Merge branch 'vyos:master' into master

docs/_include/vyos-1x

@@ -1 +1 @@
-Subproject commit 0de84e53c36604af2bac3b5d8eb00480f9623aa0
+Subproject commit 09efa0550dd169e30a851513781b611dd84e9c79

docs/automation/cloud-init.rst

@@ -1,29 +1,31 @@
-.. _cloud-init:
+:lastproofread: 2021-06-27
+
+. _cloud-init:
 
 ###############
 VyOS cloud-init
 ###############
 
-Cloud instances of VyOS are initialized using the industry-standard cloud-init. 
+Cloud instances of VyOS are initialized using the industry-standard
-Via cloud-init, the system performs tasks such as injecting SSH keys and
+cloud-init. Via cloud-init, the system performs tasks such as injecting
-configuring the network. In addition, the user can supply a custom
+SSH keys and configuring the network. In addition, the user can supply a custom
 configuration at the time of instance launch.
 
 **************
 Config Sources
 **************
 
-VyOS support three type of config sources.
+VyOS support three types of config sources.
 
-.. stop_vyoslinter
+* Metadata - Metadata is sourced by the cloud platform or hypervisor.
+  In some clouds, there is implemented as an HTTP endpoint at
+  http://169.254.169.254.
 
-* Metadata - Metadata is sourced by the cloud platform or hypervisor. In some clouds, there is implemented as an HTTP endpoint at http://169.254.169.254.
+* Network configuration - This config source informs the system about the
+  network.
 
-* Network configuration - Ths config source informs the system about the network.
+* User-data - User-data is specified by the user. This config source offers the
-
+  most flexibility and will be the focus of this documentation.
-* User-data - User-data is specified by the user. This config source offers the most flexibility and will be the focus of this documentation.
-
-.. start_vyoslinter
 
 
 *********
@@ -86,7 +88,7 @@ These are the VyOS defaults and fallbacks.
 * DHCP on first Ethernet interface if no network configuration is provided
 
 
-All of these can be overridden using configuration in user-data.
+All of these can be overridden using the configuration in user-data.
 
 
 ***************

docs/automation/command-scripting.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-27
+
 .. _command-scripting:
 
 Command Scripting
@@ -34,7 +36,7 @@ example, if you want to disable a BGP peer on VRRP transition to backup:
 Run operational commands
 ------------------------
 
-Unlike a normal configuration sessions, all operational commands must be
+Unlike a normal configuration session, all operational commands must be
 prepended with ``run``, even if you haven't created a session with configure.
 
 .. code-block:: none
@@ -44,8 +46,8 @@ prepended with ``run``, even if you haven't created a session with configure.
   run show interfaces
   exit
 
-Other script language
+Other script languages
----------------------
+----------------------
 
 If you want to script the configs in a language other than bash you can have
 your script output commands and then source them in a bash script.
@@ -108,7 +110,7 @@ group, the script can be safeguarded like this:
 Executing pre-hooks/post-hooks Scripts
 --------------------------------------
 
-Vyos has the ability to run custom  scripts before and after each commit
+VyOS has the ability to run custom  scripts before and after each commit
 
 The default directories where your custom Scripts should be located are:
 
@@ -124,7 +126,8 @@ Scripts are run in alphabetical order. Their names must consist entirely of
 ASCII upper- and lower-case letters,ASCII digits, ASCII underscores, and 
 ASCII minus-hyphens.No other characters are allowed.
 
-.. note:: Custom scripts are not executed with root privileges (Use sudo inside if this is necessary).
+.. note:: Custom scripts are not executed with root privileges
+   (Use sudo inside if this is necessary).
 
 A simple example is shown below, where the ops command executed in 
 the post-hook script is "show interfaces".
@@ -148,8 +151,8 @@ Preconfig on boot
 The ``/config/scripts/vyos-preconfig-bootup.script`` script is called on boot
 before the VyOS configuration during boot process.
 
-Any modifications done to work around unfixed bugs and implement enhancements
+Any modifications were done to work around unfixed bugs and implement
-which are not complete in the VyOS system can be placed here.
+enhancements that are not complete in the VyOS system can be placed here.
 
 The default file looks like this:
 
@@ -167,8 +170,8 @@ Postconfig on boot
 The ``/config/scripts/vyos-postconfig-bootup.script`` script is called on boot
 after the VyOS configuration is fully applied.
 
-Any modifications done to work around unfixed bugs and implement enhancements
+Any modifications were done to work around unfixed bugs and implement
-which are not complete in the VyOS system can be placed here.
+enhancements that are not complete in the VyOS system can be placed here.
 
