wlan0 mode 'n'
+  set interfaces wireless wlan0 physical-device 'phy0'
+  set interfaces wireless wlan0 ssid 'VyOS'
+  set interfaces wireless wlan0 type 'access-point'
+
+.. start_vyoslinter

docs/configuration/policy/route-map.rst

@@ -82,11 +82,26 @@ Route Map
 
    IP next-hop of route to match, based on access-list.
 
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
+   address <x.x.x.x>
+
+   IP next-hop of route to match, based on ip address.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
+   prefix-len <0-32>
+
+   IP next-hop of route to match, based on prefix length.
+
 .. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
    prefix-list <text>
 
    IP next-hop of route to match, based on prefix-list.
 
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
+   type <blackhole>
+
+   IP next-hop of route to match, based on type.
+
 .. cfgcmd:: set policy route-map <text> rule <1-65535> match ip route-source
    access-list <1-2699>
 

docs/configuration/protocols/bgp.rst

@@ -177,7 +177,7 @@ process. The BGP process starts when the first neighbor is configured.
 .. cfgcmd:: set protocols bgp local-as <asn>
 
   Set local autonomous system number that this router represents. This is a
-  a mandatory option!
+  mandatory option!
 
 Peers Configuration
 -------------------
@@ -431,7 +431,7 @@ Peer Parameters
 
    This command enforces Generalized TTL Security Mechanism (GTSM),
    as specified in :rfc:`5082`. With this command, only neighbors
-   that are the specified number of hops away will be allowed to
+   that are specified number of hops away will be allowed to
    become neighbors. The number of hops range is 1 to 254. This
    command is mutually exclusive with :cfgcmd:`ebgp-multihop`.
 
@@ -563,11 +563,6 @@ Common parameters
    Path (both AS number and AS path length), Origin code, MED, IGP
    metric. Also, the next hop address for each path must be different.
 
-.. cfgcmd:: set protocols bgp parameters default no-ipv4-unicast
-
-   This command allows the user to specify that IPv4 peering is turned off by
-   default.
-
 .. cfgcmd:: set protocols bgp parameters log-neighbor-changes
 
    This command enable logging neighbor up/down changes and reset reason.
@@ -984,7 +979,7 @@ Show
 
 .. opcmd:: show ip bgp filter-list <name>
 
-   This command displays BGP routes allowed by by the specified AS Path
+   This command displays BGP routes allowed by the specified AS Path
    access list.
 
 .. opcmd:: show <ip|ipv6> bgp neighbors <address> advertised-routes

docs/configuration/service/broadcast-relay.rst

@@ -28,6 +28,11 @@ Configuration
    want to receive/relay packets on both `eth1` and `eth2` both interfaces need
    to be added.
 
+.. cfgcmd:: set service broadcast-relay id <n> address <ipv4-address>
+
+   Set the source IP of forwarded packets, otherwise original senders address
+   is used.
+
 .. cfgcmd:: set service broadcast-relay id <n> port <port>
 
    The UDP port number used by your apllication. It is mandatory for this kind

docs/configuration/service/conntrack-sync.rst

@@ -114,11 +114,11 @@ Operation
     conntrack is not enabled. To enable conntrack, just create a NAT or a firewall
     rule. :cfgcmd:`set firewall state-policy established action accept`
 
-.. opcmd:: show conntrack-sync external-cache
+.. opcmd:: show conntrack-sync cache external
 
   Show connection syncing external cache entries
 
-.. opcmd:: show conntrack-sync internal-cache
+.. opcmd:: show conntrack-sync cache internal
 
