chore: bump to NethSecurity 8.8

avahi.rst

@@ -0,0 +1,38 @@
+.. _avahi-section:
+
+=======================
+Avahi (mDNS reflector)
+=======================
+
+Multicast DNS (mDNS) allows devices to discover services on a local network without a centralized DNS server, using multicast traffic within the ``.local`` domain.
+A typical use case is IoT network segmentation: when IoT devices live in a dedicated network, control devices like smartphones and PCs rely on mDNS for discovery.
+However, mDNS traffic does not cross network boundaries, so an mDNS reflector such as Avahi is required to bridge the gap and allow service discovery across network segments.
+
+On NethSecurity, the ``avahi-nodbus-daemon`` package is available in the official repositories but is not installed by default.
+
+.. note::
+   Starting from version 8.7.2, extra packages are automatically reinstalled after system upgrade.
+   For earlier versions and for additional information, refer to this documentation: :ref:`restore_extra_packages-section`.
+
+Installation
+============
+
+Install the package with::
+
+    apk update
+    apk add avahi-nodbus-daemon
+
+Configuration
+=============
+
+By default, the mDNS reflector functionality is disabled. To enable it:
+
+1. Edit the Avahi daemon configuration file: ::
+
+     sed -i 's/^enable\-reflector\=no$/enable\-reflector\=yes/g' /etc/avahi/avahi-daemon.conf
+
+2. Restart the Avahi daemon to apply the changes: ::
+
+     /etc/init.d/avahi-daemon restart
+
+After enabling the reflector, mDNS traffic will be reflected across network interfaces, allowing service discovery to work between different network segments.

checkmk.rst

@@ -20,7 +20,14 @@ If you only need the upstream agent, install ``checkmk-agent`` alone.
 Install the packages
 --------------------
 
-Install the agent and the optional NethSecurity checks from the command line::
+Install the agent and the optional NethSecurity checks from the command line.
+
+If you are running NethSecurity 8.8, use::
+
+    apk update
+    apk add ns-checkmk-utils
+
+If you are running NethSecurity 8.7.2 or older, use::
 
     opkg update
     opkg install ns-checkmk-utils

controller.rst

@@ -221,7 +221,7 @@ Metrics
 
 Each unit exports two types of metrics:
 
-- system operating metrics (CPU, memory, disk, network): these metrics are collected using `Netdata <https://www.netdata.cloud/>`_
+- system operating metrics (CPU, memory, disk, network): these metrics are collected using `Telegraf <https://www.influxdata.com/time-series-platform/telegraf/>`_
   and stored in `Prometheus <https://prometheus.io/>`_. As soon as a unit is connected, the controller starts scraping the metrics.
   These metrics are available to everyone regardless of the subscription status.
 - firewall metrics (traffic, security, VPN): these metrics are sent from the unit to controller at fixed intervals.
@@ -241,6 +241,13 @@ Users can access the dashboard by clicking on the :guilabel:`Open metrics` link
 By default, only the admin user can access the metrics dashboard. If you want to allow other users to access the metrics dashboard,
 you can create a new role and assign it to the user directly from the Grafana web interface.
 
+.. note::
+
+   Starting from NethSecurity 8.8, Netdata is not installed by default on units.
+   If you have configured custom dashboards that rely on Netdata metrics, you can reinstall it manually on the unit.
+
+   See :ref:`legacy Netdata section <legacy_netdata-section>` for more information on how to resinstall it.
+
 .. _grafana-section:
 
 Grafana
@@ -263,7 +270,7 @@ See the `official documentation <https://grafana.com/docs/grafana/latest/>`_ for
 Prometheus metrics
 ^^^^^^^^^^^^^^^^^^
 
-Prometheus metrics are collected using Netdata and stored in a Prometheus database.
+Prometheus metrics are collected using Telegraf by default. When Netdata is installed manually, Prometheus also scrapes metrics from it.
 
 Metrics exported for each unit includes the following labels:
 

dns_dhcp.rst

@@ -96,6 +96,11 @@ Dynamic leases
 Dynamic leases represents IP addresses that are currently in use and have been allocated to devices on the network.
 This tab shows all currently active leases.
 
