1.2.0/release notes

From VyOS Wiki
Jump to: navigation, search

Overview

1.2.0 (Crux) is a feature expansion release following the 1.1.x line (helium).

New features

Wireguard support

See Wireguard.

Interfaces

Support for changing the ethertype of the QinQ interface between 0x88A8 (802.1ad) and 0x8100 (802.1q) for compatibility with different implementations:

set interfaces ethernet eth0 vif-s 42 ethertype <0x88A8|0x8100>

Support for dhcp-interface option for the local end of GRE/IPIP/etc. tunnels:

set interfaces tunnel tun0 dhcp-interface eth0

Support for 6rd tunnels:

set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 6rd-prefix 2001:db8::/64

Support for proxy-arp-pvlan on VLAN interfaces:

set interfaces ethernet eth0 vif 40 ip proxy-arp-pvlan 

Routing

Experimental support for IPv6 policy routing:

set protocols static table 10 route6 ::/0 next-hop 2001:db8::1

set policy ipv6-route Foo rule 10 set table 10

set interfaces ethernet eth0 policy ipv6-route Foo

Static routes support dhcp-interface option:

set protocols static route 192.0.2.0/24 dhcp-interface eth0

Fixed command for matching IPv6 next-hop in route-maps:

set policy route-map Foo rule 10 match ipv6 nextop 2001:db8::1

Dynamic DNS

Support for afraid.org:

set service dns dynamic interface eth0 service afraid host-name mydomain.example.com
set service dns dynamic interface eth0 service afraid login jrandomhacker
set service dns dynamic interface eth0 service afraid password qwerty

Support for DDNS updates from behind NAT:

set service dns dynamic interface eth0 use-web url http://dyndns.example.com/?user=jrandomhacker&password=qwerty&domain=mydomain.example.com

Support for RFC2136:

set service dns dynamic interface eth0 rfc2136

Support for custom dyndns services:

set service dns dynamic interface eth0 service ExampleDNS host-name mydomain.example.com
set service dns dynamic interface eth0 service ExampleDNS server dydns.example.com
set service dns dynamic interface eth0 service ExampleDNS protocol dyndns2 # or another, see the completion
...

mDNS repeater

set service mdns-repeater interface eth0

Broadcast relay

set service bcast-relay id 1 interface eth0 # interface to relay to
set service bcast-relay id 1 address 192.0.2.1 # source address
set service bcast-relay id 1 port 5000
set service bcast-relay id 1 description "some service"

DNS forwarding

Support for multiple servers in domain overrides:

vyos@vyos# set service dns forwarding domain example.com server 192.0.2.10
vyos@vyos# set service dns forwarding domain example.com server 192.0.2.20

vyos@vyos-current-test# show service dns 
+forwarding {
+    domain example.com {
+        server 192.0.2.10
+        server 192.0.2.20
+    }
+}

IPv6 name servers are now allowed:

set service dns forwarding name-server 2001:db8:ff::50

Operational mode command to restart the dnsmasq service:

run restart dns forwarding

NAT

Support for NPTv6:

set nat nptv6 rule 10 outbound-interface eth0
set nat nptv6 rule 10 source prefix 2001:db8:aa::/64
set nat nptv6 rule 10 translation prefix 2001:db8:bb::/64

SSH

Support for new ciphers: aes128-gcm, aes256-gcm, chacha20-poly1305, 3des-cbc.

A command for (re)-generating the SSH server key pair:

run generate ssh-server-key

Support for user and group access control is a work in progress and the CLI for it is likely to change.

High availability

VRRP now uses a new, more flexible syntax that takes VRRP out of interfaces into its own "high-availability vrrp" subtree. The new syntax is documented here: VRRP.

On upgrade, the old syntax will be automatically converted to the new syntax. Since VRRP group names are now informational and the VRID is defined by the "vrid" option under groups, old groups will be named $intf-$vrid, for example "eth0.10-10".