   Show connection syncing internal cache entries
 

docs/configuration/service/eventhandler.rst

@@ -0,0 +1,127 @@
+.. _event-handler:
+
+#############
+Event Handler
+#############
+
+*********************************
+Event Handler Technology Overview
+*********************************
+
+Event handler allows you to execute scripts when a string that matches a regex or a regex with 
+a service name appears in journald logs. You can pass variables, arguments, and a full matching string to the script.
+
+
+******************************
+How to configure Event Handler
+******************************
+
+    `1. Create an event handler`_
+
+    `2. Add regex to the script`_
+
+    `3. Add a full path to the script`_
+
+    `4. Add optional parameters`_
+
+*********************************
+Event Handler Configuration Steps
+*********************************
+
+1. Create an event handler
+==========================
+
+    .. cfgcmd:: set service event-handler event <event-handler name>
+
+    This is an optional command because the event handler will be automatically created after any of the next commands.
+
+
+2. Add regex to the script
+===========================================
+
+    .. cfgcmd:: set service event-handler event <event-handler name> filter pattern <regex>   
+
+    This is a mandatory command. Sets regular expression to match against log string message.
+    
+    .. note:: The regular expression matches if and only if the entire string matches the pattern.
+
+
+
+3. Add a full path to the script
+================================
+
+    .. cfgcmd:: set service event-handler event <event-handler name> script path <path to script>
+   
+    This is a mandatory command. Sets the full path to the script. The script file must be executable.
+
+
+   
+4. Add optional parameters
+==========================
+
+    .. cfgcmd:: set service event-handler event <event-handler name> filter syslog-identifier <sylogid name>
+
+    This is an optional command. Filters log messages by syslog-identifier.
+
+    .. cfgcmd:: set service event-handler event <event-handler name> script environment <env name> value <env value>
+
+    This is an optional command. Adds environment and its value to the script. Use separate commands for each environment.
+    
+    One implicit environment exists.
+    
+    * ``message``: Full message that has triggered the script.
+
+    .. cfgcmd:: set service event-handler event <event-handler name> script arguments <arguments>
+
+    This is an optional command. Adds arguments to the script. Arguments must be separated by spaces.
+
+    .. note:: We don't recomend to use arguments. Using environments is more preffereble.
+    
+
+*******
+Example
+*******
+
+    Event handler that monitors the state of interface eth0.
+
+    .. code-block:: none
+
+	set service event-handler event INTERFACE_STATE_DOWN filter pattern '.*eth0.*,RUNNING,.*->.*'
+	set service event-handler event INTERFACE_STATE_DOWN filter syslog-identifier 'netplugd'
+	set service event-handler event INTERFACE_STATE_DOWN script environment interface_action value 'down'
+	set service event-handler event INTERFACE_STATE_DOWN script environment interface_name value 'eth2'
+	set service event-handler event INTERFACE_STATE_DOWN script path '/config/scripts/eventhandler.py'
+
+    Event handler script
+
+    .. code-block:: none
+
+	#!/usr/bin/env python3
+	#
+	# VyOS event-handler script example
+	from os import environ
+	import subprocess
+	from sys import exit
+
+	# Perform actions according to requirements
+	def process_event() -> None:
+    	    # Get variables
+    	    message_text = environ.get('message')
+    	    interface_name = environ.get('interface_name')
+    	    interface_action = environ.get('interface_action')
+    	    # Print the message that triggered this script
+    	    print(f'Logged message: {message_text}')
+    	    # Prepare a command to run
+    	    command = f'sudo ip link set {interface_name} {interface_action}'.split()
+    	    # Execute a command
+    	    subprocess.run(command)
+
+	if __name__ == '__main__':
+    	    try:
+        	# Run script actions and exit
+        	process_event()
+    	        exit(0)
+    	    except Exception as err:
+        	# Exit properly in case if something in the script goes wrong
+            	print(f'Error running script: {err}')
+            	exit(1)

docs/configuration/service/https.rst

@@ -28,6 +28,10 @@ Configuration
    Set the listen port of the local API, this has no effect on the
    webserver. The default is port 8080
 
+.. cfgcmd:: set service https api socket
+
+   Use local socket for API
+
 .. cfgcmd:: set service https api strict
 