 The default file looks like this:
 
@@ -179,6 +182,6 @@ The default file looks like this:
   # applied. Any modifications required to work around unfixed bugs or use
   # services not available through the VyOS CLI system can be placed here.
 
-.. hint:: For configuration/upgrade management issues, modification of these
+.. hint:: For configuration/upgrade management issues, modification of this
    script should be the last option. Always try to find solutions based on CLI
    commands first.

docs/automation/vyos-ansible.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
 .. _vyos-ansible:
 
 Ansible

docs/automation/vyos-api.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
 .. _vyosapi:
 
 ########
@@ -10,11 +12,11 @@ for configuration and enabling the API see :ref:`http-api`
 Authentication
 **************
 
-All Endpoint only listen on HTTP POST requests and the API KEY must set as
+All endpoints only listen on HTTP POST requests and the API KEY must set as
 ``key`` in the formdata.
 
-Below see one example or curl and one for python.
+Below see one example for curl and one for python.
-In the following, the documentation is reduced to curl.
+The rest of the documentation is reduced to curl.
 
 .. code-block:: none
 
@@ -74,8 +76,7 @@ To get the whole configuration, pass an empty list to the ``path`` field
    }
 
 
-only get a part of the configuration, 
+To only get a part of the configuration, for example ``system syslog``.
-for example ``system syslog``.
 
 .. code-block:: none
 
@@ -105,7 +106,7 @@ for example ``system syslog``.
 if you just want the Value of a multi-valued node, use the ``returnValues``
 operation.
 
-for example get the addresses of a ``dum0`` interface
+For example, get the addresses of a ``dum0`` interface.
 
 .. code-block:: none
 
@@ -165,9 +166,9 @@ delete an image, for example ``1.3-rolling-202006070117``
 /show
 =====
 
-The ``/show`` endpoint is to show everthing in operational mode
+The ``/show`` endpoint is to show everything in the operational mode.
 
-for example which images are installed
+For example, show which images are installed.
 
 .. code-block:: none
 
@@ -189,7 +190,7 @@ for example which images are installed
 /generate
 =========
 
-to run a ``generate`` command use the
+THe ``generate`` endpoint run a ``generate`` command.
 
 .. code-block:: none
 
@@ -242,10 +243,10 @@ You can pass a ``set``, ``delete`` or ``comment`` command to the
       "error": null
    }
 
-The API push every request to a session and commit it.
+The API pushes every request to a session and commit it.
 But some of VyOS components like DHCP and PPPoE Servers, IPSec, VXLAN, and
 other tunnels require full configuration for commit. 
-The Endpoint will process multiple commands when you pass them as a list to
+The endpoint will process multiple commands when you pass them as a list to
 the ``data`` field.
 
 .. code-block:: none

docs/changelog/1.3.rst

@@ -8,6 +8,32 @@
    _ext/releasenotes.py
 
 
+2021-06-27
+==========
+
+* :vytask:`T3653` (default): Cloudinit subnet error if a cidr (/24) is used instead of a subnet mask (255.255.255.0)
+
+
+2021-06-25
+==========
+
+* :vytask:`T3650` (bug): OpenVPN: Upgrade package to 2.5.1 before releasing VyOS 1.3.0
+* :vytask:`T3649` (feature): Add bonding additional hash-policy
+
+
+2021-06-24
+==========
+
+* :vytask:`T2722` (bug): get_config_dict() and key_mangling=('-', '_') will alter CLI data for tagNodes
+
+
+2021-06-22
+==========
+
+* :vytask:`T3629` (bug): IPoE server shifting address in the range
+* :vytask:`T3582` (default): 'delete log file' does not work
+
+
 2021-06-19
 ==========
 
@@ -555,7 +581,7 @@
 2021-02-16
 ==========
 
-* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.127 / 5.10.45
+* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.128 / 5.10.46
 