OpenVPN

A command for generating remote side config for a tunnel:

run show remote-config openvpn vtunX

IPsec

Support for including a custom secrets and config files:

set vpn ipsec include-ipsec-secrets /config/auth/ipsec.secrets
set vpn ipsec include-ipsec-conf /config/ipsec/mytunnel.conf

New ciphers for IKEv2: ChaCha20-Poly1305

Idle timeout and ESP lifetime options in L2TP/IPsec server.

QoS

Support for HFSC scheduler: CLI analogous to the shaper.

TCP flag matching:

set traffic-policy shaper Foo class 1 match Bar ip tcp <syn|ack>

fq_codel queueing discipline:

set traffic-policy fq-codel Foo codel-quantum <0-4294967295> # Number of bytes used as 'deficit' (default 1514)
set traffic-policy fq-codel Foo flows <0-4294967295> # Number of flows (default 1024)
set traffic-policy fq-codel Foo queue-limit <1-11000> # Queue size in packets (default 10240)
set traffic-policy fq-codel Foo interval <0-4294967295> # Interval (milliseconds) used to measure the delay (default 100)
set traffic-policy fq-codel Foo target <0-4294967295> # Acceptable minimum queue delay (milliseconds)

PPPoE server

PPPoE server was imported from EdgeOS.

An example:

# show service pppoe-server 
 access-concentrator MyISP
 authentication {
     local-users {
         username jrandomhacker {
             password qwerty
             static-ip 192.0.2.10
         }
     }
     mode local
 }
 client-ip-pool {
     start 192.0.2.100
     stop 192.0.2.200
 }
 dns-servers {
     server-1 203.0.113.10
     server-2 203.0.113.20
 }
 interface eth0
 local-ip 192.0.2.1
 service-name MyISP

RADIUS authentication is also supported, all in all, the options are very similar to PPTP and L2TP servers.

DHCP server

Support for dynamic hostfile updates:

set service dhcp-server hostfile-update <enable|disable>

Misc

Simple CLI for iperf (always uses TCP/5001 for now):

run monitor bandwidth-test accept

run monitor bandwidth-test initiate 192.0.2.1

The "run show tech-support" command strips private information from the config now.

Web proxy

An option to modify the outgoing address:

set service webproxy outgoing-address 203.0.113.14

New op mode commands for monitoring web proxy logs:

run monitor webproxy access-log
run monitor webproxy cache-log

BGP large communities

set policy large-community-list Foo rule 10 action permit
set policy large-community-list Foo rule 10 regex 4000000:33333
set policy large-community-list Foo rule 20 action deny
set policy large-community-list Foo rule 20 regex '^$'

set policy route-map Bar rule 10 action permit
set policy route-map Bar rule 10 match large-community large-community-list Foo

Scripting

Script execution

Scripts run from VRRP transition script options, load balancing, and cron jobs now automatically use the correct GID to prevent config permissions issues.

Persistent pre/post-commit hook scripts can now be stored in /config/commit/pre-hooks.d and /config/commit/post-hooks.d

Custom post-upgrade scripts can be stored in /config/scripts/post-update.d

Built-in environment variables

The following environment variables are now available: vyos_prefix, vyos_datarootdir, vyos_bindir, vyos_sbindir, vyos_libdir, vyos_libexecdir, vyos_datadir, vyos_op_templates, vyos_cfg_templates, vyos_configdir. They should always be used instead of old vyatta_* equivalents or hardcoded paths for forward compatibility.

Python API for reading the config

The Python module for reading VyOS config is now included in the image and can be used by VyOS features written in Python as well as user scripts. It supports Python3.

Example:

vyos@vyos# python3
>>> import vyos.config

>>> c = vyos.config.Config()

>>> c.return_value("system host-name")
'vyos'

>>> c.list_nodes("interfaces ethernet")
['eth0']

The most essential functions of Vyatta::Config are supported.

Python API for migration scripts

See [1] for an example.

Upgrade notes

If you are upgrading from a release prior to 1.1.0, it is recommended to first upgrade to 1.1.8 before upgrading to 1.2.0. Upgrading directly from older releases may result in a non-bootable image.

Compatibility notes

Telnet server

Telnet server is no longer included in VyOS. It may be re-implemented with different packages if anyone can provide a good reason to do so.