    Enforce strict path checking
@@ -89,4 +93,4 @@ To use this full configuration we asume a public accessible hostname.
    set service https virtual-host rtr01 listen-address 198.51.100.2
    set service https virtual-host rtr01 listen-port 11443
    set service https virtual-host rtr01 server-name rtr01.example.com
-   set service https api-restrict virtual-host rtr01.example.com
+   set service https api-restrict virtual-host rtr01

docs/configuration/service/index.rst

@@ -25,3 +25,4 @@ Service
    ssh
    tftp-server
    webproxy
+   eventhandler

docs/configuration/service/monitoring.rst

@@ -1,10 +1,111 @@
 Monitoring
 ----------
 
-Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.
+Azure-data-explorer
+===================
+Telegraf output plugin azure-data-explorer_
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-id <client-id>
+
+   Authentication application client-id.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-secret <client-secret>
+
+   Authentication application client-secret.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication tenant-id <tenant-id>
+
+   Authentication application tenant-id
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer database <name>
+
+   Remote databe name.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer group-metrics <single-table | table-per-metric>
+
+   Type of metrics grouping when push to Azure Data Explorer. The default is
+   ``table-per-metric``.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer table <name>
+
+   Name of the single table Only if set group-metrics single-table.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer url <url>
+
+   Remote URL.
+
+Prometheus-client
+=================
+Telegraf output plugin prometheus-client_
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client
+
+   Output plugin Prometheus client
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client allow-from <prefix>
+
+   Networks allowed to query this server
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client authentication username <username>
+
+   HTTP basic authentication username
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client authentication password <password>
+
+   HTTP basic authentication username
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client listen-address <address>
+
+   Local IP addresses to listen on
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client metric-version <1 | 2>
+
+   Metris version, the default is ``2``
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client port <port>
+
+   Port number used by connection, default is ``9273``
+
+Example:
+
+.. code-block:: none
+
+  set service monitoring telegraf prometheus-client
+
+.. code-block:: none
+
+  vyos@r14:~$ curl --silent localhost:9273/metrics | egrep -v "#" |  grep cpu_usage_system
+  cpu_usage_system{cpu="cpu-total",host="r14"} 0.20040080160320556
+  cpu_usage_system{cpu="cpu0",host="r14"} 0.17182130584191915
+  cpu_usage_system{cpu="cpu1",host="r14"} 0.22896393817971655
+
+Splunk
+======
+Telegraf output plugin splunk_. HTTP Event Collector.
+
+.. cfgcmd:: set service monitoring telegraf splunk authentication insecure
+
+   Use TLS but skip host validation
+
+.. cfgcmd:: set service monitoring telegraf splunk authentication token <token>
+
+   Authorization token
+
+.. cfgcmd:: set service monitoring telegraf splunk authentication url <url>
+
+   Remote URL to Splunk collector
+
+Example:
+
+.. code-block:: none
+
+  set service monitoring telegraf splunk authentication insecure
+  set service monitoring telegraf splunk authentication token 'xxxxf5b8-xxxx-452a-xxxx-43828911xxxx'
+  set service monitoring telegraf splunk url 'https://192.0.2.10:8088/services/collector'
 
 Telegraf
 ========
+Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.
 Telegraf is the open source server agent to help you collect metrics, events
 and logs from your routers.
 
@@ -43,3 +144,7 @@ An example of a configuration that sends ``telegraf`` metrics to remote
   set service monitoring telegraf port '8086'
   set service monitoring telegraf source 'all'
   set service monitoring telegraf url 'http://r1.influxdb2.local'
+
+.. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer
+.. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client
+.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html

docs/configuration/service/ssh.rst

@@ -109,6 +109,36 @@ Configuration
 
   Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
 
+Dynamic-protection
+==================
+Protects host from brute-force attacks against
+SSH. Log messages are parsed, line-by-line, for recognized patterns. If an
+attack, such as several login failures within a few seconds, is detected, the
+offending IP is blocked. Offenders are unblocked after a set interval.
+
+.. cfgcmd:: set service ssh dynamic-protection
+
+  Allow ``ssh`` dynamic-protection.
+
+.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix>
+
+  Whitelist of addresses and networks. Always allow inbound connections from
+  these systems.
+
+.. cfgcmd:: set service ssh dynamic-protection block-time <sec>
+
+  Block source IP in seconds. Subsequent blocks increase by a factor of 1.5
+  The default is 120.
+
+.. cfgcmd:: set service ssh dynamic-protection detect-time <sec>
+
+  Remember source IP in seconds before reset their score. The default is 1800.
+
+.. cfgcmd:: set service ssh dynamic-protection threshold <sec>
+
+  Block source IP when their cumulative attack score exceeds threshold. The
+  default is 30.
+
 Operation
 =========
 