 
 2021-02-14

docs/changelog/1.4.rst

@@ -8,6 +8,35 @@
    _ext/releasenotes.py
 
 
+2021-06-27
+==========
+
+* :vytask:`T3653` (default): Cloudinit subnet error if a cidr (/24) is used instead of a subnet mask (255.255.255.0)
+
+
+2021-06-25
+==========
+
+* :vytask:`T3641` (feature): Upgrade base system from Debian Buster -> Debian Bullseye
+* :vytask:`T3649` (feature): Add bonding additional hash-policy
+
+
+2021-06-23
+==========
+
+* :vytask:`T3647` (feature): Bullseye: gcc defaults to passing --as-needed to linker
+* :vytask:`T3644` (default): Replace GCC with a simpler preprocessor for including nested XML snippets in XML documents
+* :vytask:`T3356` (feature): Script for remote file transfers
+
+
+2021-06-22
+==========
+
+* :vytask:`T3629` (bug): IPoE server shifting address in the range
+* :vytask:`T3645` (feature): Bullseye: ethtool changed output for ring-buffer information
+* :vytask:`T3582` (default): 'delete log file' does not work
+
+
 2021-06-21
 ==========
 
@@ -662,7 +691,7 @@
 ==========
 
 * :vytask:`T3313` (bug): ospfv3 interface missing options
-* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.127 / 5.10.45
+* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.128 / 5.10.46
 
 
 2021-02-15

docs/configexamples/azure-vpn-bgp.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
 .. _examples-azure-vpn-bgp:
 
 Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)

docs/configexamples/azure-vpn-dual-bgp.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
 .. _examples-azure-vpn-dual-bgp:
 
 Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)

docs/configexamples/bgp-ipv6-unnumbered.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-28
+
 .. _examples-bgp-ipv6-unnumbered:
 
 #########################################

docs/configexamples/dhcp-relay-through-gre-bridge.rst

@@ -1,7 +1,4 @@
-
+:lastproofread: 2021-06-28
-
-
-
 
 .. _examples-dhcp-relay-through-gre-bridge:
 

docs/configexamples/ha.rst

@@ -1,24 +1,26 @@
+:lastproofread: 2021-06-28
+
 #############################
 High Availability Walkthrough
 #############################
 
 This document walks you through a complete HA setup of two VyOS machines. This
-design is based on a VM as the primary router, and a physical machine as a
+design is based on a VM as the primary router and a physical machine as a
-backup, using VRRP, BGP, OSPF and conntrack sharing.
+backup, using VRRP, BGP, OSPF, and conntrack sharing.
 
-The aim of this document is to walk you through setting everything up, so
+This document aims to walk you through setting everything up, so
 at a point where you can reboot any machine and not lose more than a few
 seconds worth of connectivity.
 
 Design
 ======
 
-This is based on a real life, in production design. One of the complex issues
+This is based on a real-life production design. One of the complex issues
 is ensuring you have redundant data INTO your network. We do this with a pair
-of Cisco Nexus switches, and using Virtual PortChannels that are spanned across
+of Cisco Nexus switches and using Virtual PortChannels that are spanned across
-them. This as an added bonus, also allows for complete switch failure without
+them. As a bonus, this also allows for complete switch failure without
-an outage. How you achieve this yourself is left as an exercise to the reader
+an outage. How you achieve this yourself is left as an exercise to the reader.
-but our setup is documented here.
+But our setup is documented here.
 
 Walkthrough suggestion
 ----------------------
@@ -31,7 +33,7 @@ If you are following through this document, it is strongly suggested you
 complete the entire document, ONLY doing the virtual router1 steps, and then
 come back and walk through it AGAIN on the backup hardware router.
 
-This ensures you don't go to fast, or miss a step. However, it will make your
+This ensures you don't go too fast or miss a step. However, it will make your
 life easier to configure the fixed IP address and default route now on the
 hardware router.
 
@@ -43,7 +45,7 @@ provider, which we are publishing on VLAN100.
 
 They want us to establish a BGP session to their routers on 192.0.2.11 and
 192.0.2.12 from our routers 192.0.2.21 and 192.0.2.22. They are AS 65550 and
-we are AS65551.
+we are AS 65551.
 
 Our routers are going to have a floating IP address of 203.0.113.1, and use
 .2 and .3 as their fixed IPs.
@@ -54,13 +56,13 @@ When traffic is originated from the 10.200.201.0/24 network, it will be
 masqueraded to 203.0.113.1
 
 For connection between sites, we are running a WireGuard link to two REMOTE
-routers, and using OSPF over those links to distribute routes. That remote
+routers and using OSPF over those links to distribute routes. That remote
 site is expected to send traffic from anything in 10.201.0.0/16
 
 VLANs
 -----
 
-These are the vlans we wll be using:
+These are the vlans we will be using:
 
 * 50: Upstream, using the 192.0.2.0/24 network allocated by them.
 * 100: 'Public' network, using our 203.0.113.0/24 network.
@@ -95,7 +97,7 @@ of scope of this.
 