+.. note::
+   When :ref:`storage-section` is configured, dnsmasq stores the lease file in
+   ``/mnt/data/dnsmasq/dhcp.leases``, so dynamic leases survive reboots.
+   Otherwise it keeps using ``/tmp/dhcp.leases``.
+
 Default Configuration
 ---------------------
 

dns_over_http.rst

@@ -10,8 +10,9 @@ DNS over HTTPS (DoH) is a protocol for encrypting DNS queries over HTTPS, enhanc
 This feature allows you to configure upstream DNS servers that support the DoH protocol.
 The ``https-dns-proxy`` package provides a local DNS-to-HTTPS proxy that forwards DNS queries to a remote DoH provider.
 
-This document provides instructions for installing and configuring the DoH upstream servers that provide
-filtering and are based in the EU, but you can use any DoH provider that suits your needs.
+This document provides instructions for configuring DoH upstream servers that
+provide filtering and are based in the EU, but you can use any DoH provider
+that suits your needs.
 This configuration only applies to the upstream servers of the firewall: clients will continue to send DNS requests to the firewall in plaintext on port 53.
 
 A list of DoH providers that support European locations and filtering are available on the
@@ -28,20 +29,28 @@ Some popular alternatives include:
 Installation
 ============
 
-The ``https-dns-proxy`` package is not included in default NethSecurity images, so you will need to install it manually: ::
+Since NethSecurity 8.8, the ``https-dns-proxy`` package is included in NethSecurity image, so no
+separate installation step is required.
+
+On NethSecurity 8.7, the package is not included in default NethSecurity image, so you will need to install it manually: ::
 
   opkg update
   opkg install https-dns-proxy
 
 Configuration
 =============
 
-By default, the package includes two providers (Cloudflare and Google).
-To use a custom DoH provider, you'll need to:
+By default, the package includes two providers (Cloudflare and Google), listens
+on ``127.0.0.1:5053`` and ``127.0.0.1:5054``, and keeps
+``dnsmasq_config_update`` set to ``-`` so it does not modify the firewall DNS
+configuration automatically.
+
+To start using the proxy, you need to:
 
 1. Remove the default providers (optional)
 2. Add your preferred DoH provider configuration
-3. Commit and apply the configuration
+3. Choose the ``dnsmasq_config_update`` value to use
+4. Commit the configuration and enable the service
 
 Configuration steps
 -------------------
@@ -65,9 +74,16 @@ In this example, we will configure the DNS4EU (joindns4.eu) DoH provider.
 
 The ``bootstrap_dns`` parameter is optional, if not provided, the system will use Google and Cloudflare DNS for bootstrap.
 
-3. Apply the configuration, https-dns-proxy will automatically use the local DoH proxy as upstream DNS: ::
+3. Enable integration with ``dnsmasq`` and start the service: ::
+
+     uci set https-dns-proxy.config.dnsmasq_config_update='*'
+     uci commit https-dns-proxy
+     /etc/init.d/https-dns-proxy enable
+     /etc/init.d/https-dns-proxy start
 
-     reload_config
+   The value ``*`` updates all ``dnsmasq`` instances. If you need a more
+   specific integration, set ``dnsmasq_config_update`` to the instance name or
+   index you want to manage.
 
 Verification
 ^^^^^^^^^^^^
@@ -100,18 +116,13 @@ Run the following commands via SSH or terminal: ::
 Image update
 ------------
 
-The ``https-dns-proxy`` package overrides the default DNS configuration,
-so if you update your NethSecurity image, the system will not be able to connect to Internet
-and restore the package.
+The package is included in the image, so it does not need to be reinstalled
+after an upgrade.
 
-To overcome this issue, you can temporarily stop the DoH proxy before updating the image: ::
+However, NethSecurity treats ``dnsmasq_config_update='-'`` as the disabled
+state. If that value is still set during an image upgrade, the first-boot
+defaults script can disable ``https-dns-proxy`` again.
 
-  service https-dns-proxy stop
-
-This will restore the default DNS configuration and allow the system to connect to the Internet
-after image update. Once the update is complete, you can restart the DoH proxy: ::
-
-  service https-dns-proxy restart
 
 Blocking other DoH providers
 ----------------------------

firewall_rules.rst

@@ -44,6 +44,8 @@ Fill in the following fields for the new rule:
   * ``Accept``: accept the network traffic.
   * ``Reject``: block the traffic and notify the sender host.
   * ``Drop``: block the traffic, packets are dropped and no notification is sent to the sender host.
+  * ``Don't track``: bypass connection tracking for matching traffic. This action is available only in
+    ``Forward rules`` and ``Input rules``, requires a source zone, and is not available in ``Output rules``.
 * ``Rule position``: decide whether to add the rule to the bottom or top of the rule list.
 * ``Logging``: indicate whether traffic matching this rule should be logged. The log entry will include the rule name as a prefix.
   By default, logging is limited to 1 entry per second. See the :ref:`logging-limits` section for instructions on changing this limit.