docs/configuration/system/acceleration.rst

@@ -0,0 +1,146 @@
+.. _acceleration:
+
+############
+Acceleration
+############
+
+In this command tree, all hardware acceleration options will be handled.
+At the moment only `Intel® QAT`_ is supported
+
+**********
+Intel® QAT
+**********
+
+.. opcmd:: show system acceleration qat
+
+    use this command to check if there is an Intel® QAT supported Processor in
+    your system.
+
+    .. code-block::
+
+        vyos@vyos:~$ show system acceleration qat
+        01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11)
+
+    if there is non device the command will show ```No QAT device found```
+
+.. cfgcmd:: set system acceleration qat
+
+    if there is a supported device, enable Intel® QAT
+
+.. opcmd:: show system acceleration qat status
+
+    Check if the Intel® QAT device is up and ready to do the job.
+
+    .. code-block::
+
+        vyos@vyos:~$ show system acceleration qat status
+        Checking status of all devices.
+        There is 1 QAT acceleration device(s) in the system:
+        qat_dev0 - type: c3xxx,  inst_id: 0,  node_id: 0,  bsf: 0000:01:00.0,  #accel: 3 #engines: 6 state: up
+    
+Operation Mode
+==============
+
+.. opcmd:: show system acceleration qat device <device> config
+
+    Show the full config uploaded to the QAT device.
+
+.. opcmd:: show system acceleration qat device <device> flows
+
+    Get an overview over the encryption counters.
+
+.. opcmd:: show system acceleration qat interrupts
+
+    Show binded qat device interrupts to certain core.
+
+
+Example
+=======
+
+Let's build a simple VPN between 2 Intel® QAT ready devices.
+
+Side A:
+
+.. code-block::
+
+    set interfaces vti vti1 address '192.168.1.2/24'
+    set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+    set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+    set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+    set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+    set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+    set vpn ipsec ipsec-interfaces interface 'eth0'
+    set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret'
+    set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123'
+    set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate'
+    set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup'
+    set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup'
+    set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2'
+    set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1'
+
+Side B:
+
+.. code-block::
+
+    set interfaces vti vti1 address '192.168.1.1/24'
+    set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+    set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+    set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+    set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+    set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+    set vpn ipsec ipsec-interfaces interface 'eth0'
+    set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret'
+    set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123'
+    set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate'
+    set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup'
+    set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup'
+    set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1'
+    set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1'
+
+a bandwidth test over the VPN got these results:
+
+.. code-block::
+
+    Connecting to host 192.168.1.2, port 5201
+    [  9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201
+    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
+    [  9]   0.00-1.01   sec  32.3 MBytes   268 Mbits/sec    0    196 KBytes
+    [  9]   1.01-2.03   sec  32.5 MBytes   268 Mbits/sec    0    208 KBytes
+    [  9]   2.03-3.03   sec  32.5 MBytes   271 Mbits/sec    0    208 KBytes
+    [  9]   3.03-4.04   sec  32.5 MBytes   272 Mbits/sec    0    208 KBytes
+    [  9]   4.04-5.00   sec  31.2 MBytes   272 Mbits/sec    0    208 KBytes
+    [  9]   5.00-6.01   sec  32.5 MBytes   272 Mbits/sec    0    234 KBytes
+    [  9]   6.01-7.04   sec  32.5 MBytes   265 Mbits/sec    0    234 KBytes
+    [  9]   7.04-8.04   sec  32.5 MBytes   272 Mbits/sec    0    234 KBytes
+    [  9]   8.04-9.04   sec  32.5 MBytes   273 Mbits/sec    0    336 KBytes
+    [  9]   9.04-10.00  sec  31.2 MBytes   272 Mbits/sec    0    336 KBytes
+    - - - - - - - - - - - - - - - - - - - - - - - - -
+    [ ID] Interval           Transfer     Bitrate         Retr
+    [  9]   0.00-10.00  sec   322 MBytes   270 Mbits/sec    0           sender
+    [  9]   0.00-10.00  sec   322 MBytes   270 Mbits/sec                receiver
+
+with :cfgcmd:`set system acceleration qat` on both systems the bandwidth
+increases.
+
+.. code-block::
+
+    Connecting to host 192.168.1.2, port 5201
+    [  9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201
+    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
+    [  9]   0.00-1.00   sec  97.3 MBytes   817 Mbits/sec    0   1000 KBytes
+    [  9]   1.00-2.00   sec  92.5 MBytes   776 Mbits/sec    0   1.07 MBytes
+    [  9]   2.00-3.00   sec  92.5 MBytes   776 Mbits/sec    0    820 KBytes
+    [  9]   3.00-4.00   sec  92.5 MBytes   776 Mbits/sec    0    899 KBytes
+    [  9]   4.00-5.00   sec  91.2 MBytes   765 Mbits/sec    0    972 KBytes
+    [  9]   5.00-6.00   sec  92.5 MBytes   776 Mbits/sec    0   1.02 MBytes
+    [  9]   6.00-7.00   sec  92.5 MBytes   776 Mbits/sec    0   1.08 MBytes
+    [  9]   7.00-8.00   sec  92.5 MBytes   776 Mbits/sec    0   1.14 MBytes
+    [  9]   8.00-9.00   sec  91.2 MBytes   765 Mbits/sec    0    915 KBytes
+    [  9]   9.00-10.00  sec  92.5 MBytes   776 Mbits/sec    0   1000 KBytes
+    - - - - - - - - - - - - - - - - - - - - - - - - -
+    [ ID] Interval           Transfer     Bitrate         Retr
+    [  9]   0.00-10.00  sec   927 MBytes   778 Mbits/sec    0             sender
+    [  9]   0.00-10.01  sec   925 MBytes   775 Mbits/sec                  receiver
+
+
+.. _`Intel® QAT`: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html