 .. note:: Our implementation uses VMware's Distributed Port Groups, which allows
   VMware to use LACP. This is a part of the ENTERPRISE licence, and is not
-  available on a Free licence. If you are implementing this and do not have
+  available on a free licence. If you are implementing this and do not have
   access to DPGs, you should not use VMware, and use some other virtualization
   platform instead.
 
@@ -103,7 +105,7 @@ of scope of this.
 Basic Setup (via console)
 =========================
 
-Create your router1 VM so it is able to withstand a VM Host failing, or a
+Create your router1 VM. So it can withstand a VM Host failing or a
 network link failing. Using VMware, this is achieved by enabling vSphere DRS,
 vSphere Availability, and creating a Distributed Port Group that uses LACP.
 
@@ -177,7 +179,7 @@ Enable SSH so you can now SSH into the routers, rather than using the console.
    commit
    save
 
-At this point you should be able to SSH into both of them, and will no longer
+At this point, you should be able to SSH into both of them, and will no longer
 need access to the console (unless you break something!)
 
 
@@ -417,9 +419,9 @@ Make sure you can ping 10.254.60.1 and .2 from both routers.
 Create Export Filter
 --------------------
 
-We only want to export the networks we know we should be exporting. Always
+We only want to export the networks we know. Always do a whitelist on your route
-whitelist your route filters, both importing and exporting. A good rule of
+filters, both importing and exporting. A good rule of thumb is
-thumb is **'If you are not the default router for a network, don't advertise
+**'If you are not the default router for a network, don't advertise
 it'**. This means we explicitly do not want to advertise the 192.0.2.0/24
 network (but do want to advertise 10.200.201.0 and 203.0.113.0, which we ARE
 the default route for). This filter is applied to ``redistribute connected``.
@@ -448,7 +450,7 @@ default again. This is called 'flapping'.
 Create Import Filter
 --------------------
 
-We only want to import networks we know about. Our OSPF peer should only be
+We only want to import networks we know. Our OSPF peer should only be
 advertising networks in the 10.201.0.0/16 range. Note that this is an INVERSE
 MATCH. You deny in access-list 100 to accept the route.
 
@@ -491,7 +493,7 @@ Test OSPF
 
 When you have enabled OSPF on both routers, you should be able to see each
 other with the command ``show ip ospf neighbour``. The state must be 'Full'
-or '2-Way', if it is not then there is a network connectivity issue between the
+or '2-Way'. If it is not, then there is a network connectivity issue between the
 hosts. This is often caused by NAT or MTU issues. You should not see any new
 routes (unless this is the second pass) in the output of ``show ip route``
 
@@ -514,8 +516,8 @@ You should now be able to see the advertised network on the other host.
 Duplicate configuration
 -----------------------
 
-At this pont you now need to create the X link between all four routers. Use a
+At this point, you now need to create the X link between all four routers.
-different /30 for each link.
+Use amdifferent /30 for each link.
 
 Priorities
 ----------

docs/configexamples/ospf-unnumbered.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
 .. _examples-ospf-unnumbered:
 
 #########################

docs/configexamples/pppoe-ipv6-basic.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
 .. _examples-pppoe-ipv6-basic:
 
 #######################################
@@ -5,9 +7,9 @@ PPPoE IPv6 Basic Setup for Home Network
 #######################################
 
 This document is to describe a basic setup using PPPoE with DHCPv6-PD +
-SLAAC to construct a typical home network. The user can follow steps described
+SLAAC to construct a typical home network. The user can follow the steps
-here to quickly setup a working network and use this as a starting point to
+described here to quickly setup a working network and use this as a starting
-further configure or fine tune other settings.
+point to further configure or fine-tune other settings.
 
 To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure,
 please contact your ISP for more information.
@@ -40,8 +42,8 @@ DHCPv6-PD Setup
 ---------------
 
 During address configuration, in addition to assigning an address to the WAN
-interface, ISP also provides a prefix to allow router to configure addresses of
+interface, ISP also provides a prefix to allow the router to configure addresses
-LAN interface and other nodes connecting to LAN, which is called prefix
+of LAN interface and other nodes connecting to LAN, which is called prefix
 delegation (PD).
 