index.rst

@@ -110,6 +110,7 @@ NethSecurity administrator manual
    :maxdepth: 2
    :caption: Advanced (CLI)
 
+   avahi
    ddns
    dns_over_http
    smtp
@@ -120,6 +121,7 @@ NethSecurity administrator manual
    ups
    wol
    checkmk
+   victoria_logs
    uci
 
 .. toctree::

install.rst

@@ -134,11 +134,17 @@ QEMU guest agent
 QEMU guest agent is not part of the NethSecurity image but can be installed from the command line.
 The agent can work when the virtual machine is running on KVM, Proxmox, or other QEMU-based hypervisors.
 
-First, make sure the virtual machine is running, then connect to the machine using SSH or the Proxmox console and
-execute the following commands: ::
+First, make sure the virtual machine is running, then connect to the machine using SSH or the Proxmox console.
 
-  opkg update
-  opkg install qemu-ga
+If you are running NethSecurity 8.8, use::
+
+    apk update
+    apk add qemu-ga
+
+If you are running NethSecurity 8.7.2 or older, use::
+
+    opkg update
+    opkg install qemu-ga
 
 After the installation, start the service: ::
 
@@ -180,11 +186,17 @@ VMware open-vm-tools
 VMware open-vm-tools are not part of the NethSecurity image but can be installed from the command line.
 The tools can work only when the virtual machine is running on VMWare hypervisors.
 
-First make sure the virtual machine is running, then connect to the machine using SSH or the VMWare console and
-execute the following commands: ::
+First, make sure the virtual machine is running, then connect to the machine using SSH or the VMWare console.
+
+If you are running NethSecurity 8.8, use::
+
+    apk update
+    apk add open-vm-tools
+
+If you are running NethSecurity 8.7.2 or older, use::
 
-  opkg update
-  opkg install open-vm-tools
+    opkg update
+    opkg install open-vm-tools
 
 After the installation, start the service: ::
 

logs.rst

@@ -65,10 +65,16 @@ The daemon polls for new lines every 10 seconds, detects log rotation automatica
 
 The package is not included by default on NethSecurity 8.7.2 or earlier, but it is available in the package repository and can be
 manually installed.
-Install it with: ::
 
-  opkg update
-  opkg install ns-clm
+If you are running NethSecurity 8.8, use::
+
+    apk update
+    apk add ns-clm
+
+If you are running NethSecurity 8.7.2 or older, use::
+
+    opkg update
+    opkg install ns-clm
 
 The UCI configuration is stored in ``/etc/config/ns-clm``:
 

migration.rst

@@ -291,7 +291,7 @@ The following features are not migrated to NethSecurity:
 - Web proxy (Squid) and filter (ufdbGuard), replaced by :doc:`Content Filtering <content_filter>` and :ref:`dpi_filter-section`
 - IPS (Suricata) and IPS alerts (EveBox), replaced by :ref:`intrusion_prevention_system-section`
 - UPS monitoring (NUT), available only from command line with :doc:`UPS (NUT) <ups>`
-- System statistics (Collectd), replaced by Netdata in :ref:`real_time_monitoring-section`
+- System statistics (Collectd), replaced by Telegraf and VictoriaMetrics page in :ref:`historical_monitoring-section` 
 - Reports (Dante), replaced by controller metrics in :ref:`controller_metrics-section`
 - Bandwidth monitor (ntopng), built-in bandwidth monitoring is available in :ref:`real_time_monitoring-section` and through :ref:`controller_metrics-section`
 - Fail2ban, it is replaced by Threat shield :ref:`brute force attempt block feature <brute_force-section>`
@@ -301,7 +301,7 @@ The following features are not migrated to NethSecurity:
 
 Custom Zones
 ============
-Custom zones are rarely used in NethServer 7 and tipically for very specific tasks. 
+Custom zones are rarely used in NethServer 7 and typically for very specific tasks. 
 They are required to define a network segment with firewall rules different from those of the primary interface or, more commonly, to correctly manage traffic coming from a network other than the one to which the interface is connected.
 These zones allow for defining specific behavior for that network segment and ensure correct routing in complex environments (e.g., a port forwarding rule with a remote host destination via MPLS or a VPN tunnel).