VyOS 1.3.0-rc6, the last release candidate
VyOS 1.3.0-rc6 release candidate image is now available for download. Quite some time passed between 1.3.0-rc5 and this release, mostly due to an IPsec bug that prevented certain configs from being either loaded or deleted, but it's fixed now. This is also the last release candidate before we enter the "early production access" phase—the finish line of the LTS release stabilization process.
Read on for details!
First, let's discuss the plan. Our idea of release candidate images is that they are safe for non-critical production use (e.g. home networks, labs, auxiliary routers in big networks), but still can change in ways that would be unacceptable for LTS releases, for example, command syntax may change.
The release candidate phase is followed by an "early production access" phase when the branch is treated as an LTS release: the config syntax and behavior are finalized, and the only possible changes are bug fixes and feature backports that don't change the command syntax and behavior of any existing features.
While in the release candidate phase, we already made quite a few syntax changes. The most recent change was moving the BGP maximum-paths option under the address-family tree. Such changes do not break existing configs because we have a syntax migration mechanism. However, they would break automation scripts, so we couldn't do that to an LTS release.
We are going to use the fact that we are still in the RC phase to make one last syntax change: conntrack modules will be disabled by default and will need to be enabled. To preserve the behavior of existing configs, we will automatically enable them all in the config on upgrade, so old installations will work exactly like before; only new ones will need to take the change into account. That change is already in the current/1.4 branch and is being tested. When it's merged into 1.3, at the end of August we will make a 1.3.0-epa1 image and transition to the final stabilization phase.
Prebuilt epa* images will be available for download until the 1.3.0 LTS release goes GA—after that point prebuilt 1.3.x images will only be available for subscribers, just like 1.2.x images now. Remember that we are happy to give free contributor subscriptions to everyone who actively participates in the project, whether by contributing code, testing images, or writing documentation. If you have not contributed yet, it's a perfect time to grab the 1.3.0-rc6 image and start testing it. If you've already made a few contributions, then you can apply for a subscription.
Now let's talk about the improvements we made in August.
Bridge VLAN settings
It's now possible to use VyOS as a VLAN-aware bridge—either as a managed switch stand-in if you need VLAN switching right now and have no suitable switch, or, better, as a transparent firewall.
    # Enable VLAN switching on a bridge
    set interfaces bridge br0 enable-vlan

    # Set allowed VLANs for a trunk port
    # It's a multi node, no need for comma-separated values: add VLANs 35 and 82
    set interfaces bridge br0 member interface eth0 allowed-vlan 35
    set interfaces bridge br0 member interface eth0 allowed-vlan 82

    # You can add VLAN ranges, too
    set interfaces bridge br0 member interface eth0 allowed-vlan 1000-2000

    # Make eth1 a "private VLAN" interface to prevent communication between ports
    set interfaces bridge br0 member interface eth1 isolated
While CPU-based VLAN switching isn't the fastest thing in the world, it still has its place and now it's possible to do.
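When a VLAN-aware bridge is used as a transparent firewall, it helps to review exactly which VLAN IDs each member port admits. The following is an added example, not code from the VyOS project: a small Python audit that reads `set` commands in the syntax shown above, expands the multi-node `allowed-vlan` values and ranges, and reports per-port VLAN sets and the `isolated` flag. The sample config, the extra `eth1 allowed-vlan 82` line and the function names are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample: the commands from this section plus one extra
# allowed-vlan line for eth1 (an assumption made for the demonstration).
SAMPLE = """\
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth0 allowed-vlan 35
set interfaces bridge br0 member interface eth0 allowed-vlan 82
set interfaces bridge br0 member interface eth0 allowed-vlan 1000-2000
set interfaces bridge br0 member interface eth1 allowed-vlan '82'
set interfaces bridge br0 member interface eth1 isolated
"""
MEMBER = re.compile(r"^set interfaces bridge (\S+) member interface (\S+)(?: (\S+)(?: (\S+))?)?$")
VLAN_AWARE = re.compile(r"^set interfaces bridge (\S+) enable-vlan$")

def expand(value):
    """Turn '35' or '1000-2000' into a set of VLAN IDs, rejecting bad input."""
    lo, _, hi = value.strip("'").partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 4094:  # valid 802.1Q VLAN IDs
        raise ValueError(f"invalid VLAN range: {value}")
    return set(range(lo, hi + 1))

def audit(config_text):
    """Return {bridge: {'vlan_aware': bool, 'members': {port: {...}}}}."""
    bridges = defaultdict(lambda: {"vlan_aware": False, "members": {}})
    for line in config_text.splitlines():
        line = line.strip()
        if m := VLAN_AWARE.match(line):
            bridges[m.group(1)]["vlan_aware"] = True
        elif m := MEMBER.match(line):
            br, port, key, val = m.groups()
            member = bridges[br]["members"].setdefault(port, {"vlans": set(), "isolated": False})
            if key == "allowed-vlan" and val:
                member["vlans"] |= expand(val)
            elif key == "isolated":
                member["isolated"] = True
    return dict(bridges)

def shared_vlans(bridge, port_a, port_b):
    """VLAN IDs permitted on both member ports of one bridge."""
    return bridge["members"][port_a]["vlans"] & bridge["members"][port_b]["vlans"]

if __name__ == "__main__":
    br0 = audit(SAMPLE)["br0"]
    for port, info in br0["members"].items():
        print(port, len(info["vlans"]), "VLANs", "isolated" if info["isolated"] else "")
    print("eth0/eth1 share:", sorted(shared_vlans(br0, "eth0", "eth1")))
```

Feeding it saved `set` commands from a router instead of `SAMPLE` gives a quick review of which VLANs are admitted on each bridge member before the change is committed.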
Bug fixes and improvements
- The global IPsec settings script and the strongSwan service no longer have a race condition that caused commits to fail.
- The OpenConnect server will now correctly cause a commit failure if the process fails to start due to missing certificates or configuration errors.
- The op mode "ping x.x.x.x do-not-fragment" command works as expected now.
- DHCPD now runs with the correct process GID and will not have a problem re-creating the leases file.
- Fixed formatting issues in the op mode "show dns forwarding statistics" and "show vpn ipsec sa" commands.
- Users are now warned about a planned reboot on login.
- BGP large community improvements: new op mode "show ip bgp large-community AA:BB:CC exact-match" and "show ip bgp large-community-list" commands.
There is good news for contributors too: there's now a Python wrapper for executing operational mode commands and querying values from the running config outside of config sessions. So far it's just a wrapper, but at least there's an official interface for it that we can later re-target to the new configuration backend.