 .. code-block:: none
@@ -49,8 +51,8 @@ delegation (PD).
    set interfaces pppoe pppoe0 ipv6 address autoconf
    set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 address '100'
 
-* Here we use prefix to configure the address of eth1 (LAN) to form ``<prefix>::64``,
+* Here we use the prefix to configure the address of eth1 (LAN) to form
-  where ``64`` is hexadecimal of address 100.
+  ``<prefix>::64``, where ``64`` is hexadecimal of address 100.
 * For home network users, most of time ISP only provides /64 prefix, hence
   there is no need to set SLA ID and prefix length. See :ref:`pppoe-interface`
   for more information.
@@ -59,7 +61,7 @@ Router Advertisement
 --------------------
 
 We need to enable router advertisement for LAN network so that PC can receive
-the prefix and use SLAAC to configure address automatically.
+the prefix and use SLAAC to configure the address automatically.
 
 .. code-block:: none
 
@@ -68,8 +70,8 @@ the prefix and use SLAAC to configure address automatically.
    set service router-advert interface eth1 prefix ::/64 valid-lifetime '172800'
 
 * Set MTU in advertisement to 1492 because of PPPoE header overhead.
-* Set DNS server address in advertisement so that clients can obtain it by using
+* Set DNS server address in the advertisement so that clients can obtain it by
-  RDNSS option. Most operating systems (Windows, Linux, Mac) should
+  using RDNSS option. Most operating systems (Windows, Linux, Mac) should
   already support it.
 * Here we set the prefix to ``::/64`` to indicate advertising any /64 prefix
   the LAN interface is assigned.
@@ -106,5 +108,5 @@ To have basic protection while keeping IPv6 network functional, we need to:
    set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN'
    set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL'
 
-Note to allow router to receive DHCPv6 response from ISP, we need to allow
+Note to allow the router to receive DHCPv6 response from ISP. We need to allow
 packets with source port 547 (server) and destination port 546 (client).

docs/configexamples/tunnelbroker-ipv6.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
 .. _examples-tunnelbroker-ipv6:
 
 .. stop_vyoslinter
@@ -6,7 +8,7 @@
 Tunnelbroker.net (IPv6)
 #######################
 
-This guides walks through the setup of https://www.tunnelbroker.net/ for an
+This guide walks through the setup of https://www.tunnelbroker.net/ for an
 IPv6 Tunnel.
 
 Prerequisites
@@ -78,12 +80,12 @@ You should now be able to ping something by IPv6 DNS name:
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 16.880/17.153/17.426/0.273 ms
 
-Assuming everything works, you can proceed to client configuration
+Assuming everything works, you can proceed to the client configuration
 
 LAN Configuration
 =================
 
-At this point your VyOS install should have full IPv6, but now your LAN devices
+At this point, your VyOS install should have full IPv6, but now your LAN devices
 need access.
 
 With Tunnelbroker.net, you have two options:
@@ -140,7 +142,7 @@ The format of these addresses:
 In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff
 (1-65535).
 
-So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc:
+So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:
 
 .. code-block:: none
 

docs/configexamples/wan-load-balancing.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
 .. _wan-load-balancing:
 
 .. stop_vyoslinter # pictures and text have to change
@@ -65,21 +67,20 @@ Configure the WAN load balancer with the parameters described above:
 Example 2: Failover based on interface weights
 ----------------------------------------------
 
-This examples uses the failover mode.
+This example uses the failover mode.
-
 
 .. _wan:example2_overwiew:
 
 Overview
 ^^^^^^^^
-In this example eth0 is the primary interface and eth1 is the secondary
+In this example, eth0 is the primary interface and eth1 is the secondary
-interface to provide simple failover functionality. If eth0 fails, eth1
+interface. To provide simple failover functionality. If eth0 fails, eth1
 takes over.
 
 Create interface weight based configuration
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 The configuration steps are the same as in the previous example, except
-rule 10 so we keep the configuration, remove rule 10 and add a new rule
+rule 10. So we keep the configuration, remove rule 10 and add a new rule
 for the failover mode:
 
 .. code-block:: none
@@ -93,8 +94,8 @@ for the failover mode:
 Example 3: Failover based on rule order
 ---------------------------------------
 
-The previous example used the failover command to send traffic thorugh
+The previous example used the failover command to send traffic through
-eth1 if eth0 fails. In this example failover functionality is provided
+eth1 if eth0 fails. In this example, failover functionality is provided
 by rule order.
 
 .. _wan:example3_overwiew:
@@ -108,7 +109,7 @@ directing traffic to eth1.
 