docs/configuration/system/eventhandler.rst

@@ -1,51 +0,0 @@
-.. _event-handler:
-
-Event Handler
--------------
-
-Event handler allows you to execute scripts when a string that matches a regex
-appears in a text stream (e.g. log file).
-
-It uses "feeds" (output of commands, or a named pipes) and "policies" that
-define what to execute if a regex is matched.
-
-.. code-block:: none
-
-  system
-  event-handler
-      feed <name>
-      description <feed description>
-      policy <policy name>
-      source
-          preset
-          syslog # Use the syslog logs for feed
-          custom
-          command <command to execute> # E.g. "tail -f /var/log/somelogfile"
-          named-pipe <path to a names pipe>
-      policy <policy name>
-      description <policy description>
-      event <event name>
-          description <event description>
-          pattern <regex>
-          run <command to run>
-
-In this small example a script runs every time a login failed and an interface
-goes down
-
-.. code-block:: none
-
-  vyos@vyos# show system event-handler
-  feed Syslog {
-      policy MyPolicy
-      source {
-          preset syslog
-      }
-  }
-  policy MyPolicy {
-      description "Test policy"
-      event BadThingsHappened {
-          pattern "authentication failure"
-          pattern "interface \.* index \d+ .* DOWN.*"
-          run /config/scripts/email-to-admin
-      }
-  }

docs/configuration/system/index.rst

@@ -7,6 +7,7 @@ System
    :maxdepth: 1
    :includehidden:
 
+   acceleration
    conntrack
    console
    flow-accounting
@@ -29,4 +30,3 @@ System
    :includehidden:
 
    default-route
-   eventhandler

docs/configuration/system/ip.rst

@@ -9,6 +9,15 @@ System configuration commands
 
    Use this command to disable IPv4 forwarding on all interfaces.
 