Firewall

p2p filtering is no longer available. We may reimplement it in the future based on better solutions if there's demand for it.

Installation

The "install system" command is no longer available. It has been deprecated ever since image-based installation was introduced in 2010.

Package repositories

The "system package" command family was removed. The only supported upgrade method is image upgrade, and it's easy to build images with custom packages if required. You can still edit the /etc/apt/sources.list file at your own risk.

Removed commands

The "run reset vrrp master" command was removed due to its fragile implementation and unfortunate interaction with preemption. You can force transition by disabling VRRP groups.

Syntax changes

DNS forwarding

The "service dns forwarding listen-on" is now deprecated and superseded by "service dns forwarding listen-address". It will continue to work with a warning, but may produce unexpected results, such as listening only on some of the addresses. For best results, specify addresses to listen on with the new "listen-address" option.

BGP

BGP now uses "address-family ipv4-unicast" for all address-family specific options. IPv4-specific global options such as "network" are also under "protocols bgp ... address-family ipv4-unicast" now. Example:

 bgp 64793 {
     address-family {
         ipv4-unicast {
             aggregate-address 203.0.113.0/24 {
                 as-set
                 summary-only
             }
             network 203.0.113.0/25 {
             }
         }
     }
     neighbor 192.0.2.10 {
         address-family {
             ipv4-unicast {
                 allowas-in {
                     number 10
                 }
                 as-override
                 attribute-unchanged {
                     as-path
                     med
                     next-hop
                 }
                 capability {
                     orf {
                         prefix-list {
                             receive
                             send
                         }
                     }
                 }
                 default-originate {
                     route-map Test
                 }
                 filter-list {
                     export 10
                     import 10
                 }
                 maximum-prefix 100
                 prefix-list {
                     export Test
                     import Test
                 }
                 remove-private-as
                 route-map {
                     export Test
                     import Test
                 }
                 route-server-client
                 soft-reconfiguration {
                     inbound
                 }
                 unsuppress-map Test
                 weight 23
             }
         }
         capability {
             dynamic
         }
         remote-as 64600
     }
  }
}

Automated migration from the old BGP syntax is provided.

DHCP server

The syntax of the range declaration is now:

service dhcp-server shared-network-name Foo subnet 192.0.2.0/24 range Bar start 192.0.2.100
service dhcp-server shared-network-name Foo subnet 192.0.2.0/24 range Bar stop 192.0.2.200

The change was made for ease of changing the start address, and for consistency with other similar options.

Additionally, the following nodes are now valueless rather than boolean: authoritative, ip-forwarding enable.

Automated migration is provided for those options.

Operational mode commands

Traffic dump

The syntax of the "run monitor interfaces ... traffic" has changed.

The new syntax is:

run monitor traffic interface $intfName

CLI changes

  • smp_affinity option is now called smp-affinity for consistency with everything else (automated migration is provided)
  • GRE key option now supports the full range (0-4294967295)
  • "load" command now supports HTTP protocol and HTTP/301 redirects
  • "commit-archive" now supports SFTP option

Behaviour changes

  • VyOS no longer acts as an NTP server by default. You can enable it with "set system ntp server allow-access"
  • Commit now fails on DHCPv6 client configuration errors (e.g. trying to set mutually exclusive options)
  • Default STP priority for bridges is now 32768
  • Installation-time password setup is now using SHA512 instead of MD5.
  • BGP no longer enables IPv4 address family for peers with IPv4 addresses if "no-default-ipv4-unicast" option is set.

SNMP sysDescr and OID

SNMP sysDescr is now "VyOS $version" rather than "Vyatta $version". LibreNMS and Observium already include necessary changes to correctly recognize VyOS as what it is. Other monitoring systems may need to be reconfigured and/or updated to be made aware of this.

Also, VyOS now uses its own PEN/OID 44641 instead of the old Vyatta one. Most SNMP tools rely only on sysDescr, but those that don't may stop recognizing VyOS without necessary updates.