 Create rule order based configuration
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-We keep the configurtation from the previous example, delete rule 10
+We keep the configuration from the previous example, delete rule 10
 and create the two new rules as described:
 
 .. code-block:: none
@@ -122,20 +123,20 @@ and create the two new rules as described:
 Example 4: Failover based on rule order - priority traffic
 ----------------------------------------------------------
 
-A rule order for prioritising traffic is useful in scenarios where the
+A rule order for prioritizing traffic is useful in scenarios where the
 secondary link has a lower speed and should only carry high priority
 traffic. It is assumed for this example that eth1 is connected to a
-slower connection than eth0 and should prioritise VoIP traffic.
+slower connection than eth0 and should prioritize VoIP traffic.
 
 
 .. _wan:example4_overwiew:
 
 Overview
 ^^^^^^^^
-A rule order for prioritising traffic is useful in scenarios where the
+A rule order for prioritizing traffic is useful in scenarios where the
 secondary link has a lower speed and should only carry high priority
 traffic. It is assumed for this example that eth1 is connected to a
-slower connection than eth0 and should prioritise VoIP traffic. 
+slower connection than eth0 and should prioritize VoIP traffic. 
 
 Create rule order based configuration with low speed secondary link
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

docs/configexamples/zone-policy.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
 .. _examples-zone-policy:
 
 Zone-Policy example
@@ -132,7 +134,7 @@ To add logging to the default rule, do:
   set firewall name <ruleSet> enable-default-log
 
 
-By default, iptables does not allow traffic for established session to
+By default, iptables does not allow traffic for established sessions to
 return, so you must explicitly allow this. I do this by adding two rules
 to every ruleset. 1 allows established and related state packets through
 and rule 2 drops and logs invalid state packets. We place the
@@ -367,7 +369,7 @@ IPv6 Tunnel
 ^^^^^^^^^^^
 
 If you are using a IPv6 tunnel from HE.net or someone else, the basis is
-the same except you have two WAN interface. One for v4 and one for v6.
+the same except you have two WAN interfaces. One for v4 and one for v6.
 
 You would have 5 zones instead of just 4 and you would configure your v6
 ruleset between your tunnel interface and your LAN/DMZ zones instead of

docs/configuration/firewall/index.rst

@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
 .. _firewall:
 
 ########
@@ -29,7 +31,7 @@ or zone based firewall policy.
 Global settings
 ***************
 
-Some firewall settings are global and have a affect on the whole system.
+Some firewall settings are global and have an affect on the whole system.
 
 .. cfgcmd:: set firewall all-ping [enable | disable]
 
@@ -89,7 +91,7 @@ Some firewall settings are global and have a affect on the whole system.
 
 .. cfgcmd:: set firewall send-redirects [enable | disable]
 
-   enable or disable of ICMPv4 redirect messages send by VyOS 
+   enable or disable  ICMPv4 redirect messages send by VyOS 
    The following system parameter will be altered:
 
    * ``net.ipv4.conf.all.send_redirects``
@@ -127,7 +129,7 @@ Some firewall settings are global and have a affect on the whole system.
 
 .. cfgcmd:: set firewall state-policy established log enable
 
-   Set the global setting for a established connections.
+   Set the global setting for an established connection.
 
 .. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
 
@@ -163,8 +165,8 @@ names.
 Address Groups
 ==============
 
-In a **address group** a single IP adresses or IP address ranges are
+In an **address group** a single IP address or IP address ranges are
-definded.
+defined.
 
 .. cfgcmd::  set firewall group address-group <name> address [address |
    address range]
@@ -221,7 +223,7 @@ filtering unnecessary ports. Ranges of ports can be specified by using
 .. cfgcmd:: set firewall group port-group <name> port
    [portname | portnumber | startport-endport]
 
-   Define a port group. A port name are any name defined in
+   Define a port group. A port name can be any name defined in
    /etc/services. e.g.: http
 
    .. code-block:: none
@@ -240,10 +242,10 @@ Rule-Sets
 *********
 
 A rule-set is a named collection of firewall rules that can be applied
-to an interface or zone. Each rule is numbered, has an action to apply
+to an interface or a zone. Each rule is numbered, has an action to apply
 if the rule is matched, and the ability to specify the criteria to
 match. Data packets go through the rules from 1 - 9999, at the first match
-the action of the rule will executed.
+the action of the rule will be executed.
 
 .. cfgcmd:: set firewall name <name> description <text>
 .. cfgcmd:: set firewall ipv6-name <name> description <text>
@@ -267,7 +269,7 @@ the action of the rule will executed.
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> action [drop | reject |
    accept]
 
-   This required setting define the action of the current rule.
+   This required setting defines the action of the current rule.
 