+.. cfgcmd:: set system ip disable-directed-broadcast
+
+   Use this command to disable IPv4 directed broadcast forwarding on all
+   interfaces.
+
+   If set, IPv4 directed broadcast forwarding will be completely disabled
+   regardless of whether per-interface directed broadcast forwarding is
+   enabled or not.
+
 .. cfgcmd:: set system ip arp table-size <number>
 
    Use this command to define the maximum number of entries to keep in
@@ -67,4 +76,4 @@ And the different IPv4 **reset** commands available:
      bgp           Clear Border Gateway Protocol (BGP) statistics or status
      igmp          IGMP clear commands
      multicast     IP multicast routing table
-     route         Reset IP route
+     route         Reset IP route

docs/configuration/system/ipv6.rst

@@ -160,7 +160,7 @@ Show commands
 Reset commands
 ^^^^^^^^^^^^^^
 
-.. opcmd:: reset ipv6 bgp <address>
+.. opcmd:: reset bgp ipv6 <address>
 
    Use this command to clear Border Gateway Protocol statistics or
    status.

docs/configuration/vpn/dmvpn.rst

@@ -278,6 +278,7 @@ spoke01-spoke04
    ip nhrp registration timeout 75
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
+   tunnel protection ipsec profile DMVPN
    tunnel key 1
   !
   interface FastEthernet0/0

docs/configuration/vrf/index.rst

@@ -197,7 +197,7 @@ Example
 VRF route leaking
 -----------------
 
-The following example topology was build using EVE-NG.
+The following example topology was built using EVE-NG.
 
 .. figure:: /_static/images/vrf-example-topology-01.png
    :alt: VRF topology example
@@ -338,7 +338,7 @@ VRF Route Leaking
 BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN
 SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may 
 also be leaked between any VRFs (including the unicast RIB of the default BGP
-instanced). A shortcut syntax is also available for specifying leaking from 
+instance). A shortcut syntax is also available for specifying leaking from 
 one VRF to another VRF using the default instance’s VPN RIB as the intemediary
 . A common application of the VRF-VRF feature is to connect a customer’s 
 private routing domain to a provider’s VPN service. Leaking is configured from

docs/contributing/build-vyos.rst

@@ -23,7 +23,7 @@ also set up your own build machine and run a :ref:`build_native`.
    The source code remains public and an ISO can be built using the process
    outlined in this chapter.
 
-This will guide you though the process of building a VyOS ISO using Docker_.
+This will guide you through the process of building a VyOS ISO using Docker_.
 This process has been tested on clean installs of Debian Jessie, Stretch, and
 Buster.
 
@@ -59,11 +59,11 @@ yourusername``.
 Build Container
 ---------------
 
-The container can built by hand or by fetching the pre-built one from DockerHub.
+The container can be built by hand or by fetching the pre-built one from 
-Using the pre-built containers from the `VyOS DockerHub organisation`_ will
+DockerHub. Using the pre-built containers from the `VyOS DockerHub 
-ensure that the container is always up-to-date. A rebuild is triggered once the
+organisation`_ will ensure that the container is always up-to-date. A rebuild 
-container changes (please note this will take 2-3 hours after pushing to the
+is triggered once the container changes (please note this will take 2-3 hours 
-vyos-build repository).
+after pushing to the vyos-build repository).
 
 .. note: If you are using the pre-built container, it will be automatically
    downloaded from DockerHub if it is not found on your local machine when
@@ -131,7 +131,7 @@ your development containers in your current working directory.
 
 .. note:: Some VyOS packages (namely vyos-1x) come with build-time tests which
    verify some of the internal library calls that they work as expected. Those
-   tests are carried out through the Python Unittest module. If you wan't to
+   tests are carried out through the Python Unittest module. If you want to
    build the ``vyos-1x`` package (which is our main development package) you need
    to start your Docker container using the following argument:
    ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will fail.
@@ -304,8 +304,8 @@ more or less similar looking error message:
   (10:13) vyos_bld ece068908a5b:/vyos [current] #
 
 To debug the build process and gain additional information of what could be the
-root cause wou need to `chroot` into the build directry. This is explained in
+root cause, you need to use `chroot` to change into the build directry. This is 
-the following step by step procedure:
+explained in the following step by step procedure:
 
 .. code-block:: none
 
@@ -729,7 +729,7 @@ package from our GitHub organisation - this is the place to be.
 Any "modified" package may refer to an altered version of e.g. vyos-1x package
 that you would like to test before filing a pull request on GitHub.
 