Deprecated features

Configs from Vyatta Core releases older than VC 6.5

Since 1.0.0, VyOS has been theoretically capable of loading configs from any Vyatta Community/Core release down to Vyatta 1.0. VyOS 1.2.0 will be the last release to support backwards compatibility with old versions.

Starting with VyOS 1.3.0, only config files from VyOS 1.0.0 or newer and Vyatta Core 6.5 (released in 2012) or newer will be supported. The reasons for it are lack of real testing of that compatibility, rarity of such old versions, and need for config migration system overhaul.

Release history

1.2.0-rc1

1.2.0-rc1 was released on 2018 October the 08th and after a series of subsequent release candidates is expected to become the next LTS release.

Known issues

Some people report an issue with routers responding to all ARP requests when VTI is enabled (T852).

DMVPN is reported to not always work in hub mode (T848).

Resolved issues

Note: During development of the 1.2.0 release, VyOS moved from Bugzilla to Phabricator.

The list of issues resolved in or scheduled for this release since the migration can be viewed using this query: https://phabricator.vyos.net/search/query/ysLEzUbOmo4I/

The old Bugzilla installation is kept accessible in read only mode for historical reasons. Below is the list of resolved issues that were created during the Bugzilla time or weren't assigned issue numbers at all.

Task ID Severity Title Contributor
<none> New build system implementation Enhancement Daniil Baturin, Kim Hagen
<none> Porting the system to Debian Jessie Kim Hagen, Alex Harpin, Tom Jepp, Mihail Vasiliev, Daniil Baturin
Bug #411 Minor Loading SSH key with spaces in comment fails Jared R. Baldridge
Bug #287 Enhancement Add dynamic dns support for afraid.org/freedns Alex Harpin
Bug #467 Minor ToS inherit not turned on by default on tunnels (IPIP, GRE) Kim Hagen
Bug #352 Enhancement Support for changing the ethertype value of vif-s Kim Hagen
Bug #455 Enhancement Support for DDNS update from behind NAT (using the web update) Alex Harpin
Bug #408 Enhancement Support for multiple servers in DNS forwarding domain overrides Alex Harpin
Bug #486 Minor Do not add unnecessary blank search domains Alex Harpin
Bug #356 Enhancement Use a new PEN instead of the old Vyatta PEN for SNMP OID Daniil Baturin
Bug #492 Minor Fail commit on DHCPv6 client configuration errors Daniil Baturin
Bug #389 Enhancement Add support for RFC 2136 Benjamin Beret
Bug #94 Enhancement Make VyOS listening for NTP client requests optional Alex Harpin, Daniil Baturin
Bug #106 Major Ensure grub is installed to the raid slave members Alex Harpin
Bug #507 Enhancement Accept custom dyndns services Benjamin Beret
Bug #512 Minor Set Default STP priority to 32768 Benjamin Beret
Bug #541 Major Load l2tp_ip6 module so L2TPv3 over IPv6 can work Daniil Baturin
<none> Enhancement Allow dhcp interface for the local end of a tunnel Carl Byington
<none> Enhancement DHCP bound/reboot must ignore old values Carl Byington
Bug #476 Enhancement Prevent deletion of system based post-hook symlinks Alex Harpin
Bug #579 Enhancement Use sha-512 instead of md5 for installation password Alex Harpin
Bug #18 Enhancement Rename smp_affinity to smp-affinity Alex Harpin
Bug #495 Minor Enable usb autosuspend to reduce cpu usage on kvm Alex Harpin
Bug #619 Enhancement Add restart option to vyatta-dns-forwarding.pl Alex Harpin
Bug #631 Enhancement Add 6rd tunnel support Seamus Caveney
T262 Enhancement Allow full integer range for GRE tunnel key Helge Sychla
<none> Major Fix vyatta-dns-forwarding.pl after merged pull request #53 Lauris BH
T167 Major "set service ssh allow-root" does not function Ewald van Geffen
<none> Enhancement Fix to generate correct NTP config when specifying ipv6 servers. sayo
Bug #456 Enhancement Add simple CLI for iperf Daniil Baturin