 .. cfgcmd:: set firewall name <name> rule <1-9999> description <text>
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> description <text>
@@ -287,7 +289,7 @@ the action of the rule will executed.
 Matching criteria
 =================
 
-There are a lot of matching criteria gainst which the package can be tested.
+There are a lot of matching criteria against which the package can be tested.
 
 
 .. cfgcmd:: set firewall name <name> rule <1-9999> source address 
@@ -299,7 +301,7 @@ There are a lot of matching criteria gainst which the package can be tested.
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination address
    [address | addressrange | CIDR]
 
-   This is similiar to the network groups part, but here you are able to negate
+   This is similar to the network groups part, but here you are able to negate
    the matching addresses.
 
    .. code-block:: none
@@ -315,7 +317,7 @@ There are a lot of matching criteria gainst which the package can be tested.
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> source mac-address 
    <mac-address>
 
-   Only in the source criteria you can specify a mac-address
+   Only in the source criteria, you can specify a mac-address.
 
    .. code-block:: none
 
@@ -331,7 +333,7 @@ There are a lot of matching criteria gainst which the package can be tested.
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination port
    [1-65535 | portname | start-end]
 
-   A port can be set with a portnumber or a name which is here
+   A port can be set with a port number or a name which is here
    defined: ``/etc/services``.
 
    .. code-block:: none
@@ -410,9 +412,9 @@ There are a lot of matching criteria gainst which the package can be tested.
       set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
 
 .. cfgcmd:: set firewall name <name> rule <1-9999> state [established |
-   invalid | new | related] [enable | disable ]
+   invalid | new | related] [enable | disable]
 .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> state [established |
-   invalid | new | related] [enable | disable ]
+   invalid | new | related] [enable | disable]
 
    Match against the state of a packet.
 
@@ -423,8 +425,8 @@ Applying a Rule-Set to an Interface
 
 A Rule-Set can be applied to every interface:
 
-* ``in``: Ruleset for forwarded packets on inbound interface
+* ``in``: Ruleset for forwarded packets on an inbound interface
-* ``out``: Ruleset for forwarded packets on outbound interface
+* ``out``: Ruleset for forwarded packets on an outbound interface
 * ``local``: Ruleset for packets destined for this router
 
 .. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local] 
@@ -451,7 +453,7 @@ Zone-based Firewall Policy
 As an alternative to applying policy to an interface directly, a
 zone-based firewall can be created to simplify configuration when
 multiple interfaces belong to the same security zone. Instead of
-applying rulesets to interfaces, they are applied to source
+applying rule-sets to interfaces, they are applied to source
 zone-destination zone pairs.
 
 An basic introduction to zone-based firewalls can be found `here
@@ -465,12 +467,12 @@ To define a zone setup either one with interfaces or a local zone.
 
 .. cfgcmd:: set zone-policy zone <name> interface <interfacenames>
 
-   Set a interfaces to a zone. A zone can have multiple interfaces.
+   Set interfaces to a zone. A zone can have multiple interfaces.
-   But a interface can only be member in one zone.
+   But an interface can only be a member in one zone.
 
 .. cfgcmd:: set zone-policy zone <name> local-zone
 
-   Define the Zone as a local zone. A local zone have no interfaces and
+   Define the zone as a local zone. A local zone has no interfaces and
    will be applied to the router itself.
 
 .. cfgcmd:: set zone-policy zone <name> default-action [drop | reject]
@@ -493,7 +495,7 @@ first.
 .. cfgcmd::  set zone-policy zone <name> from <name> firewall ipv6-name
    <rule-set>
 
-   You apply a rule-set always to a zone from a other zone, it is recommended
+   You apply a rule-set always to a zone from an other zone, it is recommended
    to create one rule-set for each zone pair.
 
    .. code-block:: none
@@ -577,7 +579,7 @@ Rule-set overview
 
 .. opcmd:: show firewall summary
 
-   This will show you a summary about rule-sets and groups
+   This will show you a summary of rule-sets and groups
 
    .. code-block:: none
 
@@ -630,7 +632,7 @@ Rule-set overview
    
 .. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999>
 
-   This command will give an overview about a rule in a single rule-set
+   This command will give an overview of a rule in a single rule-set
 
 .. opcmd:: show firewall group <name>
 
@@ -658,7 +660,7 @@ Rule-set overview
 
 .. opcmd:: show firewall [name | ipv6name] <name>
 
-   This command will give an overview about a single rule-set
+   This command will give an overview of a single rule-set.
 