-Building an ISO with any customized package is in no way different then
+Building an ISO with any customized package is in no way different than
 building a regular (customized or not) ISO image. Simply place your modified
 `*.deb` package inside the `packages` folder within `vyos-build`. The build
 process will then pickup your custom package and integrate it into your ISO.
@@ -771,7 +771,7 @@ Virtualization Platforms
 QEMU
 ----
 
-Run following command after building the ISO image.
+Run the following command after building the ISO image.
 
 .. code-block:: none
 
@@ -780,7 +780,7 @@ Run following command after building the ISO image.
 VMware
 ------
 
-Run following command after building the QEMU image.
+Run the following command after building the QEMU image.
 
 .. code-block:: none
 

docs/coverage.rst

@@ -6,21 +6,23 @@ Overview over all commands, which are documented in the
 ``.. cfgcmd::`` or ``.. opcmd::`` Directives.
 
 The build process take all xml definition files
-from `vyos-1x <https://github.com/vyos/vyos-1x>`_  and extract each leaf
+from `vyos-1x <https://github.com/vyos/vyos-1x>`_  and a periodical export of
-command or executable command. After this the commands are compare and shown in
+all VyOS commands and extract each leaf command or executable command.
+After this the commands are compare and shown in
 the following two tables. The script compare only the fixed part of a command.
 All varables or values will be erase and then compare:
 
 for example there are these two commands:
 
   * documentation: ``interfaces ethernet <interface> address
-    <address | dhcp | dhcpv6>```
+    <address | dhcp | dhcpv6>``
-  * xml: ``interface ethernet <ethernet> address <address>``
+  * xml: ``interfaces ethernet <ethernet> address <address>``
+  * VyOS: ``interfaces ethernet <text> address <value>``
 
 Now the script earse all in between ``<`` and ``>`` and simply compare
 the strings.
 
-**There are 2 kind of problems:**   
+**There are 3 kind of problems:**   
 
 ``Not documented yet``
 
@@ -30,9 +32,14 @@ the strings.
 ``Nothing found in XML Definitions``
 
   * ``.. cfgcmd::`` or ``.. opcmd::`` Command are not found in a XML command
-  * Maybe the command where changed in the XML Definition, or the feature is
+  * Maybe the command where changed in the XML Definition, the feature is
-    not anymore in VyOS
+    not anymore in VyOS, or there is a typo
-  * Some commands are not yet translated to XML
+
+``Nothing found in VyOS``
+
+  * ``.. cfgcmd::`` or ``.. opcmd::`` Command are not found in a VyOS command
+  * Maybe the command where changed, the feature is
+    not anymore in VyOS, or there is a typo
 
 
 Configuration Commands

docs/installation/vyos-on-baremetal.rst

@@ -115,6 +115,8 @@ Refer to :ref:`wireless-interface` for additional information, below listed
 modules have been tested successfully on this Hardware platform:
 
 * Compex WLE900VX mini-PCIe WiFi module, only supported in mPCIe slot 1.
+* Intel Corporation AX200 mini-PCIe WiFi module, only supported in mPCIe slot 1.
+  (see :ref:`wireless-interface-intel-ax200`)
 
 WWAN
 """"

docs/introducing/history.rst

@@ -119,7 +119,7 @@ software) and even distribute them, given you rename it and remove
 such assets before building. Although note that we do not provide
 support for images distributed by a third-party. See the
 `artwork license <https://github.com/vyos/vyos-build/blob/current/LICENSE.artwork>`_
-and the end-user license agreement at ``/usr/share/doc/vyos/EULA`` in
+and the end-user license agreement at ``/usr/share/vyos/EULA`` in
 any pre-built image for more precise information.
 
 

requirements.txt

@@ -2,6 +2,6 @@ Sphinx==4.5.0
 sphinx-rtd-theme==1.0.0
 sphinx-autobuild==2021.3.14
 sphinx-notfound-page==0.8
-lxml==4.8.0
+lxml==4.9.1
 myst-parser==0.17.1
 sphinx-panels==0.6.0