This commit is contained in:
rebortg 2020-12-08 14:57:44 +01:00
commit f6c43343bb
227 changed files with 3228 additions and 2271 deletions


@ -1,6 +1,8 @@
import os
import re
import ipaddress
import sys
import ast
IPV4SEG = r'(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])'
IPV4ADDR = r'(?:(?:' + IPV4SEG + r'\.){3,3}' + IPV4SEG + r')'
@ -33,7 +35,7 @@ def lint_mac(cnt, line):
u_mac = re.search(r'((00)[:-](53)([:-][0-9A-F]{2}){4})', mac, re.I)
m_mac = re.search(r'((90)[:-](10)([:-][0-9A-F]{2}){4})', mac, re.I)
if u_mac is None and m_mac is None:
return f"MAC-Address Error Line {cnt}: {mac}"
return (f"Use MAC reserved for Documentation (RFC7042): {mac}", cnt, 'error')
def lint_ipv4(cnt, line):
@ -42,7 +44,7 @@ def lint_ipv4(cnt, line):
ip = ipaddress.ip_address(ip.group().strip(' '))
# https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address.is_private
if ip.is_private is False and ip.is_multicast is False:
return f"IPv4 Error Line {cnt}: {ip}"
return (f"Use IPv4 reserved for Documentation (RFC 5737) or private Space: {ip}", cnt, 'error')
def lint_ipv6(cnt, line):
@ -51,7 +53,7 @@ def lint_ipv6(cnt, line):
ip = ipaddress.ip_address(ip.group().strip(' '))
# https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address.is_private
if ip.is_private is False and ip.is_multicast is False:
return f"IPv6 Error Line {cnt}: {ip}"
return (f"Use IPv6 reserved for Documentation (RFC 3849) or private Space: {ip}", cnt, 'error')
def lint_AS(cnt, line):
@ -63,7 +65,7 @@ def lint_AS(cnt, line):
def lint_linelen(cnt, line):
if len(line) > 80:
return f"Line {cnt} too long: len={len(line)}"
return (f"Line too long: len={len(line)}", cnt, 'warning')
def handle_file(path, file):
@ -99,10 +101,53 @@ def handle_file(path, file):
print('')
return False
def handle_file_action(filepath):
errors = []
try:
with open(filepath) as fp:
line = fp.readline()
cnt = 1
while line:
err_mac = lint_mac(cnt, line.strip())
err_ip4 = lint_ipv4(cnt, line.strip())
err_ip6 = lint_ipv6(cnt, line.strip())
err_len = lint_linelen(cnt, line.strip())
if err_mac:
errors.append(err_mac)
if err_ip4:
errors.append(err_ip4)
if err_ip6:
errors.append(err_ip6)
if err_len:
errors.append(err_len)
line = fp.readline()
cnt += 1
finally:
fp.close()
if len(errors) > 0:
'''
"::{$type} file={$filename},line={$line},col=$column::{$log}"
'''
print(f"File: {filepath}")
for error in errors:
print(f"::{error[2]} file={filepath},line={error[1]}::{error[0]}")
print('')
return False
def main():
bool_error = True
# TODO: path and/or files via cli arg
print('start')
try:
files = ast.literal_eval(sys.argv[1])
for file in files:
print(file)
if file[-4:] == ".rst":
if handle_file_action(file) is False:
bool_error = False
except Exception as e:
print(e)
for root, dirs, files in os.walk("../docs"):
path = root.split(os.sep)
for file in files:
@ -113,5 +158,5 @@ def main():
if __name__ == "__main__":
if main() is False:
if main() == False:
exit(1)
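Review bot: In `main`, the `try` around `files = ast.literal_eval(sys.argv[1])` also encloses the whole per-file loop and ends in `except Exception as e: print(e)`, so a malformed argument or a crash inside `handle_file_action` is printed, the script falls through to the `os.walk("../docs")` pass and the job still exits 0; narrow it to `except (ValueError, SyntaxError):` around the `literal_eval` call only and let linter failures propagate or set `bool_error = False`. In `handle_file_action`, the `with open(filepath) as fp:` block already closes the file, and the trailing `finally: fp.close()` raises `UnboundLocalError` when `open` itself fails (for example when a listed path no longer exists), masking the original error — drop the `try`/`finally`. `handle_file_action` returns `None` on success and `False` only when errors were found; an explicit `return True` on the clean path would make the `is False` check at the call site less surprising. The `exit(1)` at the bottom is the interactive `site` helper; `sys.exit(1)` is the portable form (`sys` is already imported). `main`'s body continues outside the visible hunks.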

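--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -0,0 +1,32 @@
+name: Linting
+on:
+pull_request:
+jobs:
+lint:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v2
+- name: File Changes
+id: file_changes
+uses: trilom/file-changes-action@v1.2.3
+- name: Vale
+uses: errata-ai/vale-action@v1.3.0
+with:
+files: '${{ steps.file_changes.outputs.files_modified }}'
+- name: Set up Python
+uses: actions/setup-python@v2
+with:
+python-version: '3.x'
+- name: run python based linter
+run: python .github/vyos-linter.py '${{ steps.file_changes.outputs.files_modified }}'
+env:
+GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}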
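Review bot: The `run:` step interpolates `${{ steps.file_changes.outputs.files_modified }}` directly into the shell command text; this workflow is triggered by `pull_request`, so the file names in that list are chosen by whoever opens the PR, and a name containing a quote or other shell metacharacter changes what the shell executes rather than what the linter receives. Pass the value through the environment instead — `env:` / `FILES: ${{ steps.file_changes.outputs.files_modified }}` on the step and `run: python .github/vyos-linter.py "$FILES"` — so the shell only ever sees an opaque variable. The `GITHUB_TOKEN` env block, which appears to belong to this linter step, is not read by the visible part of `vyos-linter.py` and can be dropped. The third-party actions (`trilom/file-changes-action@v1.2.3`, `errata-ai/vale-action@v1.3.0`) are pinned by mutable tag; pinning to a full commit SHA is the usual supply-chain hardening for actions outside the `actions/` org.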

3
.gitignore vendored

@ -1,3 +1,6 @@
# Sphinx
_build/
# python virtualenv
venv/
ENV/

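--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,4 @@
+[submodule "docs/_include/vyos-1x"]
+path = docs/_include/vyos-1x
+url = https://github.com/vyos/vyos-1x
+branch = current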


@ -22,3 +22,6 @@ python:
version: 3.7
install:
- requirements: requirements.txt
submodules:
include: all

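--- a/Pipfile
+++ b/Pipfile
@@ -0,0 +1,16 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+[packages]
+sphinx-rtd-theme = "*"
+docutils = "*"
+lxml = "*"
+sphinx-notfound-page = "*"
+Sphinx = ">=1.4.3"
+[dev-packages]
+[requires]
+python_version = "3.9"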
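Review bot: `sphinx-rtd-theme`, `docutils`, `lxml` and `sphinx-notfound-page` are declared as `"*"` and no `Pipfile.lock` is visible in this commit, so every environment built from this file resolves whatever is newest on PyPI at that moment; give each at least a lower bound as done for `Sphinx` (`">=1.4.3"`) and commit the lock file so builds are reproducible and reviewable. `python_version = "3.9"` also disagrees with the `version: 3.7` in what appears to be the Read the Docs configuration earlier in this commit, and that configuration installs from `requirements.txt` rather than from this Pipfile, so the two dependency manifests can silently drift apart.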


@ -33,6 +33,7 @@ RUN pip3 install Sphinx
RUN pip3 install sphinx-rtd-theme
RUN pip3 install sphinx-autobuild
RUN pip3 install sphinx-notfound-page
RUN pip3 install lxml
# Cleanup

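--- a/docs/.gitignore
+++ b/docs/.gitignore
@@ -1 +0,0 @@
-_build/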

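--- a/docs/_ext/testcoverage.py
+++ b/docs/_ext/testcoverage.py
@@ -0,0 +1,351 @@
+'''
+generate json with all commands from xml for vyos documentation coverage
+'''
+import sys
+import os
+import json
+import re
+import logging
+from io import BytesIO
+from lxml import etree as ET
+import shutil
+default_constraint_err_msg = "Invalid value"
+validator_dir = ""
+input_data = [
+{
+"kind": "cfgcmd",
+"input_dir": "_include/vyos-1x/interface-definitions/",
+"schema_file": "_include/vyos-1x/schema/interface_definition.rng",
+"files": []
+},
+{
+"kind": "opcmd",
+"input_dir": "_include/vyos-1x/op-mode-definitions/",
+"schema_file": "_include/vyos-1x/schema/op-mode-definition.rng",
+"files": []
+}
+]
+node_data = {
+'cfgcmd': {},
+'opcmd': {},
+}
+def get_properties(p):
+props = {}
+props['valueless'] = False
+try:
+if p.find("valueless") is not None:
+props['valueless'] = True
+except:
+pass
+if p is None:
+return props
+# Get the help string
+try:
+props["help"] = p.find("help").text
+except:
+pass
+# Get value help strings
+try:
+vhe = p.findall("valueHelp")
+vh = []
+for v in vhe:
+vh.append( (v.find("format").text, v.find("description").text) )
+props["val_help"] = vh
+except:
+props["val_help"] = []
+# Get the constraint statements
+error_msg = default_constraint_err_msg
+# Get the error message if it's there
+try:
+error_msg = p.find("constraintErrorMessage").text
+except:
+pass
+vce = p.find("constraint")
+vc = []
+if vce is not None:
+# The old backend doesn't support multiple validators in OR mode
+# so we emulate it
+regexes = []
+regex_elements = vce.findall("regex")
+if regex_elements is not None:
+regexes = list(map(lambda e: e.text.strip(), regex_elements))
+if "" in regexes:
+print("Warning: empty regex, node will be accepting any value")
+validator_elements = vce.findall("validator")
+validators = []
+if validator_elements is not None:
+for v in validator_elements:
+v_name = os.path.join(validator_dir, v.get("name"))
+# XXX: lxml returns None for empty arguments
+v_argument = None
+try:
+v_argument = v.get("argument")
+except:
+pass
+if v_argument is None:
+v_argument = ""
+validators.append("{0} {1}".format(v_name, v_argument))
+regex_args = " ".join(map(lambda s: "--regex \\\'{0}\\\'".format(s), regexes))
+validator_args = " ".join(map(lambda s: "--exec \\\"{0}\\\"".format(s), validators))
+validator_script = '${vyos_libexec_dir}/validate-value.py'
+validator_string = "exec \"{0} {1} {2} --value \\\'$VAR(@)\\\'\"; \"{3}\"".format(validator_script, regex_args, validator_args, error_msg)
+props["constraint"] = validator_string
+# Get the completion help strings
+try:
+che = p.findall("completionHelp")
+ch = ""
+for c in che:
+scripts = c.findall("script")
+paths = c.findall("path")
+lists = c.findall("list")
+# Current backend doesn't support multiple allowed: tags
+# so we get to emulate it
+comp_exprs = []
+for i in lists:
+comp_exprs.append("echo \"{0}\"".format(i.text))
+for i in paths:
+comp_exprs.append("/bin/cli-shell-api listNodes {0}".format(i.text))
+for i in scripts:
+comp_exprs.append("sh -c \"{0}\"".format(i.text))
+comp_help = " && ".join(comp_exprs)
+props["comp_help"] = comp_help
+except:
+props["comp_help"] = []
+# Get priority
+try:
+props["priority"] = p.find("priority").text
+except:
+pass
+# Get "multi"
+if p.find("multi") is not None:
+props["multi"] = True
+# Get "valueless"
+if p.find("valueless") is not None:
+props["valueless"] = True
+return props
+def process_node(n, f):
+props_elem = n.find("properties")
+children = n.find("children")
+command = n.find("command")
+children_nodes = []
+owner = n.get("owner")
+node_type = n.tag
+name = n.get("name")
+props = get_properties(props_elem)
+if node_type != "node":
+if "valueless" not in props.keys():
+props["type"] = "txt"
+if node_type == "tagNode":
+props["tag"] = "True"
+if node_type == "node" and children is not None:
+inner_nodes = children.iterfind("*")
+index_child = 0
+for inner_n in inner_nodes:
+children_nodes.append(process_node(inner_n, f))
+index_child = index_child + 1
+if node_type == "tagNode" and children is not None:
+inner_nodes = children.iterfind("*")
+index_child = 0
+for inner_n in inner_nodes:
+children_nodes.append(process_node(inner_n, f))
+index_child = index_child + 1
+else:
+# This is a leaf node
+pass
+if command is not None:
+test_command = True
+else:
+test_command = False
+node = {
+'name': name,
+'type': node_type,
+'children': children_nodes,
+'props': props,
+'command': test_command,
+'filename': f
+}
+return node
+def create_commands(data, parent_list=[], level=0):
+result = []
+command = {
+'name': [],
+'help': None,
+'tag_help': [],
+'level': level,
+'no_childs': False,
+'filename': None
+}
+command['filename'] = data['filename']
+command['name'].extend(parent_list)
+command['name'].append(data['name'])
+if data['type'] == 'tagNode':
+command['name'].append("<" + data['name'] + ">")
+if 'val_help' in data['props'].keys():
+for val_help in data['props']['val_help']:
+command['tag_help'].append(val_help)
+if len(data['children']) == 0:
+command['no_childs'] = True
+if data['command']:
+command['no_childs'] = True
+try:
+help_text = data['props']['help']
+command['help'] = re.sub(r"[\n\t]*", "", help_text)
+except:
+command['help'] = ""
+command['valueless'] = data['props']['valueless']
+if 'children' in data.keys():
+children_bool = True
+for child in data['children']:
+result.extend(create_commands(child, command['name'], level + 1))
+if command['no_childs']:
+result.append(command)
+return result
+def include_file(line, input_dir):
+string = ""
+if "#include <include" in line.strip():
+include_filename = line.strip().split('<')[1][:-1]
+with open(input_dir + include_filename) as ifp:
+iline = ifp.readline()
+while iline:
+string = string + include_file(iline.strip(), input_dir)
+iline = ifp.readline()
+else:
+string = line
+return string
+def get_working_commands():
+for entry in input_data:
+for (dirpath, dirnames, filenames) in os.walk(entry['input_dir']):
+entry['files'].extend(filenames)
+break
+for f in entry['files']:
+string = ""
+with open(entry['input_dir'] + f) as fp:
+line = fp.readline()
+while line:
+string = string + include_file(line.strip(), entry['input_dir'])
+line = fp.readline()
+try:
+xml = ET.parse(BytesIO(bytes(string, 'utf-8')))
+except Exception as e:
+print("Failed to load interface definition file {0}".format(f))
+print(e)
+sys.exit(1)
+try:
+relaxng_xml = ET.parse(entry['schema_file'])
+validator = ET.RelaxNG(relaxng_xml)
+if not validator.validate(xml):
+print(validator.error_log)
+print("Interface definition file {0} does not match the schema!".format(f))
+sys.exit(1)
+except Exception as e:
+print("Failed to load the XML schema {0}".format(entry['schema_file']))
+print(e)
+sys.exit(1)
+root = xml.getroot()
+nodes = root.iterfind("*")
+for n in nodes:
+node_data[entry['kind']][f] = process_node(n, f)
+# build config tree and sort
+config_tree_new = {
+'cfgcmd': {},
+'opcmd': {},
+}
+for kind in node_data:
+for entry in node_data[kind]:
+node_0 = node_data[kind][entry]['name']
+if node_0 not in config_tree_new[kind].keys():
+config_tree_new[kind][node_0] = {
+'name': node_0,
+'type': node_data[kind][entry]['type'],
+'props': node_data[kind][entry]['props'],
+'children': [],
+'command': node_data[kind][entry]['command'],
+'filename': node_data[kind][entry]['filename'],
+}
+config_tree_new[kind][node_0]['children'].extend(node_data[kind][entry]['children'])
+result = {
+'cfgcmd': [],
+'opcmd': [],
+}
+for kind in config_tree_new:
+for e in config_tree_new[kind]:
+result[kind].extend(create_commands(config_tree_new[kind][e]))
+for cmd in result['cfgcmd']:
+cmd['cmd'] = " ".join(cmd['name'])
+for cmd in result['opcmd']:
+cmd['cmd'] = " ".join(cmd['name'])
+return result
+if __name__ == "__main__":
+res = get_working_commands()
+print(json.dumps(res))
+#print(res['cfgcmd'][0])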
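Review bot: `get_properties` calls `p.find("valueless")` before its `if p is None: return props` guard, and the bare `except:` around that call is what hides the resulting `AttributeError`; make the `None` check the first statement and narrow each bare `except:` in this file to `except AttributeError:`, since every one of them is guarding `.text` or `.find` on a possibly-missing element and would otherwise also swallow a `KeyboardInterrupt`. `findall` never returns `None`, so `if regex_elements is not None` and `if validator_elements is not None` are dead checks, and the completion-help fallback stores `props["comp_help"] = []` while the success path stores a string, which any consumer has to special-case. In `get_working_commands`, `ET.parse(BytesIO(...))` uses lxml's default parser; the input is the pinned `vyos-1x` submodule so the exposure is small, but `ET.XMLParser(resolve_entities=False, no_network=True)` costs nothing and is the conventional setting for parsing XML you did not author. The `sys.exit(1)` calls in the same function terminate the whole Sphinx process when it is invoked from an extension's `setup()`; raising an exception that names the offending file (or `logging.getLogger(__name__).error(...)` followed by `raise`) gives the build a diagnosable failure instead.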


@ -1,25 +1,41 @@
import re
import io
import json
import os
from docutils import io, nodes, utils, statemachine
from docutils.utils.error_reporting import SafeString, ErrorString
from docutils.parsers.rst.roles import set_classes
from docutils.parsers.rst import Directive, directives
from docutils.parsers.rst import Directive, directives, states
from sphinx.util.docutils import SphinxDirective
from testcoverage import get_working_commands
def setup(app):
app.add_config_value(
'vyos_phabricator_url',
'https://phabricator.vyos.net/', ''
'https://phabricator.vyos.net/',
'html'
)
app.add_config_value(
'vyos_working_commands',
get_working_commands(),
'html'
)
app.add_config_value(
'vyos_coverage',
{
'cfgcmd': [0,len(app.config.vyos_working_commands['cfgcmd'])],
'opcmd': [0,len(app.config.vyos_working_commands['opcmd'])]
},
'html'
)
app.add_role('vytask', vytask_role)
app.add_role('cfgcmd', cmd_role)
app.add_role('opcmd', cmd_role)
print(app.config.vyos_phabricator_url)
app.add_node(
inlinecmd,
html=(inlinecmd.visit_span, inlinecmd.depart_span),
@ -46,9 +62,11 @@ def setup(app):
text=(CmdHeader.visit_div, CmdHeader.depart_div)
)
app.add_node(CfgcmdList)
app.add_node(CfgcmdListCoverage)
app.add_directive('cfgcmdlist', CfgcmdlistDirective)
app.add_node(OpcmdList)
app.add_node(OpcmdListCoverage)
app.add_directive('opcmdlist', OpcmdlistDirective)
app.add_directive('cfgcmd', CfgCmdDirective)
@ -56,15 +74,17 @@ def setup(app):
app.add_directive('cmdinclude', CfgInclude)
app.connect('doctree-resolved', process_cmd_nodes)
class CfgcmdList(nodes.General, nodes.Element):
pass
class OpcmdList(nodes.General, nodes.Element):
pass
import json
class CfgcmdListCoverage(nodes.General, nodes.Element):
pass
class OpcmdListCoverage(nodes.General, nodes.Element):
pass
class CmdHeader(nodes.General, nodes.Element):
@ -153,7 +173,7 @@ class inlinecmd(nodes.inline):
#self.literal_whitespace -= 1
class CfgInclude(Directive):
class CfgInclude(SphinxDirective):
required_arguments = 1
optional_arguments = 0
final_argument_whitespace = True
@ -169,10 +189,15 @@ class CfgInclude(Directive):
'var8': str,
'var9': str
}
standard_include_path = os.path.join(os.path.dirname(states.__file__),
'include')
def run(self):
### Copy from include directive docutils
"""Include a file as part of the content of this reST file."""
rel_filename, filename = self.env.relfn2path(self.arguments[0])
self.arguments[0] = filename
self.env.note_included(filename)
if not self.state.document.settings.file_insertion_enabled:
raise self.warning('"%s" directive disabled.' % self.name)
source = self.state_machine.input_lines.source(
@ -199,9 +224,9 @@ class CfgInclude(Directive):
'Cannot encode input file path "%s" '
'(wrong locale?).' %
(self.name, SafeString(path)))
except IOError:
raise self.severe(u'Problems with "%s" directive path.' %
(self.name))
except IOError as error:
raise self.severe(u'Problems with "%s" directive path:\n%s.' %
(self.name, error))
startline = self.options.get('start-line', None)
endline = self.options.get('end-line', None)
try:
@ -277,7 +302,6 @@ class CfgInclude(Directive):
return codeblock.run()
new_include_lines = []
for line in include_lines:
for i in range(10):
value = self.options.get(f'var{i}','')
@ -285,22 +309,41 @@ class CfgInclude(Directive):
line = re.sub('\s?{{\s?var' + str(i) + '\s?}}',value,line)
else:
line = re.sub('{{\s?var' + str(i) + '\s?}}',value,line)
new_include_lines.append(line)
self.state_machine.insert_input(new_include_lines, path)
return []
class CfgcmdlistDirective(Directive):
has_content = False
required_arguments = 0
option_spec = {
'show-coverage': directives.flag
}
def run(self):
return [CfgcmdList('')]
cfglist = CfgcmdList()
cfglist['coverage'] = False
if 'show-coverage' in self.options:
cfglist['coverage'] = True
return [cfglist]
class OpcmdlistDirective(Directive):
has_content = False
required_arguments = 0
option_spec = {
'show-coverage': directives.flag
}
def run(self):
return [OpcmdList('')]
oplist = OpcmdList()
oplist['coverage'] = False
if 'show-coverage' in self.options:
oplist['coverage'] = True
return [oplist]
class CmdDirective(SphinxDirective):
@ -309,6 +352,7 @@ class CmdDirective(SphinxDirective):
custom_class = ''
def run(self):
title_list = []
content_list = []
title_text = ''
@ -386,7 +430,134 @@ class CfgCmdDirective(CmdDirective):
custom_class = 'cfg'
def process_cmd_node(app, cmd, fromdocname):
def strip_cmd(cmd):
cmd = re.sub('set','',cmd)
cmd = re.sub('\s\|\s','',cmd)
cmd = re.sub('<\S*>','',cmd)
cmd = re.sub('\[\S\]','',cmd)
cmd = re.sub('\s+','',cmd)
return cmd
def build_row(app, fromdocname, rowdata):
row = nodes.row()
for cell in rowdata:
entry = nodes.entry()
row += entry
if isinstance(cell, list):
for item in cell:
if isinstance(item, dict):
entry += process_cmd_node(app, item, fromdocname, '')
else:
entry += nodes.paragraph(text=item)
elif isinstance(cell, bool):
if cell:
entry += nodes.paragraph(text="")
entry['classes'] = ['coverage-ok']
else:
entry += nodes.paragraph(text="")
entry['classes'] = ['coverage-fail']
else:
entry += nodes.paragraph(text=cell)
return row
def process_coverage(app, fromdocname, doccmd, xmlcmd, cli_type):
coverage_list = {}
int_docs = 0
int_xml = 0
for cmd in doccmd:
coverage_item = {
'doccmd': None,
'xmlcmd': None,
'doccmd_item': None,
'xmlcmd_item': None,
'indocs': False,
'inxml': False,
'xmlfilename': None
}
coverage_item['doccmd'] = cmd['cmd']
coverage_item['doccmd_item'] = cmd
coverage_item['indocs'] = True
int_docs += 1
coverage_list[strip_cmd(cmd['cmd'])] = dict(coverage_item)
for cmd in xmlcmd:
strip = strip_cmd(cmd['cmd'])
if strip not in coverage_list.keys():
coverage_item = {
'doccmd': None,
'xmlcmd': None,
'doccmd_item': None,
'xmlcmd_item': None,
'indocs': False,
'inxml': False,
'xmlfilename': None
}
coverage_item['xmlcmd'] = cmd['cmd']
coverage_item['xmlcmd_item'] = cmd
coverage_item['inxml'] = True
coverage_item['xmlfilename'] = cmd['filename']
int_xml += 1
coverage_list[strip] = dict(coverage_item)
else:
#print("===BEGIN===")
#print(cmd)
#print(coverage_list[strip])
#print(strip)
#print("===END====")
coverage_list[strip]['xmlcmd'] = cmd['cmd']
coverage_list[strip]['xmlcmd_item'] = cmd
coverage_list[strip]['inxml'] = True
coverage_list[strip]['xmlfilename'] = cmd['filename']
int_xml += 1
table = nodes.table()
tgroup = nodes.tgroup(cols=3)
table += tgroup
header = (f'{int_docs}/{len(coverage_list)} in Docs', f'{int_xml}/{len(coverage_list)} in XML', 'Command')
colwidths = (1, 1, 8)
table = nodes.table()
tgroup = nodes.tgroup(cols=len(header))
table += tgroup
for colwidth in colwidths:
tgroup += nodes.colspec(colwidth=colwidth)
thead = nodes.thead()
tgroup += thead
thead += build_row(app, fromdocname, header)
tbody = nodes.tbody()
tgroup += tbody
for entry in sorted(coverage_list):
body_text_list = []
if coverage_list[entry]['indocs']:
body_text_list.append(coverage_list[entry]['doccmd_item'])
else:
body_text_list.append('Not documented yet')
if coverage_list[entry]['inxml']:
body_text_list.append("------------------")
body_text_list.append(str(coverage_list[entry]['xmlfilename']) + ":")
body_text_list.append(coverage_list[entry]['xmlcmd'])
else:
body_text_list.append('Nothing found in XML Definitions')
tbody += build_row(app, fromdocname,
(
coverage_list[entry]['indocs'],
coverage_list[entry]['inxml'],
body_text_list
)
)
return table
def process_cmd_node(app, cmd, fromdocname, cli_type):
para = nodes.paragraph()
newnode = nodes.reference('', '')
innernode = cmd['cmdnode']
@ -401,22 +572,46 @@ def process_cmd_node(app, cmd, fromdocname):
def process_cmd_nodes(app, doctree, fromdocname):
try:
env = app.builder.env
for node in doctree.traverse(CfgcmdList):
content = []
if node.attributes['coverage']:
node.replace_self(
process_coverage(
app,
fromdocname,
env.vyos_cfgcmd,
app.config.vyos_working_commands['cfgcmd'],
'cfgcmd'
)
)
else:
for cmd in sorted(env.vyos_cfgcmd, key=lambda i: i['cmd']):
content.append(process_cmd_node(app, cmd, fromdocname))
content.append(process_cmd_node(app, cmd, fromdocname, 'cfgcmd'))
node.replace_self(content)
for node in doctree.traverse(OpcmdList):
content = []
if node.attributes['coverage']:
node.replace_self(
process_coverage(
app,
fromdocname,
env.vyos_opcmd,
app.config.vyos_working_commands['opcmd'],
'opcmd'
)
)
else:
for cmd in sorted(env.vyos_opcmd, key=lambda i: i['cmd']):
content.append(process_cmd_node(app, cmd, fromdocname))
content.append(process_cmd_node(app, cmd, fromdocname, 'opcmd'))
node.replace_self(content)
except Exception as inst:
print(inst)
def vytask_role(name, rawtext, text, lineno, inliner, options={}, content=[]):
app = inliner.document.settings.env.app
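Review bot: In `strip_cmd`, `re.sub('set','',cmd)` is unanchored, so it also removes `set` from inside longer tokens (a `reset` or `offset` leaf, for instance), and two distinct commands can collapse onto one coverage key; anchor it as `cmd = re.sub(r'^set\s+', '', cmd)` and write the remaining patterns as raw strings, because `'\s'`, `'\S'` and `'\['` in non-raw literals are invalid escapes that current Pythons warn about — the same applies to the `'\s?{{\s?var' + str(i) + '\s?}}'` patterns in the `{{ varN }}` substitution loop in `CfgInclude`. In that loop, `value` taken from the `varN` option is passed to `re.sub` as a replacement template, so a backslash sequence in an option value is interpreted by `re` rather than inserted literally; `re.sub(pattern, lambda _m: value, line)` inserts it verbatim. `process_coverage` builds `table = nodes.table()` / `tgroup = nodes.tgroup(cols=3)` and then immediately discards them and rebuilds both a few lines later — delete the first pair — and its `cli_type` parameter is never read. `process_cmd_nodes` wraps both traversals in `except Exception as inst: print(inst)`, which turns a broken coverage table into a page that is silently missing content; use `sphinx.util.logging.getLogger(__name__).warning(...)` or let the exception propagate so the build fails visibly. `CfgInclude.run` starts and ends outside the visible hunks.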


@ -1,18 +1,18 @@
.. cmdinclude:: ../_include/interface-address-with-dhcp.txt
.. cmdinclude:: /_include/interface-address-with-dhcp.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
.. cmdinclude:: ../_include/interface-common.txt
.. cmdinclude:: /_include/interface-common.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
**DHCP(v6)**
.. cmdinclude:: ../_include/interface-dhcp-options.txt
.. cmdinclude:: /_include/interface-dhcp-options.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
.. cmdinclude:: ../_include/interface-dhcpv6-options.txt
.. cmdinclude:: /_include/interface-dhcpv6-options.txt
:var0: {{ var0 }}
:var1: {{ var1 }}


@ -1,7 +1,7 @@
.. cmdinclude:: ../_include/interface-address.txt
.. cmdinclude:: /_include/interface-address.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
.. cmdinclude:: ../_include/interface-common.txt
.. cmdinclude:: /_include/interface-common.txt
:var0: {{ var0 }}
:var1: {{ var1 }}


@ -1,24 +1,24 @@
.. cmdinclude:: ../_include/interface-description.txt
.. cmdinclude:: /_include/interface-description.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
.. cmdinclude:: ../_include/interface-disable.txt
.. cmdinclude:: /_include/interface-disable.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
.. cmdinclude:: ../_include/interface-disable-flow-control.txt
.. cmdinclude:: /_include/interface-disable-flow-control.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
.. cmdinclude:: ../_include/interface-disable-link-detect.txt
.. cmdinclude:: /_include/interface-disable-link-detect.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
.. cmdinclude:: ../_include/interface-mac.txt
.. cmdinclude:: /_include/interface-mac.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
.. cmdinclude:: ../_include/interface-mtu.txt
.. cmdinclude:: /_include/interface-mtu.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
@ -30,6 +30,6 @@
:var0: {{ var0 }}
:var1: {{ var1 }}
.. cmdinclude:: ../_include/interface-vrf.txt
.. cmdinclude:: /_include/interface-vrf.txt
:var0: {{ var0 }}
:var1: {{ var1 }}


@ -1,4 +1,4 @@
.. include:: ../_include/need_improvement.txt
.. include:: /_include/need_improvement.txt
IEEE 802.1ad_ was an Ethernet networking standard informally known as QinQ as
an amendment to IEEE standard 802.1q VLAN interfaces as described above.
@ -28,7 +28,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
(service tag with Ethernet Type = 0x88a8).
.. cmdinclude:: ../_include/interface-address-with-dhcp.txt
.. cmdinclude:: /_include/interface-address-with-dhcp.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif-s
@ -38,7 +38,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
:var6: <vlan-id>
:var7: 20
.. cmdinclude:: ../_include/interface-description.txt
.. cmdinclude:: /_include/interface-description.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif-s
@ -48,7 +48,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
:var6: <vlan-id>
:var7: 20
.. cmdinclude:: ../_include/interface-disable.txt
.. cmdinclude:: /_include/interface-disable.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif-s
@ -58,7 +58,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
:var6: <vlan-id>
:var7: 20
.. cmdinclude:: ../_include/interface-disable-link-detect.txt
.. cmdinclude:: /_include/interface-disable-link-detect.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif-s
@ -68,7 +68,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
:var6: <vlan-id>
:var7: 20
.. cmdinclude:: ../_include/interface-mac.txt
.. cmdinclude:: /_include/interface-mac.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif-s
@ -78,7 +78,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
:var6: <vlan-id>
:var7: 20
.. cmdinclude:: ../_include/interface-mtu.txt
.. cmdinclude:: /_include/interface-mtu.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif-s
@ -108,7 +108,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
:var6: <vlan-id>
:var7: 20
.. cmdinclude:: ../_include/interface-vrf.txt
.. cmdinclude:: /_include/interface-vrf.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif-s
@ -120,7 +120,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
**DHCP(v6)**
.. cmdinclude:: ../_include/interface-dhcp-options.txt
.. cmdinclude:: /_include/interface-dhcp-options.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif-s
@ -130,7 +130,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
:var6: <vlan-id>
:var7: 20
.. cmdinclude:: ../_include/interface-dhcpv6-options.txt
.. cmdinclude:: /_include/interface-dhcpv6-options.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif-s


@ -29,42 +29,42 @@ term used for this is ``vif``.
.. note:: Only 802.1Q-tagged packets are accepted on Ethernet vifs.
.. cmdinclude:: ../_include/interface-address-with-dhcp.txt
.. cmdinclude:: /_include/interface-address-with-dhcp.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif
:var3: <vlan-id>
:var4: 10
.. cmdinclude:: ../_include/interface-description.txt
.. cmdinclude:: /_include/interface-description.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif
:var3: <vlan-id>
:var4: 10
.. cmdinclude:: ../_include/interface-disable.txt
.. cmdinclude:: /_include/interface-disable.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif
:var3: <vlan-id>
:var4: 10
.. cmdinclude:: ../_include/interface-disable-link-detect.txt
.. cmdinclude:: /_include/interface-disable-link-detect.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif
:var3: <vlan-id>
:var4: 10
.. cmdinclude:: ../_include/interface-mac.txt
.. cmdinclude:: /_include/interface-mac.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif
:var3: <vlan-id>
:var4: 10
.. cmdinclude:: ../_include/interface-mtu.txt
.. cmdinclude:: /_include/interface-mtu.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif
@ -85,7 +85,7 @@ term used for this is ``vif``.
:var3: <vlan-id>
:var4: 10
.. cmdinclude:: ../_include/interface-vrf.txt
.. cmdinclude:: /_include/interface-vrf.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif
@ -94,14 +94,14 @@ term used for this is ``vif``.
**DHCP(v6)**
.. cmdinclude:: ../_include/interface-dhcp-options.txt
.. cmdinclude:: /_include/interface-dhcp-options.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif
:var3: <vlan-id>
:var4: 10
.. cmdinclude:: ../_include/interface-dhcpv6-options.txt
.. cmdinclude:: /_include/interface-dhcpv6-options.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
:var2: vif

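--- a/docs/_include/vyos-1x
+++ b/docs/_include/vyos-1x
@@ -0,0 +1 @@
+Subproject commit 64d6e689a8274845a49e6931eda6cda04615de42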


@ -10,8 +10,45 @@ span.cfgcmd {
font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",Courier,monospace;
}
.opcmd-heading,
span.cfgcmd:before {
content: "#";
margin-right: 0px;
}
td p a.cmdlink span.cfgcmd:before,
td p a.cmdlink span.opcmd:before {
content: "";
}
td p a.cmdlink,
td p a.cmdlink {
margin-left: 0px;
}
tr td p {
margin-bottom:0px
}
span.opcmd:before {
content: "$";
margin-right: 0px;
}
.cfgcmd-heading {
display: inline-block;
margin: 6px 0;
font-size: 90%;
line-height: normal;
background: #f0d481;
color: #2980B9;
border-top: solid 3px #6ab0de;
border-top-width: 3px;
border-top-style: solid;
border-top-color: #FF9302;
padding: 6px;
}
.opcmd-heading {
display: inline-block;
margin: 6px 0;
font-size: 90%;
@ -34,7 +71,7 @@ span.cfgcmd {
.cfgcmd-heading .cmdlink:after,
.opcmd-heading .cmdlink:after {
.opcmd-heading .cmdlink:after{
content: "";
font-family: FontAwesome
}
@ -97,21 +134,44 @@ a.cmdlink span:hover{
}
.wy-side-nav-search {
background-color : #FF0000 !important;
background-color : #ffffff !important;
}
.wy-side-nav-search img {
background-color : #FF0000 !important;
background-color : #ffffff !important;
}
.wy-side-nav-search > div.version {
color : rgba(255, 255, 255, 0.7) !important;
color : #000000 !important;
}
.wy-side-nav-search>a,
.wy-side-nav-search .wy-dropdown>a {
color:#000000;
font-size:100%;
font-weight:bold;
display:inline-block;
padding:4px 6px;
margin-bottom:.809em
}
.wy-nav-top {
background-color : #FF0000 !important;
background-color : #ffffff !important;
}
.wy-nav-top img {
background-color : #FF0000 !important;
background-color : #000000 !important;
}
.rst-content table.docutils:not(.field-list) tr:nth-child(2n-1) td.coverage-ok,
.rst-content table.docutils td.coverage-ok {
background-color: green;
color: black;
}
.rst-content table.docutils:not(.field-list) tr:nth-child(2n-1) td.coverage-fail,
.rst-content table.docutils td.coverage-fail {
background-color: red;
color: black;
}
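Review bot: The selector list `td p a.cmdlink, td p a.cmdlink` names the same selector twice; keep a single `td p a.cmdlink`. In `.cfgcmd-heading`, the shorthand `border-top: solid 3px #6ab0de` is immediately overridden by the three `border-top-width` / `border-top-style` / `border-top-color` longhands on the following lines, so the shorthand's colour never applies; either drop the longhands or fold them into one `border-top: solid 3px #FF9302`.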



@ -1,435 +0,0 @@
.. _release-notes:
#############
Release Notes
#############
******************
Version 1.2 - Crux
******************
1.2.6-S1
========
1.2.6-S1 is a security release release made in September 2020.
Resolved issues
---------------
VyOS 1.2.6 release was found to be suspectible to CVE-2020-10995. It's a low-
impact vulnerability in the PowerDNS recursor that allows an attacker to cause
performance degradation via a specially crafted authoritative DNS server reply.
* :vytask:`2899` remote syslog server migration error on update
1.2.6
=====
1.2.6 is a maintenance release made in September 2020.
Resolved issues
---------------
* :vytask:`103` DHCP server prepends shared network name to hostnames
* :vytask:`125` Missing PPPoE interfaces in l2tp configuration
* :vytask:`1194` cronjob is being setup even if not saved
* :vytask:`1205` module pcspkr missing
* :vytask:`1219` Redundant active-active configuration, asymmetric routing and
conntrack-sync cache
* :vytask:`1220` Show transceiver information from plugin modules, e.g SFP+,
QSFP
* :vytask:`1221` BGP - Default route injection is not processed by the specific
route-map
* :vytask:`1241` Remove of policy route throws CLI error
* :vytask:`1291` Under certain conditions the VTI will stay forever down
* :vytask:`1463` Missing command `show ip bgp scan` appears in command
completion
* :vytask:`1575` `show snmp mib ifmib` crashes with IndexError
* :vytask:`1699` Default net.ipv6.route.max_size 32768 is too low
* :vytask:`1729` PIM (Protocol Independent Multicast) implementation
* :vytask:`1901` Semicolon in values is interpreted as a part of the shell
command by validators
* :vytask:`1934` Change default hostname when deploy from OVA without params.
* :vytask:`1938` syslog doesn't start automatically
* :vytask:`1949` Multihop IPv6 BFD is unconfigurable
* :vytask:`1953` DDNS service name validation rejects valid service names
* :vytask:`1956` PPPoE server: support PADO-delay
* :vytask:`1973` Allow route-map to match on BGP local preference value
* :vytask:`1974` Allow route-map to set administrative distance
* :vytask:`1982` Increase rotation for atop.acct
* :vytask:`1983` Expose route-map when BGP routes are programmed in to FIB
* :vytask:`1985` pppoe: Enable ipv6 modules without configured ipv6 pools
* :vytask:`2000` strongSwan does not install routes to table 220 in certain
cases
* :vytask:`2021` OSPFv3 doesn't support decimal area syntax
* :vytask:`2062` Wrong dhcp-server static route subnet bytes
* :vytask:`2091` swanctl.conf file is not generated properly is more than one
IPsec profile is used
* :vytask:`2131` Improve syslog remote host CLI definition
* :vytask:`2224` Update Linux Kernel to v4.19.114
* :vytask:`2286` IPoE server vulnerability
* :vytask:`2303` Unable to delete the image version that came from OVA
* :vytask:`2305` Add release name to "show version" command
* :vytask:`2311` Statically configured name servers may not take precedence
over ones from DHCP
* :vytask:`2327` Unable to create syslog server entry with different port
* :vytask:`2332` Backport node option for a syslog server
* :vytask:`2342` Bridge l2tpv3 + ethX errors
* :vytask:`2344` PPPoE server client static IP assignment silently fails
* :vytask:`2385` salt-minion: improve completion helpers
* :vytask:`2389` BGP community-list unknown command
* :vytask:`2398` op-mode "dhcp client leases interface" completion helper
misses interfaces
* :vytask:`2402` Live ISO should warn when configuring that changes won't
persist
* :vytask:`2443` NHRP: Add debugging information to syslog
* :vytask:`2448` `monitor protocol bgp` subcommands fail with 'command
incomplete'
* :vytask:`2458` Update FRR to 7.3.1
* :vytask:`2476` Bond member description change leads to network outage
* :vytask:`2478` login radius: use NAS-IP-Address if defined source address
* :vytask:`2482` Update PowerDNS recursor to 4.3.1 for CVE-2020-10995
* :vytask:`2517` vyos-container: link_filter: No such file or directory
* :vytask:`2526` Wake-On-Lan CLI implementation
* :vytask:`2528` "update dns dynamic" throws FileNotFoundError excepton
* :vytask:`2536` "show log dns forwarding" still refers to dnsmasq
* :vytask:`2538` Update Intel NIC drivers to recent release (preparation for
Kernel >=5.4)
* :vytask:`2545` Show physical device offloading capabilities for specified
ethernet interface
* :vytask:`2563` Wrong interface binding for Dell VEP 1445
* :vytask:`2605` SNMP service is not disabled by default
* :vytask:`2625` Provide generic Library for package builds
* :vytask:`2686` FRR: BGP: large-community configuration is not applied
properly after upgrading FRR to 7.3.x series
* :vytask:`2701` `vpn ipsec pfs enable` doesn't work with IKE groups
* :vytask:`2728` Protocol option ignored for IPSec peers in transport mode
* :vytask:`2734` WireGuard: fwmark CLI definition is inconsistent
* :vytask:`2757` "show system image version" contains additional new-line
character breaking output
* :vytask:`2797` Update Linux Kernel to v4.19.139
* :vytask:`2822` Update Linux Kernel to v4.19.141
* :vytask:`2829` PPPoE server: mppe setting is implemented as node instead of
leafNode
* :vytask:`2831` Update Linux Kernel to v4.19.142
* :vytask:`2852` rename dynamic dns interface breaks ddclient.cache permissions
* :vytask:`2853` Intel QAT acceleration does not work
1.2.5
=====
1.2.5 is a maintenance release made in April 2020.
Resolved issues
---------------
* :vytask:`1020` OSPF Stops distributing default route after a while
* :vytask:`1228` pppoe default-route force option not working (Rel 1.2.0-rc11)
* :vytask:`1301` bgp peer-groups don't work when "no-ipv4-unicast" is enabled.
* :vytask:`1341` Adding rate-limiter for pppoe server users
* :vytask:`1376` Incorrect DHCP lease counting
* :vytask:`1392` Large firewall rulesets cause the system to lose configuration
and crash at startup
* :vytask:`1416` 2 dhcp server run in failover mode can't sync hostname with
each other
* :vytask:`1452` accel-pppoe - add vendor option to shaper
* :vytask:`1490` BGP configuration (is lost|not applied) when updating 1.1.8 ->
1.2.1
* :vytask:`1780` Adding ipsec ike closeaction
* :vytask:`1803` Unbind NTP while it's not requested...
* :vytask:`1821` "authentication mode radius" has no effect for PPPoE server
* :vytask:`1827` Increase default gc_thresh
* :vytask:`1828` Missing completion helper for "set system syslog host
192.0.2.1 facility all protocol"
* :vytask:`1832` radvd adding feature DNSSL branch.example.com example.com to
existing package
* :vytask:`1837` PPPoE unrecognized option 'replacedefaultroute'
* :vytask:`1851` wireguard - changing the pubkey on an existing peer seems to
destroy the running config.
* :vytask:`1858` l2tp: Delete depricated outside-nexthop and add gateway-address
* :vytask:`1864` Lower IPSec DPD timeout lower limit from 10s -> 2s
* :vytask:`1879` Extend Dynamic DNS XML definition value help strings and
validators
* :vytask:`1881` Execute permissions are removed from custom SNMP scripts at
commit time
* :vytask:`1884` Keeping VRRP transition-script native behaviour and adding
stop-script
* :vytask:`1891` Router announcements broken on boot
* :vytask:`1900` Enable SNMP for VRRP.
* :vytask:`1902` Add redistribute non main table in bgp
* :vytask:`1909` Incorrect behaviour of static routes with overlapping networks
* :vytask:`1913` "system ipv6 blacklist" command has no effect
* :vytask:`1914` IPv6 multipath hash policy does not apply
* :vytask:`1917` Update WireGuard to Debian release 0.0.20191219-1
* :vytask:`1934` Change default hostname when deploy from OVA without params.
* :vytask:`1935` NIC identification and usage problem in Hyper-V environments
* :vytask:`1936` pppoe-server CLI control features
* :vytask:`1964` SNMP Script-extensions allows names with spaces, but commit
fails
* :vytask:`1967` BGP parameter "enforce-first-as" does not work anymore
* :vytask:`1970` Correct adding interfaces on boot
* :vytask:`1971` Missing modules in initrd.img for PXE boot
* :vytask:`1998` Update FRR to 7.3
* :vytask:`2001` Error when router reboot
* :vytask:`2032` Monitor bandwidth bits
* :vytask:`2059` Set source-validation on bond vif don't work
* :vytask:`2066` PPPoE interface can be created multiple times - last wins
* :vytask:`2069` PPPoE-client does not works with service-name option
* :vytask:`2077` ISO build from crux branch is failing
* :vytask:`2079` Update Linux Kernel to v4.19.106
* :vytask:`2087` Add maxfail 0 option to pppoe configuration.
* :vytask:`2100` BGP route adverisement wih checks rib
* :vytask:`2120` "reset vpn ipsec-peer" doesn't work with named peers
* :vytask:`2197` Cant add vif-s interface into a bridge
* :vytask:`2228` WireGuard does not allow ports < 1024 to be used
* :vytask:`2252` HTTP API add system image can return '504 Gateway Time-out'
* :vytask:`2272` Set system flow-accounting disable-imt has syntax error
* :vytask:`2276` PPPoE server vulnerability
1.2.4
=====
1.2.4 is a maintenance release made in December 2019.
Resolved issues
---------------
* :vytask:`T258` Can not configure wan load-balancing on vyos-1.2
* :vytask:`T818` SNMP v3 - remove required engineid from user node
* :vytask:`T1030` Upgrade ddclient from 3.8.2 to 3.9.0 (support Cloudflare
API v4)
* :vytask:`T1183` BFD Support via FRR
* :vytask:`T1299` Allow SNMPd to be extended with custom scripts
* :vytask:`T1351` accel-pppoe adding CIDR based IP pool option
* :vytask:`T1391` In route-map set community additive
* :vytask:`T1394` syslog systemd and host_name.py race condition
* :vytask:`T1401` Copying files with the FTP protocol fails if the password
contains special characters
* :vytask:`T1421` OpenVPN client push-route stopped working, needs added quotes
to fix
* :vytask:`T1430` Add options for custom DHCP client-id and hostname
* :vytask:`T1447` Python subprocess called without import in host_name.py
* :vytask:`T1470` improve output of "show dhcpv6 server leases"
* :vytask:`T1485` Enable 'AdvIntervalOpt' option in for radvd.conf
* :vytask:`T1496` Separate rolling release and LTS kernel builds
* :vytask:`T1560` "set load-balancing wan rule 0" causes segfault and prevents
load balancing from starting
* :vytask:`T1568` strip-private command improvement for additional masking of
IPv6 and MAC address
* :vytask:`T1578` completion offers "show table", but show table does not exist
* :vytask:`T1593` Support ip6gre
* :vytask:`T1597` /usr/sbin/rsyslogd after deleting "system syslog"
* :vytask:`T1638` vyos-hostsd not setting system domain name
* :vytask:`T1678` hostfile-update missing line feed
* :vytask:`T1694` NTPd: Do not listen on all interfaces by default
* :vytask:`T1701` Delete domain-name and domain-search won't work
* :vytask:`T1705` High CPU usage by bgpd when snmp is active
* :vytask:`T1707` DHCP static mapping and exclude address not working
* :vytask:`T1708` Update Rolling Release Kernel to 4.19.76
* :vytask:`T1709` Update WireGuard to 0.0.20190913
* :vytask:`T1716` Update Intel NIC drivers to recent versions
* :vytask:`T1726` Update Linux Firmware binaries to a more recent version
2019-03-14 -> 2019-10-07
* :vytask:`T1728` Update Linux Kernel to 4.19.79
* :vytask:`T1737` SNMP tab completion missing
* :vytask:`T1738` Copy SNMP configuration from node to node raises exception
* :vytask:`T1740` Broken OSPFv2 virtual-link authentication
* :vytask:`T1742` NHRP unable to commit.
* :vytask:`T1745` dhcp-server commit fails with "DHCP range stop address x must
be greater or equal to the range start address y!" when static mapping has
same IP as range stop
* :vytask:`T1749` numeric validator doesn't support multiple ranges
* :vytask:`T1769` Remove complex SNMPv3 Transport Security Model (TSM)
* :vytask:`T1772` <regex> constraints in XML are partially broken
* :vytask:`T1778` Kilobits/Megabits difference in configuration Vyos/FRR
* :vytask:`T1780` Adding ipsec ike closeaction
* :vytask:`T1786` disable-dhcp-nameservers is missed in current host_name.py
implementation
* :vytask:`T1788` Intel QAT (QuickAssist Technology ) implementation
* :vytask:`T1792` Update WireGuard to Debian release 0.0.20191012-1
* :vytask:`T1800` Update Linux Kernel to v4.19.84
* :vytask:`T1809` Wireless: SSID scan does not work in AP mode
* :vytask:`T1811` Upgrade from 1.1.8: Config file migration failed: module=l2tp
* :vytask:`T1812` DHCP: hostnames of clients not resolving after update v1.2.3
-> 1.2-rolling
* :vytask:`T1819` Reboot kills SNMPv3 configuration
* :vytask:`T1822` Priority inversion wireless interface dhcpv6
* :vytask:`T1825` Improve DHCP configuration error message
* :vytask:`T1836` import-conf-mode-commands in vyos-1x/scripts fails to create
an XML
* :vytask:`T1839` LLDP shows "VyOS unknown" instead of "VyOS"
* :vytask:`T1841` PPP ipv6-up.d direcotry missing
* :vytask:`T1893` igmp-proxy: Do not allow adding unknown interface
* :vytask:`T1903` Implementation udev predefined interface naming
* :vytask:`T1904` update eth1 and eth2 link files for the vep4600
1.2.3
=====
1.2.3 is a maintenance and feature backport release made in September 2019.
New features
------------
* HTTP API
* :vytask:`T1524` "set service dns forwarding allow-from <IPv4 net|IPv6 net>"
option for limiting queries to specific client networks
* :vytask:`T1503` Functions for checking if a commit is in progress
* :vytask:`T1543` "set system contig-mangement commit-archive source-address"
option
* :vytask:`T1554` Intel NIC drivers now support receive side scaling and
multiqueue
Resolved issues
---------------
* :vytask:`T1209` OSPF max-metric values over 100 no longer causes commit
errors
* :vytask:`T1333` Fixes issue with DNS forwarding not performing recursive
lookups on domain specific forwarders
* :vytask:`T1362` Special characters in VRRP passwords are handled correctly
* :vytask:`T1377` BGP weight is applied properly
* :vytask:`T1420` Fixed permission for log files
* :vytask:`T1425` Wireguard interfaces now support /31 addresses
* :vytask:`T1428` Wireguard correctly handles firewall marks
* :vytask:`T1439` DHCPv6 static mappings now work correctly
* :vytask:`T1450` Flood ping commands now works correctly
* :vytask:`T1460` Op mode "show firewall" commands now support counters longer
than 8 digits (T1460)
* :vytask:`T1465` Fixed priority inversion in VTI commands
* :vytask:`T1468` Fixed remote-as check in the BGP route-reflector-client option
* :vytask:`T1472` It's now possible to re-create VRRP groups with RFC
compatibility mode enabled
* :vytask:`T1527` Fixed a typo in DHCPv6 server help strings
* :vytask:`T1529` Unnumbered BGP peers now support VLAN interfaces
* :vytask:`T1530` Fixed "set system syslog global archive file" command
* :vytask:`T1531` Multiple fixes in cluster configuration scripts
* :vytask:`T1537` Fixed missing help text for "service dns"
* :vytask:`T1541` Fixed input validation in DHCPv6 relay options
* :vytask:`T1551` It's now possible to create a QinQ interface and a firewall
assigned to it in one commit
* :vytask:`T1559` URL filtering now uses correct rule database path and works
again
* :vytask:`T1579` "show log vpn ipsec" command works again
* :vytask:`T1576` "show arp interface <intf>" command works again
* :vytask:`T1605` Fixed regression in L2TP/IPsec server
* :vytask:`T1613` Netflow/sFlow captures IPv6 traffic correctly
* :vytask:`T1616` "renew dhcpv6" command now works from op mode
* :vytask:`T1642` BGP remove-private-as option iBGP vs eBGP check works
correctly now
* :vytask:`T1540`, :vytask:`T1360`, :vytask:`T1264`, :vytask:`T1623` Multiple
improvements in name servers and hosts configuration handling
Internals
---------
``/etc/resolv.conf`` and ``/etc/hosts`` files are now managed by the
*vyos-hostsd* service that listens on a ZMQ socket for update messages.
1.2.2
=====
1.2.2 is a maintenance release made in July 2019.
New features
------------
* Options for per-interface MSS clamping.
* BGP extended next-hop capability
* Relaxed BGP multipath option
* Internal and external options for "remote-as" (accept any AS as long as it's
the same to this router or different, respectively)
* "Unnumbered" (interface-based) BGP peers
* BGP no-prepend option
* Additive BGP community option
* OSPFv3 network type option
* Custom arguments for VRRP scripts
* A script for querying values from config files
Resolved issues
---------------
* Linux kernel 4.19.54, including a fix for the TCP SACK vulnerability
* :vytask:`T1371` VRRP health-check scripts now can use arguments
* :vytask:`T1497` DNS server addresses coming from a DHCP server are now
correctly propagated to resolv.conf
* :vytask:`T1469` Domain-specific name servers in DNS forwarding are now used
for recursive queries
* :vytask:`T1433` ``run show dhcpv6 server leases`` now display leases correctly
* :vytask:`T1461` Deleting ``firewall options`` node no longer causes errors
* :vytask:`T1458` Correct hostname is sent to remote syslog again
* :vytask:`T1438` Board serial number from DMI is correctly displayed in
``show version``
* :vytask:`T1358`, :vytask:`T1355`, :vytask:`T1294` Multiple corrections in
remote syslog config
* :vytask:`T1255` Fixed missing newline in ``/etc/hosts``
* :vytask:`T1174` ``system domain-name`` is correctly included in
``/etc/resolv.conf``
* :vytask:`T1465` Fixed priority inversion in ``interfaces vti vtiX ip``
settings
* :vytask:`T1446` Fixed errors when installing with RAID1 on UEFI machines
* :vytask:`T1387` Fixed an error on disabling an interfaces that has no address
* :vytask:`T1367` Fixed deleting VLAN interface with non-default MTU
* :vytask:`T1505` vyos.config ``return_effective_values()`` function now
correctly returns a list rather than a string
1.2.1
=====
VyOS 1.2.1 is a maintenance release made in April 2019.
Resolved issues
---------------
* Package updates: kernel 4.19.32, open-vm-tools 10.3, latest Intel NIC drivers
* :vytask:`T1326` The kernel now includes drivers for various USB serial
adapters, which allows people to add a serial console to a machine without
onboard RS232, or connect to something else from the router
* The collection of network card firmware is now much more extensive
* :vytask:`T1271` VRRP now correctly uses a virtual rather than physical MAC
addresses in the RFC-compliant mode
* :vytask:`T1330` DHCP WPAD URL option works correctly again
* :vytask:`T1312` Many to many NAT rules now can use source/destination and
translation networks of non-matching size. If 1:1 network bits translation is
desired, it's now users responsibility to check if prefix length matches.
* :vytask:`T1290` IPv6 network prefix translation is fixed
* :vytask:`T1308` Non-alphanumeric characters such as ``>`` can now be safely
used in PPPoE passwords
* :vytask:`T1305` ``show | commands`` no longer fails when a config section ends
with a leaf node such as ``timezone`` in ``show system | commands``
* :vytask:`T1235` ``show | commands`` correctly works in config mode now
* :vytask:`T1298` VTI is now compatible with the DHCP-interface IPsec option
* :vytask:`T1277` ``show dhcp server statistics`` command was broken in latest
Crux
* :vytask:`T1261` An issue with TFTP server refusing to listen on addresses
other than loopback was fixed
* :vytask:`T1224` Template issue that might cause UDP broadcast relay fail to
start is fixed
* :vytask:`T1067` VXLAN value validation is improved
* :vytask:`T1211` Blank hostnames in DHCP updates no longer can crash DNS
forwarding
* :vytask:`T1322` Correct configuration is now generated for DHCPv6 relays with
more than one upstream interface
* :vytask:`T1234` ``relay-agents-packets`` option works correctly now
* :vytask:`T1231` Dynamic DNS data is now cleaned on configuration change
* :vytask:`T1282` Remote Syslog can now use a fully qualified domain name
* :vytask:`T1279` ACPI power off works again
* :vytask:`T1247` Negation in WAN load balancing rules works again
* :vytask:`T1218` FRR staticd now starts on boot correctly
* :vytask:`T1296` The installer now correctly detects SD card devices
* :vytask:`T1225` Wireguard peers can be disabled now
* :vytask:`T1217` The issue with Wireguard interfaces impossible to delete
is fixed
* :vytask:`T1160` Unintended IPv6 access is fixed in SNMP configuration
* :vytask:`T1060` It's now possible to exclude hosts from the transparent
web proxy
* :vytask:`T484` An issue with rules impossible to delete from the zone-based
firewall is fixed
Earlier releases
================
Release notes for legacy versions (1.1.x, 1.0.x) can be found in the
`archived wiki <https://web.archive.org/web/20200212180711/https://wiki.vyos.net/wiki/Category:Release_notes>`_.


@ -1,12 +0,0 @@
.. _virtual:
Running on Virtual Environments
===============================
.. toctree::
:maxdepth: 2
libvirt
vyos-on-vmware
vyos-on-gns3


@ -1,173 +0,0 @@
.. _vyos-on-clouds:
Running on Clouds
#################
Amazon AWS
**********
Deploy VM
---------
Deploy VyOS on Amazon :abbr:`AWS (Amazon Web Services)`
1. Click to ``Instances`` and ``Launch Instance``
.. figure:: /_static/images/cloud-aws-01.png
2. On the marketplace search "VyOS"
.. figure:: /_static/images/cloud-aws-02.png
3. Choose the instance type. Minimum recommendation start from ``m3.medium``
.. figure:: /_static/images/cloud-aws-03.png
4. Configure instance for your requirements. Select number of instances / network / subnet
.. figure:: /_static/images/cloud-aws-04.png
5. Additional storage. You can remove additional storage ``/dev/sdb``. First root device will be ``/dev/xvda``. You can skeep this step.
.. figure:: /_static/images/cloud-aws-05.png
6. Configure Security Group. It's recommended that you configure ssh access only from certain address sources. Or permit any (by default).
.. figure:: /_static/images/cloud-aws-06.png
7. Select SSH key pair and click ``Launch Instances``
.. figure:: /_static/images/cloud-aws-07.png
8. Find out your public IP address.
.. figure:: /_static/images/cloud-aws-08.png
9. Connect to the instance by SSH key.
.. code-block:: none
ssh -i ~/.ssh/amazon.pem vyos@203.0.113.3
vyos@ip-192-0-2-10:~$
References
----------
https://console.aws.amazon.com/
Azure
*****
Deploy VM
---------
Deploy VyOS on Azure.
1. Go to the Azure services and Click to **Add new Virtual machine**
2. Choose vm name, resource group, region and click **Browse all public and private images**
.. figure:: /_static/images/cloud-azure-01.png
3. On the marketplace search ``VyOS``
.. figure:: /_static/images/cloud-azure-02.png
4. Generate new SSH key pair or use existing.
.. figure:: /_static/images/cloud-azure-03.png
5. Define network, subnet, Public IP. Or it will be created by default.
.. figure:: /_static/images/cloud-azure-04.png
6. Click ``Review + create``. After fiew second your deployment will be complete
.. figure:: /_static/images/cloud-azure-05.png
7. Click to your new vm and find out your Public IP address.
.. figure:: /_static/images/cloud-azure-06.png
8. Connect to the instance by SSH key.
.. code-block:: none
ssh -i ~/.ssh/vyos_azure vyos@203.0.113.3
vyos@vyos-doc-r1:~$
Add interface
-------------
If instance was deployed with one **eth0** ``WAN`` interface and want to add new one.
To add new interface an example **eth1** ``LAN`` you need shutdown the instance. Attach the interface in the Azure portal and then start the instance.
.. NOTE:: Azure does not allow you attach interface when the instance in the **Running** state.
References
----------
https://azure.microsoft.com
Google Cloud Platform
*********************
Deploy VM
---------
To deploy VyOS on GCP (Google Cloud Platform)
1. Generate SSH key pair type **ssh-rsa** from the host that will connect to VyOS.
Example:
.. code-block:: none
ssh-keygen -t rsa -f ~/.ssh/vyos_gcp -C "vyos@mypc"
.. NOTE:: In name "vyos@mypc" The first value must be "**vyos**". Because default user is vyos and google api uses this option.
2. Open GCP console and navigate to the menu **Metadata**. Choose **SSH Keys** and click ``edit``.
.. figure:: /_static/images/cloud-gcp-01.png
Click **Add item** and paste your public ssh key. Click ``Save``.
.. figure:: /_static/images/cloud-gcp-02.png
2. On marketplace search "VyOS"
3. Change Deployment name/Zone/Machine type and click ``Deploy``
.. figure:: /_static/images/cloud-gcp-03.png
4. After fiew seconds click to ``instance``
.. figure:: /_static/images/cloud-gcp-04.png
5. Find out your external IP address
.. figure:: /_static/images/cloud-gcp-05.png
6. Connect to the instance. SSH key was generated in the first step.
.. code-block:: none
ssh -i ~/.ssh/vyos_gcp vyos@203.0.113.3
vyos@vyos-r1-vm:~$
References
----------
https://console.cloud.google.com/
Oracle
*****************
References
----------
https://www.oracle.com/cloud/

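--- a/docs/automation/index.rst
+++ b/docs/automation/index.rst
@@ -0,0 +1,15 @@
+###############
+VyOS Automation
+###############
+* Ansible
+* Saltstack
+* HTTP-API
+* startup scripts
+.. toctree::
+:maxdepth: 1
+command-scripting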
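--- a/docs/changelog/1.2.1.rst
+++ b/docs/changelog/1.2.1.rst
@@ -0,0 +1,52 @@
+1.2.1
+=====
+VyOS 1.2.1 is a maintenance release made in April 2019.
+Resolved issues
+---------------
+* Package updates: kernel 4.19.32, open-vm-tools 10.3, latest Intel NIC drivers
+* :vytask:`T1326` The kernel now includes drivers for various USB serial
+adapters, which allows people to add a serial console to a machine without
+onboard RS232, or connect to something else from the router
+* The collection of network card firmware is now much more extensive
+* :vytask:`T1271` VRRP now correctly uses a virtual rather than physical MAC
+addresses in the RFC-compliant mode
+* :vytask:`T1330` DHCP WPAD URL option works correctly again
+* :vytask:`T1312` Many to many NAT rules now can use source/destination and
+translation networks of non-matching size. If 1:1 network bits translation is
+desired, it's now users responsibility to check if prefix length matches.
+* :vytask:`T1290` IPv6 network prefix translation is fixed
+* :vytask:`T1308` Non-alphanumeric characters such as ``>`` can now be safely
+used in PPPoE passwords
+* :vytask:`T1305` ``show | commands`` no longer fails when a config section ends
+with a leaf node such as ``timezone`` in ``show system | commands``
+* :vytask:`T1235` ``show | commands`` correctly works in config mode now
+* :vytask:`T1298` VTI is now compatible with the DHCP-interface IPsec option
+* :vytask:`T1277` ``show dhcp server statistics`` command was broken in latest
+Crux
+* :vytask:`T1261` An issue with TFTP server refusing to listen on addresses
+other than loopback was fixed
+* :vytask:`T1224` Template issue that might cause UDP broadcast relay fail to
+start is fixed
+* :vytask:`T1067` VXLAN value validation is improved
+* :vytask:`T1211` Blank hostnames in DHCP updates no longer can crash DNS
+forwarding
+* :vytask:`T1322` Correct configuration is now generated for DHCPv6 relays with
+more than one upstream interface
+* :vytask:`T1234` ``relay-agents-packets`` option works correctly now
+* :vytask:`T1231` Dynamic DNS data is now cleaned on configuration change
+* :vytask:`T1282` Remote Syslog can now use a fully qualified domain name
+* :vytask:`T1279` ACPI power off works again
+* :vytask:`T1247` Negation in WAN load balancing rules works again
+* :vytask:`T1218` FRR staticd now starts on boot correctly
+* :vytask:`T1296` The installer now correctly detects SD card devices
+* :vytask:`T1225` Wireguard peers can be disabled now
+* :vytask:`T1217` The issue with Wireguard interfaces impossible to delete
+is fixed
+* :vytask:`T1160` Unintended IPv6 access is fixed in SNMP configuration
+* :vytask:`T1060` It's now possible to exclude hosts from the transparent
+web proxy
+* :vytask:`T484` An issue with rules impossible to delete from the zone-based
+firewall is fixed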
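--- a/docs/changelog/1.2.2.rst
+++ b/docs/changelog/1.2.2.rst
@@ -0,0 +1,46 @@
+1.2.2
+=====
+1.2.2 is a maintenance release made in July 2019.
+New features
+------------
+* Options for per-interface MSS clamping.
+* BGP extended next-hop capability
+* Relaxed BGP multipath option
+* Internal and external options for "remote-as" (accept any AS as long as it's
+the same to this router or different, respectively)
+* "Unnumbered" (interface-based) BGP peers
+* BGP no-prepend option
+* Additive BGP community option
+* OSPFv3 network type option
+* Custom arguments for VRRP scripts
+* A script for querying values from config files
+Resolved issues
+---------------
+* Linux kernel 4.19.54, including a fix for the TCP SACK vulnerability
+* :vytask:`T1371` VRRP health-check scripts now can use arguments
+* :vytask:`T1497` DNS server addresses coming from a DHCP server are now
+correctly propagated to resolv.conf
+* :vytask:`T1469` Domain-specific name servers in DNS forwarding are now used
+for recursive queries
+* :vytask:`T1433` ``run show dhcpv6 server leases`` now display leases correctly
+* :vytask:`T1461` Deleting ``firewall options`` node no longer causes errors
+* :vytask:`T1458` Correct hostname is sent to remote syslog again
+* :vytask:`T1438` Board serial number from DMI is correctly displayed in
+``show version``
+* :vytask:`T1358`, :vytask:`T1355`, :vytask:`T1294` Multiple corrections in
+remote syslog config
+* :vytask:`T1255` Fixed missing newline in ``/etc/hosts``
+* :vytask:`T1174` ``system domain-name`` is correctly included in
+``/etc/resolv.conf``
+* :vytask:`T1465` Fixed priority inversion in ``interfaces vti vtiX ip``
+settings
+* :vytask:`T1446` Fixed errors when installing with RAID1 on UEFI machines
+* :vytask:`T1387` Fixed an error on disabling an interfaces that has no address
+* :vytask:`T1367` Fixed deleting VLAN interface with non-default MTU
+* :vytask:`T1505` vyos.config ``return_effective_values()`` function now
+correctly returns a list rather than a string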
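--- a/docs/changelog/1.2.3.rst
+++ b/docs/changelog/1.2.3.rst
@@ -0,0 +1,62 @@
+1.2.3
+=====
+1.2.3 is a maintenance and feature backport release made in September 2019.
+New features
+------------
+* HTTP API
+* :vytask:`T1524` "set service dns forwarding allow-from <IPv4 net|IPv6 net>"
+option for limiting queries to specific client networks
+* :vytask:`T1503` Functions for checking if a commit is in progress
+* :vytask:`T1543` "set system contig-mangement commit-archive source-address"
+option
+* :vytask:`T1554` Intel NIC drivers now support receive side scaling and
+multiqueue
+Resolved issues
+---------------
+* :vytask:`T1209` OSPF max-metric values over 100 no longer causes commit
+errors
+* :vytask:`T1333` Fixes issue with DNS forwarding not performing recursive
+lookups on domain specific forwarders
+* :vytask:`T1362` Special characters in VRRP passwords are handled correctly
+* :vytask:`T1377` BGP weight is applied properly
+* :vytask:`T1420` Fixed permission for log files
+* :vytask:`T1425` Wireguard interfaces now support /31 addresses
+* :vytask:`T1428` Wireguard correctly handles firewall marks
+* :vytask:`T1439` DHCPv6 static mappings now work correctly
+* :vytask:`T1450` Flood ping commands now works correctly
+* :vytask:`T1460` Op mode "show firewall" commands now support counters longer
+than 8 digits (T1460)
+* :vytask:`T1465` Fixed priority inversion in VTI commands
+* :vytask:`T1468` Fixed remote-as check in the BGP route-reflector-client option
+* :vytask:`T1472` It's now possible to re-create VRRP groups with RFC
+compatibility mode enabled
+* :vytask:`T1527` Fixed a typo in DHCPv6 server help strings
+* :vytask:`T1529` Unnumbered BGP peers now support VLAN interfaces
+* :vytask:`T1530` Fixed "set system syslog global archive file" command
+* :vytask:`T1531` Multiple fixes in cluster configuration scripts
+* :vytask:`T1537` Fixed missing help text for "service dns"
+* :vytask:`T1541` Fixed input validation in DHCPv6 relay options
+* :vytask:`T1551` It's now possible to create a QinQ interface and a firewall
+assigned to it in one commit
+* :vytask:`T1559` URL filtering now uses correct rule database path and works
+again
+* :vytask:`T1579` "show log vpn ipsec" command works again
+* :vytask:`T1576` "show arp interface <intf>" command works again
+* :vytask:`T1605` Fixed regression in L2TP/IPsec server
+* :vytask:`T1613` Netflow/sFlow captures IPv6 traffic correctly
+* :vytask:`T1616` "renew dhcpv6" command now works from op mode
+* :vytask:`T1642` BGP remove-private-as option iBGP vs eBGP check works
+correctly now
+* :vytask:`T1540`, :vytask:`T1360`, :vytask:`T1264`, :vytask:`T1623` Multiple
+improvements in name servers and hosts configuration handling
+Internals
+---------
+``/etc/resolv.conf`` and ``/etc/hosts`` files are now managed by the
+*vyos-hostsd* service that listens on a ZMQ socket for update messages.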
65
docs/changelog/1.2.4.rst Normal file

@ -0,0 +1,65 @@
1.2.4
=====
1.2.4 is a maintenance release made in December 2019.
Resolved issues
---------------
* :vytask:`T258` Can not configure wan load-balancing on vyos-1.2
* :vytask:`T818` SNMP v3 - remove required engineid from user node
* :vytask:`T1030` Upgrade ddclient from 3.8.2 to 3.9.0 (support Cloudflare API v4)
* :vytask:`T1183` BFD Support via FRR
* :vytask:`T1299` Allow SNMPd to be extended with custom scripts
* :vytask:`T1351` accel-pppoe adding CIDR based IP pool option
* :vytask:`T1391` In route-map set community additive
* :vytask:`T1394` syslog systemd and host_name.py race condition
* :vytask:`T1401` Copying files with the FTP protocol fails if the password contains special characters
* :vytask:`T1421` OpenVPN client push-route stopped working, needs added quotes to fix
* :vytask:`T1430` Add options for custom DHCP client-id and hostname
* :vytask:`T1447` Python subprocess called without import in host_name.py
* :vytask:`T1470` improve output of "show dhcpv6 server leases"
* :vytask:`T1485` Enable 'AdvIntervalOpt' option in for radvd.conf
* :vytask:`T1496` Separate rolling release and LTS kernel builds
* :vytask:`T1560` "set load-balancing wan rule 0" causes segfault and prevents load balancing from starting
* :vytask:`T1568` strip-private command improvement for additional masking of IPv6 and MAC address
* :vytask:`T1578` completion offers "show table", but show table does not exist
* :vytask:`T1593` Support ip6gre
* :vytask:`T1597` /usr/sbin/rsyslogd after deleting "system syslog"
* :vytask:`T1638` vyos-hostsd not setting system domain name
* :vytask:`T1678` hostfile-update missing line feed
* :vytask:`T1694` NTPd: Do not listen on all interfaces by default
* :vytask:`T1701` Delete domain-name and domain-search won't work
* :vytask:`T1705` High CPU usage by bgpd when snmp is active
* :vytask:`T1707` DHCP static mapping and exclude address not working
* :vytask:`T1708` Update Rolling Release Kernel to 4.19.76
* :vytask:`T1709` Update WireGuard to 0.0.20190913
* :vytask:`T1716` Update Intel NIC drivers to recent versions
* :vytask:`T1726` Update Linux Firmware binaries to a more recent version 2019-03-14 -> 2019-10-07
* :vytask:`T1728` Update Linux Kernel to 4.19.79
* :vytask:`T1737` SNMP tab completion missing
* :vytask:`T1738` Copy SNMP configuration from node to node raises exception
* :vytask:`T1740` Broken OSPFv2 virtual-link authentication
* :vytask:`T1742` NHRP unable to commit.
* :vytask:`T1745` dhcp-server commit fails with "DHCP range stop address x must be greater or equal to the range start address y!" when static mapping has same IP as range stop
* :vytask:`T1749` numeric validator doesn't support multiple ranges
* :vytask:`T1769` Remove complex SNMPv3 Transport Security Model (TSM)
* :vytask:`T1772` <regex> constraints in XML are partially broken
* :vytask:`T1778` Kilobits/Megabits difference in configuration Vyos/FRR
* :vytask:`T1780` Adding ipsec ike closeaction
* :vytask:`T1786` disable-dhcp-nameservers is missed in current host_name.py implementation
* :vytask:`T1788` Intel QAT (QuickAssist Technology ) implementation
* :vytask:`T1792` Update WireGuard to Debian release 0.0.20191012-1
* :vytask:`T1800` Update Linux Kernel to v4.19.84
* :vytask:`T1809` Wireless: SSID scan does not work in AP mode
* :vytask:`T1811` Upgrade from 1.1.8: Config file migration failed: module=l2tp
* :vytask:`T1812` DHCP: hostnames of clients not resolving after update v1.2.3 -> 1.2-rolling
* :vytask:`T1819` Reboot kills SNMPv3 configuration
* :vytask:`T1822` Priority inversion wireless interface dhcpv6
* :vytask:`T1825` Improve DHCP configuration error message
* :vytask:`T1836` import-conf-mode-commands in vyos-1x/scripts fails to create an xml
* :vytask:`T1839` LLDP shows "VyOS unknown" instead of "VyOS"
* :vytask:`T1841` PPP ipv6-up.d direcotry missing
* :vytask:`T1893` igmp-proxy: Do not allow adding unknown interface
* :vytask:`T1903` Implementation udev predefined interface naming
* :vytask:`T1904` update eth1 and eth2 link files for the vep4600

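--- a/docs/changelog/1.2.5.rst
+++ b/docs/changelog/1.2.5.rst
@@ -0,0 +1,60 @@
+1.2.5
+=====
+1.2.5 is a maintenance release made in April 2020.
+Resolved issues
+---------------
+* :vytask:`1020` OSPF Stops distributing default route after a while
+* :vytask:`1228` pppoe default-route force option not working (Rel 1.2.0-rc11)
+* :vytask:`1301` bgp peer-groups don't work when "no-ipv4-unicast" is enabled.
+* :vytask:`1341` Adding rate-limiter for pppoe server users
+* :vytask:`1376` Incorrect DHCP lease counting
+* :vytask:`1392` Large firewall rulesets cause the system to lose configuration and crash at startup
+* :vytask:`1416` 2 dhcp server run in failover mode can't sync hostname with each other
+* :vytask:`1452` accel-pppoe - add vendor option to shaper
+* :vytask:`1490` BGP configuration (is lost|not applied) when updating 1.1.8 -> 1.2.1
+* :vytask:`1780` Adding ipsec ike closeaction
+* :vytask:`1803` Unbind NTP while it's not requested...
+* :vytask:`1821` "authentication mode radius" has no effect for PPPoE server
+* :vytask:`1827` Increase default gc_thresh
+* :vytask:`1828` Missing completion helper for "set system syslog host 192.0.2.1 facility all protocol"
+* :vytask:`1832` radvd adding feature DNSSL branch.example.com example.com to existing package
+* :vytask:`1837` PPPoE unrecognized option 'replacedefaultroute'
+* :vytask:`1851` wireguard - changing the pubkey on an existing peer seems to destroy the running config.
+* :vytask:`1858` l2tp: Delete depricated outside-nexthop and add gateway-address
+* :vytask:`1864` Lower IPSec DPD timeout lower limit from 10s -> 2s
+* :vytask:`1879` Extend Dynamic DNS XML definition value help strings and validators
+* :vytask:`1881` Execute permissions are removed from custom SNMP scripts at commit time
+* :vytask:`1884` Keeping VRRP transition-script native behaviour and adding stop-script
+* :vytask:`1891` Router announcements broken on boot
+* :vytask:`1900` Enable SNMP for VRRP.
+* :vytask:`1902` Add redistribute non main table in bgp
+* :vytask:`1909` Incorrect behaviour of static routes with overlapping networks
+* :vytask:`1913` "system ipv6 blacklist" command has no effect
+* :vytask:`1914` IPv6 multipath hash policy does not apply
+* :vytask:`1917` Update WireGuard to Debian release 0.0.20191219-1
+* :vytask:`1934` Change default hostname when deploy from OVA without params.
+* :vytask:`1935` NIC identification and usage problem in Hyper-V environments
+* :vytask:`1936` pppoe-server CLI control features
+* :vytask:`1964` SNMP Script-extensions allows names with spaces, but commit fails
+* :vytask:`1967` BGP parameter "enforce-first-as" does not work anymore
+* :vytask:`1970` Correct adding interfaces on boot
+* :vytask:`1971` Missing modules in initrd.img for PXE boot
+* :vytask:`1998` Update FRR to 7.3
+* :vytask:`2001` Error when router reboot
+* :vytask:`2032` Monitor bandwidth bits
+* :vytask:`2059` Set source-validation on bond vif don't work
+* :vytask:`2066` PPPoE interface can be created multiple times - last wins
+* :vytask:`2069` PPPoE-client does not works with service-name option
+* :vytask:`2077` ISO build from crux branch is failing
+* :vytask:`2079` Update Linux Kernel to v4.19.106
+* :vytask:`2087` Add maxfail 0 option to pppoe configuration.
+* :vytask:`2100` BGP route adverisement wih checks rib
+* :vytask:`2120` "reset vpn ipsec-peer" doesn't work with named peers
+* :vytask:`2197` Cant add vif-s interface into a bridge
+* :vytask:`2228` WireGuard does not allow ports < 1024 to be used
+* :vytask:`2252` HTTP API add system image can return '504 Gateway Time-out'
+* :vytask:`2272` Set system flow-accounting disable-imt has syntax error
+* :vytask:`2276` PPPoE server vulnerability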
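--- a/docs/changelog/1.2.6.rst
+++ b/docs/changelog/1.2.6.rst
@@ -0,0 +1,106 @@
+1.2.6-S1
+========
+1.2.6-S1 is a security release release made in September 2020.
+Resolved issues
+---------------
+VyOS 1.2.6 release was found to be suspectible to CVE-2020-10995. It's a low-
+impact vulnerability in the PowerDNS recursor that allows an attacker to cause
+performance degradation via a specially crafted authoritative DNS server reply.
+* :vytask:`2899` remote syslog server migration error on update
+1.2.6
+=====
+1.2.6 is a maintenance release made in September 2020.
+Resolved issues
+---------------
+* :vytask:`103` DHCP server prepends shared network name to hostnames
+* :vytask:`125` Missing PPPoE interfaces in l2tp configuration
+* :vytask:`1194` cronjob is being setup even if not saved
+* :vytask:`1205` module pcspkr missing
+* :vytask:`1219` Redundant active-active configuration, asymmetric routing and
+conntrack-sync cache
+* :vytask:`1220` Show transceiver information from plugin modules, e.g SFP+,
+QSFP
+* :vytask:`1221` BGP - Default route injection is not processed by the specific
+route-map
+* :vytask:`1241` Remove of policy route throws CLI error
+* :vytask:`1291` Under certain conditions the VTI will stay forever down
+* :vytask:`1463` Missing command `show ip bgp scan` appears in command
+completion
+* :vytask:`1575` `show snmp mib ifmib` crashes with IndexError
+* :vytask:`1699` Default net.ipv6.route.max_size 32768 is too low
+* :vytask:`1729` PIM (Protocol Independent Multicast) implementation
+* :vytask:`1901` Semicolon in values is interpreted as a part of the shell
+command by validators
+* :vytask:`1934` Change default hostname when deploy from OVA without params.
+* :vytask:`1938` syslog doesn't start automatically
+* :vytask:`1949` Multihop IPv6 BFD is unconfigurable
+* :vytask:`1953` DDNS service name validation rejects valid service names
+* :vytask:`1956` PPPoE server: support PADO-delay
+* :vytask:`1973` Allow route-map to match on BGP local preference value
+* :vytask:`1974` Allow route-map to set administrative distance
+* :vytask:`1982` Increase rotation for atop.acct
+* :vytask:`1983` Expose route-map when BGP routes are programmed in to FIB
+* :vytask:`1985` pppoe: Enable ipv6 modules without configured ipv6 pools
+* :vytask:`2000` strongSwan does not install routes to table 220 in certain
+cases
+* :vytask:`2021` OSPFv3 doesn't support decimal area syntax
+* :vytask:`2062` Wrong dhcp-server static route subnet bytes
+* :vytask:`2091` swanctl.conf file is not generated properly is more than one
+IPsec profile is used
+* :vytask:`2131` Improve syslog remote host CLI definition
+* :vytask:`2224` Update Linux Kernel to v4.19.114
+* :vytask:`2286` IPoE server vulnerability
+* :vytask:`2303` Unable to delete the image version that came from OVA
+* :vytask:`2305` Add release name to "show version" command
+* :vytask:`2311` Statically configured name servers may not take precedence
+over ones from DHCP
+* :vytask:`2327` Unable to create syslog server entry with different port
+* :vytask:`2332` Backport node option for a syslog server
+* :vytask:`2342` Bridge l2tpv3 + ethX errors
+* :vytask:`2344` PPPoE server client static IP assignment silently fails
+* :vytask:`2385` salt-minion: improve completion helpers
+* :vytask:`2389` BGP community-list unknown command
+* :vytask:`2398` op-mode "dhcp client leases interface" completion helper
+misses interfaces
+* :vytask:`2402` Live ISO should warn when configuring that changes won't
+persist
+* :vytask:`2443` NHRP: Add debugging information to syslog
+* :vytask:`2448` `monitor protocol bgp` subcommands fail with 'command
+incomplete'
+* :vytask:`2458` Update FRR to 7.3.1
+* :vytask:`2476` Bond member description change leads to network outage
+* :vytask:`2478` login radius: use NAS-IP-Address if defined source address
+* :vytask:`2482` Update PowerDNS recursor to 4.3.1 for CVE-2020-10995
+* :vytask:`2517` vyos-container: link_filter: No such file or directory
+* :vytask:`2526` Wake-On-Lan CLI implementation
+* :vytask:`2528` "update dns dynamic" throws FileNotFoundError excepton
+* :vytask:`2536` "show log dns forwarding" still refers to dnsmasq
+* :vytask:`2538` Update Intel NIC drivers to recent release (preparation for
+Kernel >=5.4)
+* :vytask:`2545` Show physical device offloading capabilities for specified
+ethernet interface
+* :vytask:`2563` Wrong interface binding for Dell VEP 1445
+* :vytask:`2605` SNMP service is not disabled by default
+* :vytask:`2625` Provide generic Library for package builds
+* :vytask:`2686` FRR: BGP: large-community configuration is not applied
+properly after upgrading FRR to 7.3.x series
+* :vytask:`2701` `vpn ipsec pfs enable` doesn't work with IKE groups
+* :vytask:`2728` Protocol option ignored for IPSec peers in transport mode
+* :vytask:`2734` WireGuard: fwmark CLI definition is inconsistent
+* :vytask:`2757` "show system image version" contains additional new-line
+character breaking output
+* :vytask:`2797` Update Linux Kernel to v4.19.139
+* :vytask:`2822` Update Linux Kernel to v4.19.141
+* :vytask:`2829` PPPoE server: mppe setting is implemented as node instead of
+leafNode
+* :vytask:`2831` Update Linux Kernel to v4.19.142
+* :vytask:`2852` rename dynamic dns interface breaks ddclient.cache permissions
+* :vytask:`2853` Intel QAT acceleration does not work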
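--- a/docs/changelog/index.rst
+++ b/docs/changelog/index.rst
@@ -0,0 +1,18 @@
+.. _release-notes:
+#########
+Changelog
+#########
+.. toctree::
+:maxdepth: 1
+:includehidden:
+1.2.6
+1.2.5
+1.2.4
+1.2.3
+1.2.2
+1.2.1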

@ -1,19 +1,18 @@
.. _cli:
###
CLI
###
#####################
Comand Line Interface
#####################
The VyOS :abbr:`CLI (Command-Line Interface)` comprises an operational and a
configuration mode.
Operational Mode
================
################
Operational mode allows for commands to perform operational system tasks and
view system and service status, while configuration mode allows for the
modification of system configuration. The list of all operational level commands
is available at :ref:`operational_level_commands`.
modification of system configuration.
The CLI provides a built-in help system. In the CLI the ``?`` key may be used
to display available commands. The ``TAB`` key can be used to auto-complete
@ -73,10 +72,7 @@ When viewing in page mode the following commands are available:
in the event that the output has lines which exceed the terminal size.
Configuration Mode
==================
The list of all operational level commands is available at
:ref:`configuration_level_commands`.
##################
To enter configuration mode use the ``configure`` command:
@ -97,3 +93,737 @@ To enter configuration mode use the ``configure`` command:
See the configuration section of this document for more information on
configuration mode.
.. _configuration-overview:
######################
Configuration Overview
######################
VyOS makes use of a unified configuration file for the entire system's
configuration: ``/config/config.boot``. This allows easy template
creation, backup, and replication of system configuration. A system can
thus also be easily cloned by simply copying the required configuration
files.
Terminology
###########
live
A VyOS system has three major types of configurations:
* **Active** or **running configuration** is the system configuration
that is loaded and currently active (used by VyOS). Any change in
the configuration will have to be committed to belong to the
active/running configuration.
* **Working configuration** is the one that is currently being modified
in configuration mode. Changes made to the working configuration do
not go into effect until the changes are committed with the
:cfgcmd:`commit` command. At which time the working configuration will
become the active or running configuration.
* **Saved configuration** is the one saved to a file using the
:cfgcmd:`save` command. It allows you to keep safe a configuration for
future uses. There can be multiple configuration files. The default or
"boot" configuration is saved and loaded from the file
``/config/config.boot``.
Seeing and navigating the configuration
=======================================
.. opcmd:: show configuration
View the current active configuration, also known as the running
configuration, from the operational mode.
.. code-block:: none
vyos@vyos:~$ show configuration
interfaces {
ethernet eth0 {
address dhcp
hw-id 00:53:00:00:aa:01
}
loopback lo {
}
}
service {
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
login {
user vyos {
authentication {
encrypted-password ****************
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
}
By default, the configuration is displayed in a hierarchy like the above
example, this is only one of the possible ways to display the
configuration. When the configuration is generated and the device is
configured, changes are added through a collection of :cfgcmd:`set` and
:cfgcmd:`delete` commands.
.. opcmd:: show configuration commands
Get a collection of all the set commands required which led to the
running configuration.
.. code-block:: none
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 hw-id '00:53:dd:44:3b:0f'
set interfaces loopback 'lo'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system login user vyos authentication encrypted-password '$6$Vt68...QzF0'
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
Both these ``show`` commands should be executed when in operational
mode, they do not work directly in configuration mode. There is a
special way on how to :ref:`run_opmode_from_config_mode`.
.. hint:: Use the ``show configuration commands | strip-private``
command when you want to hide private data. You may want to do so if
you want to share your configuration on the `forum`_.
.. _`forum`: https://forum.vyos.io
The config mode
---------------
When entering the configuration mode you are navigating inside a tree
structure, to enter configuration mode enter the command
:opcmd:`configure` when in operational mode.
.. code-block:: none
vyos@vyos$ configure
[edit]
vyos@vyos#
.. note:: When going into configuration mode, prompt changes from
``$`` to ``#``.
All commands executed here are relative to the configuration level you
have entered. You can do everything from the top level, but commands
will be quite lengthy when manually typing them.
The current hierarchy level can be changed by the :cfgcmd:`edit`
command.
.. code-block:: none
[edit]
vyos@vyos# edit interfaces ethernet eth0
[edit interfaces ethernet eth0]
vyos@vyos#
You are now in a sublevel relative to ``interfaces ethernet eth0``, all
commands executed from this point on are relative to this sublevel. Use
eithe the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top
of the hierarchy. You can also use the :cfgcmd:`up` command to move only
one level up at a time.
.. cfgcmd:: show
The :cfgcmd:`show` command within configuration mode will show the
working configuration indicating line changes with ``+`` for additions,
``>`` for replacements and ``-`` for deletions.
**Example:**
.. code-block:: none
vyos@vyos:~$ configure
[edit]
vyos@vyos# show interfaces
ethernet eth0 {
description MY_OLD_DESCRIPTION
disable
hw-id 00:53:dd:44:3b:03
}
loopback lo {
}
[edit]
vyos@vyos# set interfaces ethernet eth0 address dhcp
[edit]
vyos@vyos# set interfaces ethernet eth0 description MY_NEW_DESCRIPTION
[edit]
vyos@vyos# delete interfaces ethernet eth0 disable
[edit]
vyos@vyos# show interfaces
ethernet eth0 {
+ address dhcp
> description MY_NEW_DESCRIPTION
- disable
hw-id 00:53:dd:44:3b:03
}
loopback lo {
}
It is also possible to display all `set` commands within configuration
mode using :cfgcmd:`show | commands`
.. code-block:: none
vyos@vyos# show interfaces ethernet eth0 | commands
set address dhcp
set hw-id 00:53:ad:44:3b:03
These commands are also relative to the level you are inside and only
relevant configuration blocks will be displayed when entering a
sub-level.
.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# show
address dhcp
hw-id 00:53:ad:44:3b:03
Exiting from the configuration mode is done via the :cfgcmd:`exit`
command from the top level, executing :cfgcmd:`exit` from within a
sub-level takes you back to the top level.
.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# exit
[edit]
vyos@vyos# exit
Warning: configuration changes have not been saved.
Editing the configuration
=========================
The configuration can be edited by the use of :cfgcmd:`set` and
:cfgcmd:`delete` commands from within configuration mode.
.. cfgcmd:: set
Use this command to set the value of a parameter or to create a new
element.
Configuration commands are flattened from the tree into 'one-liner'
commands shown in :opcmd:`show configuration commands` from operation
mode. Commands are relative to the level where they are executed and all
redundant information from the current level is removed from the command
entered.
.. code-block:: none
[edit]
vyos@vyos# set interface ethernet eth0 address 192.0.2.100/24
.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# set address 203.0.113.6/24
These two commands above are essentially the same, just executed from
different levels in the hierarchy.
.. cfgcmd:: delete
To delete a configuration entry use the :cfgcmd:`delete` command,
this also deletes all sub-levels under the current level you've
specified in the :cfgcmd:`delete` command. Deleting an entry will
also result in the element reverting back to its default value if one
exists.
.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# delete address 192.0.2.100/24
.. cfgcmd:: commit
Any change you do on the configuration, will not take effect until
committed using the :cfgcmd:`commit` command in configuration mode.
.. code-block:: none
vyos@vyos# commit
[edit]
vyos@vyos# exit
Warning: configuration changes have not been saved.
vyos@vyos:~$
.. _save:
.. cfgcmd:: save
Use this command to preserve configuration changes upon reboot. By
default it is stored at */config/config.boot*. In the case you want
to store the configuration file somewhere else, you can add a local
path, an SCP address, an FTP address or a TFTP address.
.. code-block:: none
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
.. code-block:: none
vyos@vyos# save [tab]
Possible completions:
<Enter> Save to system config file
<file> Save to file on local machine
scp://<user>:<passwd>@<host>:/<file> Save to file on remote machine
ftp://<user>:<passwd>@<host>/<file> Save to file on remote machine
tftp://<host>/<file> Save to file on remote machine
vyos@vyos# save tftp://192.168.0.100/vyos-test.config.boot
Saving configuration to 'tftp://192.168.0.100/vyos-test.config.boot'...
######################################################################## 100.0%
Done
.. cfgcmd:: exit [discard]
Configuration mode can not be exited while uncommitted changes exist.
To exit configuration mode without applying changes, the
:cfgcmd:`exit discard` command must be used.
All changes in the working config will thus be lost.
.. code-block:: none
vyos@vyos# exit
Cannot exit: configuration modified.
Use 'exit discard' to discard the changes and exit.
[edit]
vyos@vyos# exit discard
.. cfgcmd:: commit-confirm <minutes>
Use this command to temporarily commit your changes and set the
number of minutes available for validation. ``confirm`` must
be entered within those minutes, otherwise the system will reboot
into the previous configuration. The default value is 10 minutes.
What if you are doing something dangerous? Suppose you want to setup
a firewall, and you are not sure there are no mistakes that will lock
you out of your system. You can use confirmed commit. If you issue
the ``commit-confirm`` command, your changes will be commited, and if
you don't issue issue the ``confirm`` command in 10 minutes, your
system will reboot into previous config revision.
.. code-block:: none
vyos@router# set interfaces ethernet eth0 firewall local name FromWorld
vyos@router# commit-confirm
commit confirm will be automatically reboot in 10 minutes unless confirmed
Proceed? [confirm]y
[edit]
vyos@router# confirm
[edit]
.. note:: A reboot because you did not enter ``confirm`` will not
take you necessarily to the *saved configuration*, but to the
point before the unfortunate commit.
.. cfgcmd:: copy
Copy a configuration element.
You can copy and remove configuration subtrees. Suppose you set up a
firewall ruleset ``FromWorld`` with one rule that allows traffic from
specific subnet. Now you want to setup a similar rule, but for
different subnet. Change your edit level to
``firewall name FromWorld`` and use ``copy rule 10 to rule 20``, then
modify rule 20.
.. code-block:: none
vyos@router# show firewall name FromWorld
default-action drop
rule 10 {
action accept
source {
address 203.0.113.0/24
}
}
[edit]
vyos@router# edit firewall name FromWorld
[edit firewall name FromWorld]
vyos@router# copy rule 10 to rule 20
[edit firewall name FromWorld]
vyos@router# set rule 20 source address 198.51.100.0/24
[edit firewall name FromWorld]
vyos@router# commit
[edit firewall name FromWorld]
.. cfgcmd:: rename
Rename a configuration element.
You can also rename config subtrees:
.. code-block:: none
vyos@router# rename rule 10 to rule 5
[edit firewall name FromWorld]
vyos@router# commit
[edit firewall name FromWorld]
Note that ``show`` command respects your edit level and from this
level you can view the modified firewall ruleset with just ``show``
with no parameters.
.. code-block:: none
vyos@router# show
default-action drop
rule 5 {
action accept
source {
address 203.0.113.0/24
}
}
rule 20 {
action accept
source {
address 198.51.100.0/24
}
}
.. cfgcmd:: comment <config node> "comment text"
Add comment as an annotation to a configuration node.
The ``comment`` command allows you to insert a comment above the
``<config node>`` configuration section. When shown, comments are
enclosed with ``/*`` and ``*/`` as open/close delimiters. Comments
need to be commited, just like other config changes.
To remove an existing comment from your current configuration,
specify an empty string enclosed in double quote marks (``""``) as
the comment text.
Example:
.. code-block:: none
vyos@vyos# comment firewall all-ping "Yes I know this VyOS is cool"
vyos@vyos# commit
vyos@vyos# show
firewall {
/* Yes I know this VyOS is cool */
all-ping enable
broadcast-ping disable
...
}
.. note:: An important thing to note is that since the comment is
added on top of the section, it will not appear if the ``show
<section>`` command is used. With the above example, the `show
firewall` command would return starting after the ``firewall
{`` line, hiding the comment.
.. _run_opmode_from_config_mode:
Access opmode from config mode
==============================
When inside configuration mode you are not directly able to execute
operational commands.
.. cfgcmd:: run
Access to these commands are possible through the use of the
``run [command]`` command. From this command you will have access to
everything accessible from operational mode.
Command completion and syntax help with ``?`` and ``[tab]`` will also
work.
.. code-block:: none
[edit]
vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 0.0.0.0/0 u/u
Managing configurations
=======================
VyOS comes with an integrated versioning system for the system
configuration. It automatically maintains a backup of every previous
configuration which has been committed to the system. The configurations
are versioned locally for rollback but they can also be stored on a
remote host for archiving/backup reasons.
Local Archive
-------------
Revisions are stored on disk. You can view, compare and rollback them to
any previous revisions if something goes wrong.
.. opcmd:: show system commit
View all existing revisions on the local system.
.. code-block:: none
vyos@vyos:~$ show system commit
0 2015-03-30 08:53:03 by vyos via cli
1 2015-03-30 08:52:20 by vyos via cli
2 2015-03-26 21:26:01 by root via boot-config-loader
3 2015-03-26 20:43:18 by root via boot-config-loader
4 2015-03-25 11:06:14 by root via boot-config-loader
5 2015-03-25 01:04:28 by root via boot-config-loader
6 2015-03-25 00:16:47 by vyos via cli
7 2015-03-24 23:43:45 by root via boot-config-loader
.. cfgcmd:: set system config-management commit-revisions <N>
You can specify the number of revisions stored on disk. N can be in
the range of 0 - 65535. When the number of revisions exceeds the
configured value, the oldest revision is removed. The default setting
for this value is to store 100 revisions locally.
Compare configurations
----------------------
VyOS lets you compare different configurations.
.. cfgcmd:: compare <saved | N> <M>
Use this command to spot what the differences are between different
configurations.
.. code-block:: none
vyos@vyos# compare [tab]
Possible completions:
<Enter> Compare working & active configurations
saved Compare working & saved configurations
<N> Compare working with revision N
<N> <M> Compare revision N with M
Revisions:
0 2013-12-17 20:01:37 root by boot-config-loader
1 2013-12-13 15:59:31 root by boot-config-loader
2 2013-12-12 21:56:22 vyos by cli
3 2013-12-12 21:55:11 vyos by cli
4 2013-12-12 21:27:54 vyos by cli
5 2013-12-12 21:23:29 vyos by cli
6 2013-12-12 21:13:59 root by boot-config-loader
7 2013-12-12 16:25:19 vyos by cli
8 2013-12-12 15:44:36 vyos by cli
9 2013-12-12 15:42:07 root by boot-config-loader
10 2013-12-12 15:42:06 root by init
The command :cfgcmd:`compare` allows you to compare different type of
configurations. It also lets you compare different revisions through
the :cfgcmd:`compare N M` command, where N and M are revision
numbers. The output will describe how the configuration N is when
compared to M indicating with a plus sign (``+``) the additional
parts N has when compared to M, and indicating with a minus sign
(``-``) the lacking parts N misses when compared to M.
.. code-block:: none
vyos@vyos# compare 0 6
[edit interfaces]
+dummy dum1 {
+ address 10.189.0.1/31
+}
[edit interfaces ethernet eth0]
+vif 99 {
+ address 10.199.0.1/31
+}
-vif 900 {
- address 192.0.2.4/24
-}
.. opcmd:: show system commit diff <number>
Show commit revision difference.
The command above also lets you see the difference between two commits.
By default the difference with the running config is shown.
.. code-block:: none
vyos@router# run show system commit diff 4
[edit system]
+ipv6 {
+ disable-forwarding
+}
This means four commits ago we did ``set system ipv6 disable-forwarding``.
Rollback Changes
----------------
You can rollback configuration changes using the rollback command. This
will apply the selected revision and trigger a system reboot.
.. cfgcmd:: rollback <N>
Rollback to revision N (currently requires reboot)
.. code-block:: none
vyos@vyos# compare 1
[edit system]
>host-name vyos-1
[edit]
vyos@vyos# rollback 1
Proceed with reboot? [confirm][y]
Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2013):
The system is going down for reboot NOW!
Remote Archive
--------------
VyOS can upload the configuration to a remote location after each call
to :cfgcmd:`commit`. You will have to set the commit-archive location.
TFTP, FTP, SCP and SFTP servers are supported. Every time a
:cfgcmd:`commit` is successfull the ``config.boot`` file will be copied
to the defined destination(s). The filename used on the remote host will
be ``config.boot-hostname.YYYYMMDD_HHMMSS``.
.. cfgcmd:: set system config-management commit-archive location <URI>
Specify remote location of commit archive as any of the below
:abbr:`URI (Uniform Resource Identifier)`
* ``scp://<user>:<passwd>@<host>:/<dir>``
* ``sftp://<user>:<passwd>@<host>/<dir>``
* ``ftp://<user>:<passwd>@<host>/<dir>``
* ``tftp://<host>/<dir>``
.. note:: The number of revisions don't affect the commit-archive.
.. note:: You may find VyOS not allowing the secure connection because
it cannot verify the legitimacy of the remote server. You can use
the workaround below to quickly add the remote host's SSH
fingerprint to your ``~/.ssh/known_hosts`` file:
.. code-block:: none
vyos@vyos# ssh-keyscan <host> >> ~/.ssh/known_hosts
Saving and loading manually
---------------------------
You can use the ``save`` and ``load`` commands if you want to manually
manage specific configuration files.
When using the save_ command, you can add a specific location where
to store your configuration file. And, when needed it, you will be able
to load it with the ``load`` command:
.. cfgcmd:: load <URI>
Use this command to load a configuration which will replace the
running configuration. Define the location of the configuration file
to be loaded. You can use a path to a local file, an SCP address, an
SFTP address, an FTP address, an HTTP address, an HTTPS address or a
TFTP address.
.. code-block:: none
vyos@vyos# load
Possible completions:
<Enter> Load from system config file
<file> Load from file on local machine
scp://<user>:<passwd>@<host>:/<file> Load from file on remote machine
sftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
ftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
http://<host>/<file> Load from file on remote machine
https://<host>/<file> Load from file on remote machine
tftp://<host>/<file> Load from file on remote machine
Restore Default
---------------
In the case you want to completely delete your configuration and restore
the default one, you can enter the following command in configuration
mode:
.. code-block:: none
load /opt/vyatta/etc/config.boot.default
You will be asked if you want to continue. If you accept, you will have
to use :cfgcmd:`commit` if you want to make the changes active.
Then you may want to :cfgcmd:`save` in order to delete the saved
configuration too.
.. note:: If you are remotely connected, you will lose your connection.
You may want to copy first the config, edit it to ensure
connectivity, and load the edited config.


@ -1,7 +0,0 @@
.. _configuration_level_commands:
********************************
Configuration Level Command List
********************************
.. cfgcmdlist::


@ -1,7 +0,0 @@
.. _operational_level_commands:
******************************
Operational Level Command List
******************************
.. opcmdlist::


@ -26,10 +26,10 @@ copyright = u'2020, VyOS maintainers and contributors'
author = u'VyOS maintainers and contributors'
# The short X.Y version
version = u'1.3'
version = u'1.4'
# The full version, including alpha/beta/rc tags
release = u'1.3.x (equuleus)'
release = u'1.4.x (sagitta)'
# -- General configuration ---------------------------------------------------
@ -70,7 +70,7 @@ language = None
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
# This pattern also affects html_static_path and html_extra_path .
exclude_patterns = [u'_build', 'Thumbs.db', '.DS_Store']
exclude_patterns = [u'_build', 'Thumbs.db', '.DS_Store', '_include/vyos-1x']
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'


@ -1,730 +0,0 @@
.. _configuration-overview:
######################
Configuration Overview
######################
VyOS makes use of a unified configuration file for the entire system's
configuration: ``/config/config.boot``. This allows easy template
creation, backup, and replication of system configuration. A system can
thus also be easily cloned by simply copying the required configuration
files.
Terminology
===========
live
A VyOS system has three major types of configurations:
* **Active** or **running configuration** is the system configuration
that is loaded and currently active (used by VyOS). Any change in
the configuration will have to be committed to belong to the
active/running configuration.
* **Working configuration** is the one that is currently being modified
in configuration mode. Changes made to the working configuration do
not go into effect until the changes are committed with the
:cfgcmd:`commit` command. At which time the working configuration will
become the active or running configuration.
* **Saved configuration** is the one saved to a file using the
:cfgcmd:`save` command. It allows you to keep safe a configuration for
future uses. There can be multiple configuration files. The default or
"boot" configuration is saved and loaded from the file
``/config/config.boot``.
Seeing and navigating the configuration
=======================================
.. opcmd:: show configuration
View the current active configuration, also known as the running
configuration, from the operational mode.
.. code-block:: none
vyos@vyos:~$ show configuration
interfaces {
ethernet eth0 {
address dhcp
hw-id 00:53:00:00:aa:01
}
loopback lo {
}
}
service {
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
login {
user vyos {
authentication {
encrypted-password ****************
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
}
By default, the configuration is displayed in a hierarchy like the above
example, this is only one of the possible ways to display the
configuration. When the configuration is generated and the device is
configured, changes are added through a collection of :cfgcmd:`set` and
:cfgcmd:`delete` commands.
.. opcmd:: show configuration commands
Get a collection of all the set commands required which led to the
running configuration.
.. code-block:: none
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 hw-id '00:53:dd:44:3b:0f'
set interfaces loopback 'lo'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system login user vyos authentication encrypted-password '$6$Vt68...QzF0'
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
Both these ``show`` commands should be executed when in operational
mode, they do not work directly in configuration mode. There is a
special way on how to :ref:`run_opmode_from_config_mode`.
.. hint:: Use the ``show configuration commands | strip-private``
command when you want to hide private data. You may want to do so if
you want to share your configuration on the `forum`_.
.. _`forum`: https://forum.vyos.io
The config mode
---------------
When entering the configuration mode you are navigating inside a tree
structure, to enter configuration mode enter the command
:opcmd:`configure` when in operational mode.
.. code-block:: none
vyos@vyos$ configure
[edit]
vyos@vyos#
.. note:: When going into configuration mode, prompt changes from
``$`` to ``#``.
All commands executed here are relative to the configuration level you
have entered. You can do everything from the top level, but commands
will be quite lengthy when manually typing them.
The current hierarchy level can be changed by the :cfgcmd:`edit`
command.
.. code-block:: none
[edit]
vyos@vyos# edit interfaces ethernet eth0
[edit interfaces ethernet eth0]
vyos@vyos#
You are now in a sublevel relative to ``interfaces ethernet eth0``, all
commands executed from this point on are relative to this sublevel. Use
eithe the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top
of the hierarchy. You can also use the :cfgcmd:`up` command to move only
one level up at a time.
.. cfgcmd:: show
The :cfgcmd:`show` command within configuration mode will show the
working configuration indicating line changes with ``+`` for additions,
``>`` for replacements and ``-`` for deletions.
**Example:**
.. code-block:: none
vyos@vyos:~$ configure
[edit]
vyos@vyos# show interfaces
ethernet eth0 {
description MY_OLD_DESCRIPTION
disable
hw-id 00:53:dd:44:3b:03
}
loopback lo {
}
[edit]
vyos@vyos# set interfaces ethernet eth0 address dhcp
[edit]
vyos@vyos# set interfaces ethernet eth0 description MY_NEW_DESCRIPTION
[edit]
vyos@vyos# delete interfaces ethernet eth0 disable
[edit]
vyos@vyos# show interfaces
ethernet eth0 {
+ address dhcp
> description MY_NEW_DESCRIPTION
- disable
hw-id 00:53:dd:44:3b:03
}
loopback lo {
}
It is also possible to display all `set` commands within configuration
mode using :cfgcmd:`show | commands`
.. code-block:: none
vyos@vyos# show interfaces ethernet eth0 | commands
set address dhcp
set hw-id 00:53:ad:44:3b:03
These commands are also relative to the level you are inside and only
relevant configuration blocks will be displayed when entering a
sub-level.
.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# show
address dhcp
hw-id 00:53:ad:44:3b:03
Exiting from the configuration mode is done via the :cfgcmd:`exit`
command from the top level, executing :cfgcmd:`exit` from within a
sub-level takes you back to the top level.
.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# exit
[edit]
vyos@vyos# exit
Warning: configuration changes have not been saved.
Editing the configuration
=========================
The configuration can be edited by the use of :cfgcmd:`set` and
:cfgcmd:`delete` commands from within configuration mode.
.. cfgcmd:: set
Use this command to set the value of a parameter or to create a new
element.
Configuration commands are flattened from the tree into 'one-liner'
commands shown in :opcmd:`show configuration commands` from operation
mode. Commands are relative to the level where they are executed and all
redundant information from the current level is removed from the command
entered.
.. code-block:: none
[edit]
vyos@vyos# set interface ethernet eth0 address 192.0.2.100/24
.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# set address 203.0.113.6/24
These two commands above are essentially the same, just executed from
different levels in the hierarchy.
.. cfgcmd:: delete
To delete a configuration entry use the :cfgcmd:`delete` command,
this also deletes all sub-levels under the current level you've
specified in the :cfgcmd:`delete` command. Deleting an entry will
also result in the element reverting back to its default value if one
exists.
.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# delete address 192.0.2.100/24
.. cfgcmd:: commit
Any change you do on the configuration, will not take effect until
committed using the :cfgcmd:`commit` command in configuration mode.
.. code-block:: none
vyos@vyos# commit
[edit]
vyos@vyos# exit
Warning: configuration changes have not been saved.
vyos@vyos:~$
.. _save:
.. cfgcmd:: save
Use this command to preserve configuration changes upon reboot. By
default it is stored at */config/config.boot*. In the case you want
to store the configuration file somewhere else, you can add a local
path, an SCP address, an FTP address or a TFTP address.
.. code-block:: none
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
.. code-block:: none
vyos@vyos# save [tab]
Possible completions:
<Enter> Save to system config file
<file> Save to file on local machine
scp://<user>:<passwd>@<host>:/<file> Save to file on remote machine
ftp://<user>:<passwd>@<host>/<file> Save to file on remote machine
tftp://<host>/<file> Save to file on remote machine
vyos@vyos# save tftp://192.168.0.100/vyos-test.config.boot
Saving configuration to 'tftp://192.168.0.100/vyos-test.config.boot'...
######################################################################## 100.0%
Done
.. cfgcmd:: exit [discard]
Configuration mode can not be exited while uncommitted changes exist.
To exit configuration mode without applying changes, the
:cfgcmd:`exit discard` command must be used.
All changes in the working config will thus be lost.
.. code-block:: none
vyos@vyos# exit
Cannot exit: configuration modified.
Use 'exit discard' to discard the changes and exit.
[edit]
vyos@vyos# exit discard
.. cfgcmd:: commit-confirm <minutes>
Use this command to temporarily commit your changes and set the
number of minutes available for validation. ``confirm`` must
be entered within those minutes, otherwise the system will reboot
into the previous configuration. The default value is 10 minutes.
What if you are doing something dangerous? Suppose you want to setup
a firewall, and you are not sure there are no mistakes that will lock
you out of your system. You can use confirmed commit. If you issue
the ``commit-confirm`` command, your changes will be commited, and if
you don't issue issue the ``confirm`` command in 10 minutes, your
system will reboot into previous config revision.
.. code-block:: none
vyos@router# set interfaces ethernet eth0 firewall local name FromWorld
vyos@router# commit-confirm
commit confirm will be automatically reboot in 10 minutes unless confirmed
Proceed? [confirm]y
[edit]
vyos@router# confirm
[edit]
.. note:: A reboot because you did not enter ``confirm`` will not
take you necessarily to the *saved configuration*, but to the
point before the unfortunate commit.
.. cfgcmd:: copy
Copy a configuration element.
You can copy and remove configuration subtrees. Suppose you set up a
firewall ruleset ``FromWorld`` with one rule that allows traffic from
specific subnet. Now you want to setup a similar rule, but for
different subnet. Change your edit level to
``firewall name FromWorld`` and use ``copy rule 10 to rule 20``, then
modify rule 20.
.. code-block:: none
vyos@router# show firewall name FromWorld
default-action drop
rule 10 {
action accept
source {
address 203.0.113.0/24
}
}
[edit]
vyos@router# edit firewall name FromWorld
[edit firewall name FromWorld]
vyos@router# copy rule 10 to rule 20
[edit firewall name FromWorld]
vyos@router# set rule 20 source address 198.51.100.0/24
[edit firewall name FromWorld]
vyos@router# commit
[edit firewall name FromWorld]
.. cfgcmd:: rename
Rename a configuration element.
You can also rename config subtrees:
.. code-block:: none
vyos@router# rename rule 10 to rule 5
[edit firewall name FromWorld]
vyos@router# commit
[edit firewall name FromWorld]
Note that ``show`` command respects your edit level and from this
level you can view the modified firewall ruleset with just ``show``
with no parameters.
.. code-block:: none
vyos@router# show
default-action drop
rule 5 {
action accept
source {
address 203.0.113.0/24
}
}
rule 20 {
action accept
source {
address 198.51.100.0/24
}
}
.. cfgcmd:: comment <config node> "comment text"
Add comment as an annotation to a configuration node.
The ``comment`` command allows you to insert a comment above the
``<config node>`` configuration section. When shown, comments are
enclosed with ``/*`` and ``*/`` as open/close delimiters. Comments
need to be commited, just like other config changes.
To remove an existing comment from your current configuration,
specify an empty string enclosed in double quote marks (``""``) as
the comment text.
Example:
.. code-block:: none
vyos@vyos# comment firewall all-ping "Yes I know this VyOS is cool"
vyos@vyos# commit
vyos@vyos# show
firewall {
/* Yes I know this VyOS is cool */
all-ping enable
broadcast-ping disable
...
}
.. note:: An important thing to note is that since the comment is
added on top of the section, it will not appear if the ``show
<section>`` command is used. With the above example, the `show
firewall` command would return starting after the ``firewall
{`` line, hiding the comment.
.. _run_opmode_from_config_mode:
Access opmode from config mode
==============================
When inside configuration mode you are not directly able to execute
operational commands.
.. cfgcmd:: run
Access to these commands are possible through the use of the
``run [command]`` command. From this command you will have access to
everything accessible from operational mode.
Command completion and syntax help with ``?`` and ``[tab]`` will also
work.
.. code-block:: none
[edit]
vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 0.0.0.0/0 u/u
Managing configurations
=======================
VyOS comes with an integrated versioning system for the system
configuration. It automatically maintains a backup of every previous
configuration which has been committed to the system. The configurations
are versioned locally for rollback but they can also be stored on a
remote host for archiving/backup reasons.
Local Archive
-------------
Revisions are stored on disk. You can view, compare and rollback them to
any previous revisions if something goes wrong.
.. opcmd:: show system commit
View all existing revisions on the local system.
.. code-block:: none
vyos@vyos:~$ show system commit
0 2015-03-30 08:53:03 by vyos via cli
1 2015-03-30 08:52:20 by vyos via cli
2 2015-03-26 21:26:01 by root via boot-config-loader
3 2015-03-26 20:43:18 by root via boot-config-loader
4 2015-03-25 11:06:14 by root via boot-config-loader
5 2015-03-25 01:04:28 by root via boot-config-loader
6 2015-03-25 00:16:47 by vyos via cli
7 2015-03-24 23:43:45 by root via boot-config-loader
.. cfgcmd:: set system config-management commit-revisions <N>
You can specify the number of revisions stored on disk. N can be in
the range of 0 - 65535. When the number of revisions exceeds the
configured value, the oldest revision is removed. The default setting
for this value is to store 100 revisions locally.
Compare configurations
----------------------
VyOS lets you compare different configurations.
.. cfgcmd:: compare <saved | N> <M>
Use this command to spot what the differences are between different
configurations.
.. code-block:: none
vyos@vyos# compare [tab]
Possible completions:
<Enter> Compare working & active configurations
saved Compare working & saved configurations
<N> Compare working with revision N
<N> <M> Compare revision N with M
Revisions:
0 2013-12-17 20:01:37 root by boot-config-loader
1 2013-12-13 15:59:31 root by boot-config-loader
2 2013-12-12 21:56:22 vyos by cli
3 2013-12-12 21:55:11 vyos by cli
4 2013-12-12 21:27:54 vyos by cli
5 2013-12-12 21:23:29 vyos by cli
6 2013-12-12 21:13:59 root by boot-config-loader
7 2013-12-12 16:25:19 vyos by cli
8 2013-12-12 15:44:36 vyos by cli
9 2013-12-12 15:42:07 root by boot-config-loader
10 2013-12-12 15:42:06 root by init
The command :cfgcmd:`compare` allows you to compare different type of
configurations. It also lets you compare different revisions through
the :cfgcmd:`compare N M` command, where N and M are revision
numbers. The output will describe how the configuration N is when
compared to M indicating with a plus sign (``+``) the additional
parts N has when compared to M, and indicating with a minus sign
(``-``) the lacking parts N misses when compared to M.
.. code-block:: none
vyos@vyos# compare 0 6
[edit interfaces]
+dummy dum1 {
+ address 10.189.0.1/31
+}
[edit interfaces ethernet eth0]
+vif 99 {
+ address 10.199.0.1/31
+}
-vif 900 {
- address 192.0.2.4/24
-}
.. opcmd:: show system commit diff <number>
Show commit revision difference.
The command above also lets you see the difference between two commits.
By default the difference with the running config is shown.
.. code-block:: none
vyos@router# run show system commit diff 4
[edit system]
+ipv6 {
+ disable-forwarding
+}
This means four commits ago we did ``set system ipv6 disable-forwarding``.
Rollback Changes
----------------
You can rollback configuration changes using the rollback command. This
will apply the selected revision and trigger a system reboot.
.. cfgcmd:: rollback <N>
Rollback to revision N (currently requires reboot)
.. code-block:: none
vyos@vyos# compare 1
[edit system]
>host-name vyos-1
[edit]
vyos@vyos# rollback 1
Proceed with reboot? [confirm][y]
Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2013):
The system is going down for reboot NOW!
Remote Archive
--------------
VyOS can upload the configuration to a remote location after each call
to :cfgcmd:`commit`. You will have to set the commit-archive location.
TFTP, FTP, SCP and SFTP servers are supported. Every time a
:cfgcmd:`commit` is successfull the ``config.boot`` file will be copied
to the defined destination(s). The filename used on the remote host will
be ``config.boot-hostname.YYYYMMDD_HHMMSS``.
.. cfgcmd:: set system config-management commit-archive location <URI>
Specify remote location of commit archive as any of the below
:abbr:`URI (Uniform Resource Identifier)`
* ``scp://<user>:<passwd>@<host>:/<dir>``
* ``sftp://<user>:<passwd>@<host>/<dir>``
* ``ftp://<user>:<passwd>@<host>/<dir>``
* ``tftp://<host>/<dir>``
.. note:: The number of revisions don't affect the commit-archive.
.. note:: You may find VyOS not allowing the secure connection because
it cannot verify the legitimacy of the remote server. You can use
the workaround below to quickly add the remote host's SSH
fingerprint to your ``~/.ssh/known_hosts`` file:
.. code-block:: none
vyos@vyos# ssh-keyscan <host> >> ~/.ssh/known_hosts
Saving and loading manually
---------------------------
You can use the ``save`` and ``load`` commands if you want to manually
manage specific configuration files.
When using the save_ command, you can add a specific location where
to store your configuration file. And, when needed it, you will be able
to load it with the ``load`` command:
.. cfgcmd:: load <URI>
Use this command to load a configuration which will replace the
running configuration. Define the location of the configuration file
to be loaded. You can use a path to a local file, an SCP address, an
SFTP address, an FTP address, an HTTP address, an HTTPS address or a
TFTP address.
.. code-block:: none
vyos@vyos# load
Possible completions:
<Enter> Load from system config file
<file> Load from file on local machine
scp://<user>:<passwd>@<host>:/<file> Load from file on remote machine
sftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
ftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
http://<host>/<file> Load from file on remote machine
https://<host>/<file> Load from file on remote machine
tftp://<host>/<file> Load from file on remote machine
Restore Default
---------------
In the case you want to completely delete your configuration and restore
the default one, you can enter the following command in configuration
mode:
.. code-block:: none
load /opt/vyatta/etc/config.boot.default
You will be asked if you want to continue. If you accept, you will have
to use :cfgcmd:`commit` if you want to make the changes active.
Then you may want to :cfgcmd:`save` in order to delete the saved
configuration too.
.. note:: If you are remotely connected, you will lose your connection.
You may want to copy first the config, edit it to ensure
connectivity, and load the edited config.


@ -1,10 +1,12 @@
.. _firewall:
########
Firewall
========
########
********
Overview
--------
********
VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet
filtering.
@ -23,8 +25,9 @@ or zone based firewall policy.
OS, is a reference to as `local` with respect to its input interface.
***************
Global settings
---------------
***************
Some firewall settings are global and have a affect on the whole system.
@ -139,8 +142,9 @@ Some firewall settings are global and have a affect on the whole system.
Set the global setting for related connections.
******
Groups
------
******
Firewall groups represent collections of IP addresses, networks, or
ports. Once created, a group can be referenced by firewall rules as
@ -157,7 +161,7 @@ names.
Address Groups
**************
==============
In a **address group** a single IP adresses or IP address ranges are
definded.
@ -181,7 +185,7 @@ definded.
Network Groups
**************
==============
While **network groups** accept IP networks in CIDR notation, specific
IP addresses can be added as a 32-bit prefix. If you foresee the need
@ -206,7 +210,7 @@ recommended.
Port Groups
***********
===========
A **port group** represents only port numbers, not the protocol. Port
groups can be referenced for either TCP or UDP. It is recommended that
@ -231,8 +235,9 @@ filtering unnecessary ports. Ranges of ports can be specified by using
Provide a port group description.
*********
Rule-Sets
----------
*********
A rule-set is a named collection of firewall rules that can be applied
to an interface or zone. Each rule is numbered, has an action to apply
@ -280,7 +285,7 @@ the action of the rule will executed.
If you want to disable a rule but let it in the configuration.
Matching criteria
*****************
=================
There are a lot of matching criteria gainst which the package can be tested.
@ -412,8 +417,9 @@ There are a lot of matching criteria gainst which the package can be tested.
Match against the state of a packet.
***********************************
Applying a Rule-Set to an Interface
-----------------------------------
***********************************
A Rule-Set can be appliend to every inteface:
@ -438,8 +444,9 @@ A Rule-Set can be appliend to every inteface:
several interfaces. An interface can only have one rule-set per chain.
**************************
Zone-based Firewall Policy
--------------------------
**************************
As an alternative to applying policy to an interface directly, a
zone-based firewall can be created to simplify configuration when
@ -452,7 +459,7 @@ An basic introduction to zone-based firewalls can be found `here
and an example at :ref:`examples-zone-policy`.
Define a Zone
*************
=============
To define a zone setup either one with interfaces or a local zone.
@ -476,7 +483,7 @@ To define a zone setup either one with interfaces or a local zone.
Applying a Rule-Set to a Zone
*****************************
=============================
Before you are able to apply a rule-set to a zone you have to create the zones
first.
@ -495,11 +502,12 @@ first.
set zone-policy zone LAN from DMZ firewall name DMZv4-to-LANv4
***********************
Operation-mode Firewall
-----------------------
***********************
Rule-set overview
*****************
=================
.. opcmd:: show firewall
@ -662,7 +670,7 @@ Rule-set overview
Zone-Policy Overview
********************
====================
.. opcmd:: show zone-policy zone <name>
@ -683,7 +691,7 @@ Zone-Policy Overview
Show Firewall log
*****************
=================
.. opcmd:: show log firewall [name | ipv6name] <name>
@ -697,7 +705,7 @@ Show Firewall log
Example Partial Config
----------------------
======================
.. code-block:: none
@ -765,3 +773,73 @@ Example Partial Config
}
}
}
.. _routing-mss-clamp:
****************
TCP-MSS Clamping
****************
As Internet wide PMTU discovery rarely works, we sometimes need to clamp
our TCP MSS value to a specific value. This is a field in the TCP
Options part of a SYN packet. By setting the MSS value, you are telling
the remote side unequivocally 'do not try to send me packets bigger than
this value'.
Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS
value for IPv4 and IPv6.
.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting
in 1452 bytes on a 1492 byte MTU.
IPv4
====
.. cfgcmd:: set firewall options interface <interface> adjust-mss <number-of-bytes>
Use this command to set the maximum segment size for IPv4 transit
packets on a specific interface (500-1460 bytes).
Example
-------
Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and
`1372`
for your WireGuard `wg02` tunnel.
.. code-block:: none
set firewall options interface pppoe0 adjust-mss '1452'
set firewall options interface wg02 adjust-mss '1372'
IPv6
====
.. cfgcmd:: set firewall options interface <interface> adjust-mss6 <number-of-bytes>
Use this command to set the maximum segment size for IPv6 transit
packets on a specific interface (1280-1492 bytes).
Example
-------
Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
`wg02` interface.
.. code-block:: none
set firewall options interface pppoe0 adjust-mss6 '1280'
set firewall options interface wg02 adjust-mss6 '1280'
.. hint:: When doing your byte calculations, you might find useful this
`Visual packet size calculator <https://baturin.org/tools/encapcalc/>`_.


@ -0,0 +1,23 @@
###################
Configuration Guide
###################
The following structure respresent the cli structure.
.. toctree::
:maxdepth: 1
:includehidden:
firewall/index
highavailability/index
interfaces/index
loadbalancing/index
nat/index
policy/index
protocols/index
service/index
system/index
trafficpolicy/index
vpn/index
vrf/index
zonepolicy/index


@ -17,7 +17,7 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-common-with-dhcp.txt
.. cmdinclude:: /_include/interface-common-with-dhcp.txt
:var0: bond
:var1: bond0
@ -259,7 +259,7 @@ Bond options
VLAN
====
.. cmdinclude:: ../_include/interface-vlan-8021q.txt
.. cmdinclude:: /_include/interface-vlan-8021q.txt
:var0: bond
:var1: bond0


@ -21,7 +21,7 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-common-with-dhcp.txt
.. cmdinclude:: /_include/interface-common-with-dhcp.txt
:var0: bridge
:var1: br0
@ -116,7 +116,7 @@ links providing fault tolerance if an active link fails.
VLAN
====
.. cmdinclude:: ../_include/interface-vlan-8021q.txt
.. cmdinclude:: /_include/interface-vlan-8021q.txt
:var0: bridge
:var1: br0


@ -25,19 +25,19 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-address.txt
.. cmdinclude:: /_include/interface-address.txt
:var0: dummy
:var1: dum0
.. cmdinclude:: ../_include/interface-description.txt
.. cmdinclude:: /_include/interface-description.txt
:var0: dummy
:var1: dum0
.. cmdinclude:: ../_include/interface-disable.txt
.. cmdinclude:: /_include/interface-disable.txt
:var0: dummy
:var1: dum0
.. cmdinclude:: ../_include/interface-vrf.txt
.. cmdinclude:: /_include/interface-vrf.txt
:var0: dummy
:var1: dum0


@ -14,7 +14,7 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-common-with-dhcp.txt
.. cmdinclude:: /_include/interface-common-with-dhcp.txt
:var0: ethernet
:var1: eth0
@ -72,14 +72,14 @@ VLAN
Regular VLANs (802.1q)
----------------------
.. cmdinclude:: ../_include/interface-vlan-8021q.txt
.. cmdinclude:: /_include/interface-vlan-8021q.txt
:var0: ethernet
:var1: eth0
QinQ (802.1ad)
--------------
.. cmdinclude:: ../_include/interface-vlan-8021ad.txt
.. cmdinclude:: /_include/interface-vlan-8021ad.txt
:var0: ethernet
:var1: eth0


@ -39,7 +39,7 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-common-without-dhcp.txt
.. cmdinclude:: /_include/interface-common-without-dhcp.txt
:var0: geneve
:var1: gnv0


@ -1,23 +1,28 @@
.. _advanced_network-interfaces:
##########
Interfaces
##########
##################
Network Interfaces
##################
.. toctree::
:maxdepth: 1
:includehidden:
bond
bonding
bridge
dummy
ethernet
geneve
loopback
l2tpv3
loopback
macsec
openvpn
pppoe
pseudo-ethernet
tunnel
vti
vxlan
wireguard
wireless
wirelessmodem


@ -1,4 +1,4 @@
.. include:: ../_include/need_improvement.txt
.. include:: /_include/need_improvement.txt
.. _l2tpv3-interface:
@ -31,7 +31,7 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-common-without-dhcp.txt
.. cmdinclude:: /_include/interface-common-without-dhcp.txt
:var0: l2tpv3
:var1: l2tpeth0


@ -26,11 +26,11 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-address.txt
.. cmdinclude:: /_include/interface-address.txt
:var0: loopback
:var1: lo
.. cmdinclude:: ../_include/interface-description.txt
.. cmdinclude:: /_include/interface-description.txt
:var0: loopback
:var1: lo


@ -20,7 +20,7 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-common-with-dhcp.txt
.. cmdinclude:: /_include/interface-common-with-dhcp.txt
:var0: macsec
:var1: macsec0


@ -581,4 +581,4 @@ The following commands let you reset OpenVPN.
.. include:: ../common-references.rst
.. include:: /_include/common-references.txt


@ -59,15 +59,15 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-description.txt
.. cmdinclude:: /_include/interface-description.txt
:var0: pppoe
:var1: pppoe0
.. cmdinclude:: ../_include/interface-disable.txt
.. cmdinclude:: /_include/interface-disable.txt
:var0: pppoe
:var1: pppoe0
.. cmdinclude:: ../_include/interface-vrf.txt
.. cmdinclude:: /_include/interface-vrf.txt
:var0: pppoe
:var1: pppoe0
@ -173,7 +173,7 @@ IPv6
Use this command to enable acquisition of IPv6 address using stateless
autoconfig (SLAAC).
.. cmdinclude:: ../_include/interface-dhcpv6-prefix-delegation.txt
.. cmdinclude:: /_include/interface-dhcpv6-prefix-delegation.txt
:var0: pppoe
:var1: pppoe0


@ -45,7 +45,7 @@ Configuration
Common interface configuration
==============================
.. cmdinclude:: ../_include/interface-common-with-dhcp.txt
.. cmdinclude:: /_include/interface-common-with-dhcp.txt
:var0: pseudo-ethernet
:var1: peth0
@ -60,6 +60,6 @@ Pseudo Ethernet/MACVLAN options
VLAN
====
.. cmdinclude:: ../_include/interface-vlan-8021q.txt
.. cmdinclude:: /_include/interface-vlan-8021q.txt
:var0: pseudo-ethernet
:var1: peth0


@ -16,7 +16,7 @@ a closer look at the protocols and options currently supported by VyOS.
Common interface configuration
------------------------------
.. cmdinclude:: ../_include/interface-common-without-dhcp.txt
.. cmdinclude:: /_include/interface-common-without-dhcp.txt
:var0: tunnel
:var1: tun0
@ -210,26 +210,7 @@ that are discarding IP protocol 47 or blocking your source/desintation traffic.
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 1.055/1.729/1.989/0.395 ms
Virtual Tunnel Interface (VTI)
------------------------------
Set Virtual Tunnel Interface
.. code-block:: none
set interfaces vti vti0 address 192.168.2.249/30
set interfaces vti vti0 address 2001:db8:2::249/64
Results in:
.. code-block:: none
vyos@vyos# show interfaces vti
vti vti0 {
address 192.168.2.249/30
address 2001:db8:2::249/64
description "Description"
}
.. _`other proposals`: https://www.isc.org/othersoftware/
.. _`Hurricane Electric`: https://tunnelbroker.net/


@ -0,0 +1,22 @@
##############################
Virtual Tunnel Interface (VTI)
##############################
Set Virtual Tunnel Interface
.. code-block:: none
set interfaces vti vti0 address 192.168.2.249/30
set interfaces vti vti0 address 2001:db8:2::249/64
Results in:
.. code-block:: none
vyos@vyos# show interfaces vti
vti vti0 {
address 192.168.2.249/30
address 2001:db8:2::249/64
description "Description"
}