 .. opcmd:: show firewall [name | ipv6name] <name> statistics
 
@@ -666,7 +668,7 @@ Rule-set overview
 
 .. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999>
 
-   This command will give an overview about a rule in a single rule-set
+   This command will give an overview of a rule in a single rule-set.
 
 
 Zone-Policy Overview
@@ -674,7 +676,7 @@ Zone-Policy Overview
 
 .. opcmd:: show zone-policy zone <name>
 
-   Use this command to get an overview about a zone
+   Use this command to get an overview of a zone.
 
    .. code-block:: none
 
@@ -695,7 +697,7 @@ Show Firewall log
 
 .. opcmd:: show log firewall [name | ipv6name] <name>
 
-   Show the logs of a specific Rule-Set
+   Show the logs of a specific Rule-Set.
 
 .. note::
    At the moment it not possible to look at the whole firewall log with VyOS

docs/installation/install.rst

@@ -35,7 +35,7 @@ Building from source
 ----------------------
 
 Non-subscribers can always get the LTS release by building it from source.
-Instruction can be found in the :ref:`build` section of this manual. VyOS
+Instructions can be found in the :ref:`build` section of this manual. VyOS
 source code repository is available for everyone at
 https://github.com/vyos/vyos-build.
 
@@ -58,11 +58,11 @@ https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
 Download Verification
 ---------------------
 
-LTS images are signed by VyOS lead package-maintainer private key. With
+LTS images are signed by the VyOS lead package-maintainer private key. With
 the official public key, the authenticity of the package can be
 verified. :abbr:`GPG (GNU Privacy Guard)` is used for verification.
 
-.. note:: This subsection only applies e applies to LTS images, for
+.. note:: This subsection only applies to LTS images, for
    Rolling images please jump to :ref:`live_installation`.
 
 Preparing for the verification
@@ -190,7 +190,7 @@ it in your hard drive. **With your downloaded VyOS .iso file you can
 create a bootable USB drive that will let you boot into a fully
 functional VyOS system**. Once you have tested it, you can either decide
 to begin a :ref:`permanent_installation` in your hard drive or power
-your system off, remove the USB drive, and leave everythng as it was.
+your system off, remove the USB drive, and leave everything as it was.
 
 
 If you have a GNU+Linux system, you can create your VyOS bootable USB

docs/operation/information.rst

@@ -94,3 +94,60 @@ For additional details you can refer to https://phabricator.vyos.net/T2490.
     usb0b2.4p1.1     Quad_RS232-HS       Future Technology Devices International, Ltd
     usb0b2.4p1.2     Quad_RS232-HS       Future Technology Devices International, Ltd
     usb0b2.4p1.3     Quad_RS232-HS       Future Technology Devices International, Ltd
+
+.. _information_version:
+
+########
+Version
+########
+
+.. opcmd:: show version
+
+  Return the current running VyOS version and build information. This includes
+  also the name of the release train which is ``crux`` on VyOS 1.2, ``equuleus``
+  on VyOS 1.3 and ``sagitta`` on VyOS 1.4.
+
+  .. code-block:: none
+  
+    vyos@vyos:~$ show version  
+
+    Version:          VyOS 1.4-rolling-202106270801
+    Release Train:    sagitta
+
+    Built by:         autobuild@vyos.net
+    Built on:         Sun 27 Jun 2021 09:50 UTC
+    Build UUID:       ab43e735-edcb-405a-9f51-f16a1b104e52
+    Build Commit ID:  f544d75eab758f
+
+    Architecture:     x86_64
+    Boot via:         installed image
+    System type:      KVM guest
+
+    Hardware vendor:  QEMU
+    Hardware model:   Standard PC (i440FX + PIIX, 1996)
+    Hardware S/N:     
+    Hardware UUID:    Unknown
+
+    Copyright:        VyOS maintainers and contributors
+
+.. opcmd:: show version kernel
+
+  Return version number of the Linux Kernel used in this release.
+
+  .. code-block:: none
+
+    vyos@vyos:~$ show version kernel
+    5.10.46-amd64-vyos
+
+.. opcmd:: show version frr
+
+  Return version number of FRR (Free Range Routing - https://frrouting.org/)
+  used in this release. This is the routing control plane and a successor to GNU
+  Zebra and Quagga.
+
+    .. code-block:: none
+
+      vyos@vyos:~$ show version frr
+      FRRouting 7.5.1-20210625-00-gf07d935a2 (vyos).
+      Copyright 1996-2005 Kunihiro Ishiguro, et al.
+