Bug #459 Enhancement remove unused reboot configuration nodes Alex Harpin
Bug #460 Enhancement Update the system poweroff cli command to be script based Alex Harpin
Bug #461 Enhancement Replace 'show shutdown' with 'show poweroff' and use script Alex Harpin
Bug #567 Minor Make strip-private remove usernames and SSH keys Alex Harpin
Bug #610 Enhancement Skip unknown interfaces in "show interfaces counters/detail" Alex Harpin
Bug #619 Enhancement Implemented a DNS forwarder restart command - "restart dns forwarding" Tom Jepp
T Major "monitor firewall name <name>" does not monitor any firewall-log-entry Ewald van Geffen
T283 Enhancement Add CLI command to regenerate SSH server host keys Chris Freas
Bug #387 Enhancement Add initial support for NPTv6 Benjamin Beret
Bug #493 Enhancement Only create nat object for testing changed or added rules Alex Harpin
Bug #434 Enhancement Allow OpenVPN clients to connect without requiring options Alex Harpin
Bug #428 Enhancement Add support for HFSC scheduler in VyOS QoS Benjamin Beret
Bug #513 Enhancement TCP SYN, TCP ACK, max-len matching in QoS rules Benjamin Beret
Bug #446 Enhancement add fq_codel queueing discipline Carl Byington
<none> Enhancement Add kludge to setup IPv6 routes for policy routing. William Steve Applegate
<none> Enhancement Allow dhcp-interface for the next-hop on static routes Carl Byington
Bug #581 Major Set source-validation node priority after interface Alex Harpin
T132 Enhancement Allow to configure a route-map to apply to local routes Sylvain Munaut
<none> Enhancement Add Border Gateway Protocol extommunities support on route-map parameter. Elizandro Pacheco
<none> Enhancement Initial porting of the IPsec configuration scripts to StrongSWAN 5.x Jeff Leung, Ryan Riske, C.J. Collier, Kim Hagen
Bug #359 Enhancement Validate peer address for vti based vpn connections Alex Harpin
Bug #213 Enhancement Validate local address for vti based vpn connections Alex Harpin
<none> Enhancement Allow the user to include a custom ipsec.secrets file. Jeff Leung
<none> Enhancement Add ChaCha20 Poly1305 cipher as an available cipher for IKE exchanges. Jeff Leung
T137 Major Fix VTI interface configuration to set both ikey and okey Sylvain Munaut
T126 Minor charon listening on ALL interfaces Tania Dziubenko
<none> Enhancement Idle timeout and ESP lifetime options in L2TP/IPsec Carl Byington
T189 Major ipsec/l2tp in Vyos current doesn't start Kim Hagen
<none> Major Replace "--vyatta-workaround" keepalived option with upstream version "--release-vips" Kim Hagen
Bug #511 Enhancement Add dynamic hostfile-updates Brian Hart, bradd, itsmarcos, ruudboon, chibby85
Bug #602 Disable p2p option in firewall config Alex Harpin
Bug #623 Enhancement Check rules for errors before processing them Alex Harpin
Bug #628 Enhancement Update network-group check to allow "this" (0.0.0.0/8) network Alex Harpin
Bug #538 Enhancement Add scripts for running user commit hooks. Daniil Baturin
Bug #509 Trivial Fix formatting issue with top level cli merge command Alex Harpin
Bug #564 Minor Remove unused unionfs mounts following unclean config exits Alex Harpin
Bug #593 Minor Double quoted config values ending in \ are not reboot safe Alex Harpin
Bug #584 Enhancement Allow sftp as copy and commit-archive location destination. Leon Messner
<none> Enhancement Implement a Python counterpart of the Perl Vyatta::Config Daniil Baturin, Tania Dziubenko, Christian Poessinger
Bug #501 Enhancement Use 'intercept' instead of 'transparent' in squid.conf Alex Harpin
Bug #503 Enhancement Add monitoring of the squid access and cache logs Alex Harpin
Bug #596 Enhancement An option to set outgoing webproxy address Maciej Pasiak, Alex Harpin, Daniil Baturin
Bug #441 Minor Ensure the load balancing daemon is stopped Alex Harpin