1.2.0/release notes



1.2.0 (lithium) is a feature expansion release following the 1.1.x line (helium).

1.2.0-rc1 was released on ... and after a series of subsequent release candidates is expected to become the next LTS release.

New features


Support for changing the ethertype of the QinQ interface between 0x88A8 (802.1ad) and 0x8100 (802.1q) for compatibility with different implementations:

set interfaces ethernet eth0 vif-s 42 ethertype <0x88A8|0x8100>

Support for dhcp-interface option for the local end of GRE/IPIP/etc. tunnels:

set interfaces tunnel tun0 dhcp-interface eth0

Support for 6rd tunnels:

set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 6rd-prefix 2001:db8::/64

Support for proxy-arp-pvlan on VLAN interfaces:

set interfaces ethernet eth0 vif 40 ip proxy-arp-pvlan 


Experimental support for IPv6 policy routing:

set protocols static table 10 route6 ::/0 next-hop 2001:db8::1

set policy ipv6-route Foo rule 10 set table 10

set interfaces ethernet eth0 policy ipv6-route Foo

Static routes support dhcp-interface option:

set protocols static route dhcp-interface eth0

Fixed command for matching IPv6 next-hop in route-maps:

set policy route-map Foo rule 10 match ipv6 nexthop 2001:db8::1

Dynamic DNS

Support for afraid.org:

set service dns dynamic interface eth0 service afraid host-name mydomain.example.com
set service dns dynamic interface eth0 service afraid login jrandomhacker
set service dns dynamic interface eth0 service afraid password qwerty

Support for DDNS updates from behind NAT:

set service dns dynamic interface eth0 use-web url http://dyndns.example.com/?user=jrandomhacker&password=qwerty&domain=mydomain.example.com

Support for RFC2136:

set service dns dynamic interface eth0 rfc2136

Support for custom dyndns services:

set service dns dynamic interface eth0 service ExampleDNS host-name mydomain.example.com
set service dns dynamic interface eth0 service ExampleDNS server dydns.example.com
set service dns dynamic interface eth0 service ExampleDNS protocol dyndns2 # or another, see the completion

mDNS repeater

set service mdns-repeater interface eth0

Broadcast relay

set service bcast-relay id 1 interface eth0 # interface to relay to
set service bcast-relay id 1 address # source address
set service bcast-relay id 1 port 5000
set service bcast-relay id 1 description "some service"

DNS forwarding

Support for multiple servers in domain overrides:

vyos@vyos# set service dns forwarding domain example.com server
vyos@vyos# set service dns forwarding domain example.com server

vyos@vyos-current-test# show service dns 
+forwarding {
+    domain example.com {
+        server
+        server
+    }

IPv6 name servers are now allowed:

set service dns forwarding name-server 2001:db8:ff::50

Operational mode command to restart the dnsmasq service:

run restart dns forwarding


Support for NPTv6:

set nat nptv6 rule 10 outbound-interface eth0
set nat nptv6 rule 10 source prefix 2001:db8:aa::/64
set nat nptv6 rule 10 translation prefix 2001:db8:bb::/64


Support for new SSH ciphers: aes128-gcm, aes256-gcm, chacha20-poly1305, 3des-cbc.

A command for (re)generating the SSH server key pair:

run generate ssh-server-key

Support for SSH user and group access control is a work in progress, and the CLI for it is likely to change.

High availability

Support for IPv6 VRRP:

set interfaces ethernet eth0 vrrp vrrp-group 1 virtual-address 2001:db8:ab::1/64


A command for generating remote side config for a tunnel:

run show remote-config openvpn vtunX


Support for including custom secrets and config files:

set vpn ipsec include-ipsec-secrets /config/auth/ipsec.secrets
set vpn ipsec include-ipsec-conf /config/ipsec/mytunnel.conf

New ciphers for IKEv2: ChaCha20-Poly1305

Idle timeout and ESP lifetime options in L2TP/IPsec server.


Support for HFSC scheduler: CLI analogous to the shaper.

TCP flag matching:

set traffic-policy shaper Foo class 1 match Bar ip tcp <syn|ack>

fq_codel queueing discipline:

set traffic-policy fq-codel Foo codel-quantum <0-4294967295> # Number of bytes used as 'deficit' (default 1514)
set traffic-policy fq-codel Foo flows <0-4294967295> # Number of flows (default 1024)
set traffic-policy fq-codel Foo queue-limit <1-11000> # Queue size in packets (default 10240)
set traffic-policy fq-codel Foo interval <0-4294967295> # Interval (milliseconds) used to measure the delay (default 100)
set traffic-policy fq-codel Foo target <0-4294967295> # Acceptable minimum queue delay (milliseconds)

PPPoE server

PPPoE server was imported from EdgeOS.

An example:

# show service pppoe-server 
 access-concentrator MyISP
 authentication {
     local-users {
         username jrandomhacker {
             password qwerty
     mode local
 client-ip-pool {
 dns-servers {
 interface eth0
 service-name MyISP

RADIUS authentication is also supported. All in all, the options are very similar to those of the PPTP and L2TP servers.

DHCP server

Support for dynamic hostfile updates:

set service dhcp-server hostfile-update <enable|disable>


Simple CLI for iperf (always uses TCP/5001 for now):

run monitor bandwidth-test accept

run monitor bandwidth-test initiate

The "run show tech-support" command now strips private information from the config.

Web proxy

An option to modify the outgoing address:

set service webproxy outgoing-address

New op mode commands for monitoring web proxy logs:

run monitor webproxy access-log
run monitor webproxy cache-log


Script execution

Scripts run from VRRP transition script options now automatically use the correct GID to prevent config permissions issues.

Persistent pre/post-commit hook scripts can now be stored in /config/commit/pre-hooks.d and /config/commit/post-hooks.d

Built-in environment variables

The following environment variables are now available: vyos_prefix, vyos_datarootdir, vyos_bindir, vyos_sbindir, vyos_libdir, vyos_libexecdir, vyos_datadir, vyos_op_templates, vyos_cfg_templates, vyos_configdir. For forward compatibility, they should always be used instead of the old vyatta_* equivalents or hardcoded paths.

Python API for reading the config

The Python module for reading VyOS config is now included in the image and can be used by VyOS features written in Python as well as by user scripts. It supports Python 3.


vyos@vyos# python3
>>> import vyos.config

>>> c = vyos.config.Config()

>>> c.return_value("system host-name")

>>> c.list_nodes("interfaces ethernet")

The most essential functions of Vyatta::Config are supported.
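
A script built on these two calls can audit the running config. The following is an added example, not code from VyOS: it walks the "use-web url" nodes from the Dynamic DNS section and reports URLs that carry a password in the query string. StubConfig, SECRET_PARAMS and the sample commands are hypothetical, and return_value is assumed to return None for an unset node.

```python
from urllib.parse import urlsplit, parse_qsl

DDNS_BASE = "service dns dynamic interface"
# Query parameter names treated as secrets (an assumption of this example).
SECRET_PARAMS = {"password", "passwd", "pass", "token", "key"}


class StubConfig:
    """Offline stand-in with the two methods shown above (hypothetical helper).
    On a router, pass vyos.config.Config() to audit_ddns() instead."""

    def __init__(self, set_commands):
        # Keep the path words of every "set ..." line.
        self.paths = [c.split()[1:] for c in set_commands if c.startswith("set ")]

    def list_nodes(self, path):
        n = len(path.split())
        names = []
        for p in self.paths:
            if len(p) > n and p[:n] == path.split() and p[n] not in names:
                names.append(p[n])
        return names

    def return_value(self, path):
        n = len(path.split())
        for p in self.paths:
            if len(p) == n + 1 and p[:n] == path.split():
                return p[n]
        return None  # assumed behaviour for an unset node


def audit_ddns(conf):
    """Return (interface, finding) pairs for use-web URLs that carry secrets."""
    findings = []
    for iface in conf.list_nodes(DDNS_BASE):
        url = conf.return_value(f"{DDNS_BASE} {iface} use-web url")
        if not url:
            continue
        parts = urlsplit(url)
        secrets = sorted(k for k, _ in parse_qsl(parts.query) if k.lower() in SECRET_PARAMS)
        if secrets:
            how = "in URL" if parts.scheme == "https" else "sent in cleartext"
            findings.append((iface, f"{','.join(secrets)} {how}"))
    return findings


# Constructed sample, modelled on the commands in these release notes.
SAMPLE = [
    "set service dns dynamic interface eth0 use-web url "
    "http://dyndns.example.com/?user=jrandomhacker&password=qwerty&domain=mydomain.example.com",
    "set service dns dynamic interface eth1 use-web url https://dyndns.example.com/?domain=mydomain.example.com",
    "set service dns dynamic interface eth2 rfc2136",
]
```

Calling audit_ddns(StubConfig(SAMPLE)) flags only eth0, whose update URL sends the password over plain HTTP.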

Compatibility notes

Telnet server

Telnet server is no longer included in VyOS. It may be re-implemented with different packages if anyone can provide a good reason to do so.


p2p filtering is no longer available. We may reimplement it in the future based on better solutions if there's demand for it.


The "install system" command (that has been deprecated ever since image-based installation was introduced in 2010) is no longer available.

CLI changes

  • smp_affinity option is now called smp-affinity for consistency with everything else (automated migration is provided)
  • GRE key option now supports the full range (0-4294967295)
  • "load" command now supports HTTP protocol and HTTP/301 redirects
  • "commit-archive" now supports SFTP option

Behaviour changes

  • VyOS no longer acts as an NTP server by default. You can enable it with "set system ntp server allow-access"
  • Commit now fails on DHCPv6 client configuration errors (e.g. trying to set mutually exclusive options)
  • Default STP priority for bridges is now 32768
  • Installation-time password setup is now using SHA512 instead of MD5.

SNMP sysDescr and OID

SNMP sysDescr is now "VyOS $version" rather than "Vyatta $version". LibreNMS and Observium already include necessary changes to correctly recognize VyOS as what it is. Other monitoring systems may need to be reconfigured and/or updated to be made aware of this.

Also, VyOS now uses its own PEN/OID 44641 instead of the old Vyatta one. Most SNMP tools rely only on sysDescr, but those that don't may stop recognizing VyOS without necessary updates.

Resolved issues

Task ID | Severity | Title | Contributor
<none> | Enhancement | New build system implementation | Daniil Baturin, Kim Hagen
<none> | | Porting the system to Debian Jessie | Kim Hagen, Alex Harpin, Tom Jepp, Mihail Vasiliev, Daniil Baturin
Bug #411 | Minor | Loading SSH key with spaces in comment fails | Jared R. Baldridge
Bug #287 | Enhancement | Add dynamic dns support for afraid.org/freedns | Alex Harpin
Bug #467 | Minor | ToS inherit not turned on by default on tunnels (IPIP, GRE) | Kim Hagen
Bug #352 | Enhancement | Support for changing the ethertype value of vif-s | Kim Hagen
Bug #455 | Enhancement | Support for DDNS update from behind NAT (using the web update) | Alex Harpin
Bug #408 | Enhancement | Support for multiple servers in DNS forwarding domain overrides | Alex Harpin
Bug #486 | Minor | Do not add unnecessary blank search domains | Alex Harpin
Bug #356 | Enhancement | Use a new PEN instead of the old Vyatta PEN for SNMP OID | Daniil Baturin
Bug #492 | Minor | Fail commit on DHCPv6 client configuration errors | Daniil Baturin
Bug #389 | Enhancement | Add support for RFC 2136 | Benjamin Beret
Bug #94, T553 | Enhancement | Make VyOS listening for NTP client requests optional | Alex Harpin, Daniil Baturin
Bug #106 | Major | Ensure grub is installed to the raid slave members | Alex Harpin
Bug #507 | Enhancement | Accept custom dyndns services | Benjamin Beret
Bug #512 | Minor | Set Default STP priority to 32768 | Benjamin Beret
Bug #541 | Major | Load l2tp_ip6 module so L2TPv3 over IPv6 can work | Daniil Baturin
<none> | Enhancement | Allow dhcp interface for the local end of a tunnel | Carl Byington
<none> | Enhancement | DHCP bound/reboot must ignore old values | Carl Byington
Bug #476 | Enhancement | Prevent deletion of system based post-hook symlinks | Alex Harpin
Bug #579 | Enhancement | Use sha-512 instead of md5 for installation password | Alex Harpin
Bug #18 | Enhancement | Rename smp_affinity to smp-affinity | Alex Harpin
Bug #495 | Minor | Enable usb autosuspend to reduce cpu usage on kvm | Alex Harpin
Bug #619 | Enhancement | Add restart option to vyatta-dns-forwarding.pl | Alex Harpin
Bug #631 | Enhancement | Add 6rd tunnel support | Seamus Caveney
T178 | Enhancement | Add support for pvlan-proxy-arp on vif sub-interfaces | Diego Garcia del Rio
T262 | Enhancement | Allow full integer range for GRE tunnel key | Helge Sychla
T285 | Enhancement | Add flag for DNSmasq to query all DNS servers | Brennent Smith
T286 | Major | Fix resolv-file configuration problem | rtsp
<none> | Major | Fix vyatta-dns-forwarding.pl after merged pull request #53 | Lauris BH
T167 | Major | "set service ssh allow-root" does not function | Ewald van Geffen
<none> | Enhancement | Fix to generate correct NTP config when specifying ipv6 servers. | sayo
T331 | Major | root should be set to md/X instead of md/mdX | Jose Irigon de Irigon
T198 | Major | Fix typos in the l2tpv3 script | Thomas Courbon
T437 | Major | Fixed system option "Ctrl-Alt-Delete action" broken | Christian Poessinger
T414 | | Remove 'telnet' service | Christian Poessinger
T488 | Major | GRUB can't boot from software RAID | Christian Poessinger
T496 | Minor | Remove diagnostic partition for RAID1 installs | Christian Poessinger
T297 | Enhancement | Fix DNS Forwarding server does not allow IPv6 address in name-server | Christian Poessinger
T507 | Enhancement | Support for new SSH ciphers and key exchange algorithms | Christian Poessinger
T122 | | Support for SSH user and group access controls | Alain Lamar
Bug #456 | Enhancement | Add simple CLI for iperf | Daniil Baturin
Bug #459 | Enhancement | remove unused reboot configuration nodes | Alex Harpin
Bug #460 | Enhancement | Update the system poweroff cli command to be script based | Alex Harpin
Bug #461 | Enhancement | Replace 'show shutdown' with 'show poweroff' and use script | Alex Harpin
Bug #567 | Minor | Make strip-private remove usernames and SSH keys | Alex Harpin
Bug #610 | Enhancement | Skip unknown interfaces in "show interfaces counters/detail" | Alex Harpin
Bug #619 | Enhancement | Implemented a DNS forwarder restart command - "restart dns forwarding" | Tom Jepp
T | Major | "monitor firewall name <name>" does not monitor any firewall-log-entry | Ewald van Geffen
T146 | Enhancement | Support serial console on any ttyS | Geoff Adams
T272 | Enhancement | Add scripts and templates for generating remote side OpenVPN configs | Daniil Baturin
T283 | Enhancement | Add CLI command to regenerate SSH server host keys | Chris Freas
T394 | Enhancement | copy vyatta_* environment variables to vyos_* equivalents. | Daniil Baturin
T328 | Enhancement | Change 'show tech-support' behavior to always strip-private | Christian Poessinger
T157 | | Remove "install system" command | Christian Poessinger
Bug #387 | Enhancement | Add initial support for NPTv6 | Benjamin Beret
Bug #493 | Enhancement | Only create nat object for testing changed or added rules | Alex Harpin
Bug #434 | Enhancement | Allow OpenVPN clients to connect without requiring options | Alex Harpin
Bug #428 | Enhancement | Add support for HFSC scheduler in VyOS QoS | Benjamin Beret
Bug #513 | Enhancement | TCP SYN, TCP ACK, max-len matching in QoS rules | Benjamin Beret
Bug #446 | Enhancement | add fq_codel queueing discipline | Carl Byington
T453 | Enhancement | 'tc' filter syntax adjustment | Carl Byington
T202 | Enhancement | Include generated templates for l2tpv3 and dummy links in the QoS package | Daniil Baturin
<none> | Enhancement | Add kludge to setup IPv6 routes for policy routing. | William Steve Applegate
<none> | Enhancement | Allow dhcp-interface for the next-hop on static routes | Carl Byington
Bug #581 | Major | Set source-validation node priority after interface | Alex Harpin
T52 | Enhancement | Add "ospf route-map" command | Mihail Vasilev
T132 | Enhancement | Allow to configure a route-map to apply to local routes | Sylvain Munaut
<none> | Enhancement | Add Border Gateway Protocol extcommunities support on route-map parameter. | Elizandro Pacheco
T23 | Minor | Unable to remove rule from prefix list | Kim Hagen
T345 | Minor | Probe for interface existence | Christian Poessinger
T545 | Major | Fixing IPv6 next-hop for route-map | Nick Pratley
<none> | Enhancement | Initial porting of the IPsec configuration scripts to StrongSWAN 5.x | Jeff Leung, Ryan Riske, C.J. Collier, Kim Hagen
Bug #359 | Enhancement | Validate peer address for vti based vpn connections | Alex Harpin
Bug #213 | Enhancement | Validate local address for vti based vpn connections | Alex Harpin
<none> | Enhancement | Allow the user to include a custom ipsec.secrets file. | Jeff Leung
<none> | Enhancement | Add ChaCha20 Poly1305 cipher as an available cipher for IKE exchanges. | Jeff Leung
T287 | Minor | Add missingok to logrotate for ipsec | Paul Gear
T137 | Major | Fix VTI interface configuration to set both ikey and okey | Sylvain Munaut
T126 | Minor | charon listening on ALL interfaces | Tania Dziubenko
<none> | Enhancement | Idle timeout and ESP lifetime options in L2TP/IPsec | Carl Byington
T189 | Major | ipsec/l2tp in Vyos current doesn't start | Kim Hagen
T274 | Major | L2TP Server: can't connect from macosx behind nat | Christian Poessinger
T434 | Major | Fix RADIUS client authentication | Christian Poessinger
<none> | Major | Replace "--vyatta-workaround" keepalived option with upstream version "--release-vips" | Kim Hagen
T74 | Critical | Fix VRRP in nightly development builds | Kim Hagen
<none> | Enhancement | Add support for IPv6 VRRP | Florian Fuessl
T460 | Major | Disable attempts to compare VRRP states to avoid running transition script on keepalived restart (which prevented them from ever running at all). | Daniil Baturin
T462 | Enhancement | setgid to vyattacfg in the transition script runner. | Daniil Baturin
Bug #511 | Enhancement | Add dynamic hostfile-updates | Brian Hart, bradd, itsmarcos, ruudboon, chibby85
Bug #602 | | Disable p2p option in firewall config | Alex Harpin
Bug #623 | Enhancement | Check rules for errors before processing them | Alex Harpin
Bug #628 | Enhancement | Update network-group check to allow "this" ( network | Alex Harpin
Bug #538 | Enhancement | Add scripts for running user commit hooks. | Daniil Baturin
Bug #509 | Trivial | Fix formatting issue with top level cli merge command | Alex Harpin
Bug #564 | Minor | Remove unused unionfs mounts following unclean config exits | Alex Harpin
Bug #593 | Minor | Double quoted config values ending in \ are not reboot safe | Alex Harpin
Bug #584 | Enhancement | Allow sftp as copy and commit-archive location destination. | Leon Messner
T281 | Enhancement | Add HTTPS support to the load command and improve HTTP support | Christian Poessinger
<none> | Enhancement | Implement a Python counterpart of the Perl Vyatta::Config | Daniil Baturin, Tania Dziubenko, Christian Poessinger
Bug #501 | Enhancement | Use 'intercept' instead of 'transparent' in squid.conf | Alex Harpin
Bug #503 | Enhancement | Add monitoring of the squid access and cache logs | Alex Harpin
Bug #596 | Enhancement | An option to set outgoing webproxy address | Maciej Pasiak, Alex Harpin, Daniil Baturin
T411 | Enhancement | Remove the legacy config statement that prevents squid from working | Alain Lamar
T412 | Enhancement | Allow rsync in the safe ports squid ACL | Alain Lamar
Bug #441 | Minor | Ensure the load balancing daemon is stopped | Alex Harpin