VyOS Platform Blog

VyOS 1.4.0-rc3 release candidate

Written by Daniil Baturin | January 22, 2024 7:11:13 AM Z

Hello, Community!

VyOS 1.4.0-rc3 image is now available for everyone to download and test. We are grateful to everyone who helped us test previously release candidate images. Thanks to your bug reports and pull requests, we fixed many bugs, including two that could cause the system to lock up at startup or shut down! We also did a lot of internal refactoring in January, but this image still has quite a few new features, including support for obtaining certificates from ACME providers (such as Let's Encrypt), IPv6 segment routing, IS-IS fast reroute, and more. We are also taking the last chance to make configuration syntax changes that will make the config look cleaner and make it easier to implement new features, so please pay attention to the config syntax and behavior changes section of this post. There's one feature from the rolling release time that we decided to remove due to its design flaws and the fact that it doesn't fit the scope of a router OS well — HTTPS virtual host configuration support.

If you are curious why this release is VyOS 1.4.0-rc3, here's the story: we uploaded an image named 1.4.0-rc2 and shared it with the community in Slack before announcing it officially in the blog, but when a few major bugs were discovered, we decided to postpone the wider release, but since reusing a version for a different image is a bad practice, we incremented the release candidate number.

New features

  • It's now possible to match firewall marks in NAT64 rules (a continuation of T160): set nat64 source rule 10 match mark 42.
  • New operational mode command to restart the IPv6 router advertisement daemon (T5866):  restart router-advert.
  • x509 authentication support for remote access IPsec VPN (T5870): set vpn ipsec remote-access connection Users authentication x509.
  • New DNS forwarding options (T5900): serve-stale-extension and exclude-throttle-address.
  • The PKI subsystem now supports obtaining certificates through ACME, e.g., from Let's Encrypt (T5886):
set pki ca STAGING-PEM certificate <PEM-encoded CA cert>
set pki certificate vyos acme domain-name 'vyos.my.domain.com'
set pki certificate vyos acme email 'vyos@vyos.net'
set pki certificate vyos acme url 'https://acme-staging-v02.api.letsencrypt.org/directory'

run renew certbot
  • IS-IS fast reroute configuration commands (T5530): set protocols isis fast-reroute lfa ....
  • Labeled unicast SAFI support (T5913):
set protocols bgp peer-group foo4 address-family ipv4-labeled-unicast maximum-prefix '20'
set protocols bgp peer-group foo6 address-family ipv6-labeled-unicast maximum-prefix '100'
  • Support for IPv6 segment routing (T591):
set protocols bgp sid vpn per-vrf export '99'
set protocols bgp srv6 locator 'foo'
set protocols bgp system-as '100'

set protocols segment-routing srv6 locator bar prefix '2001:b::/64'
set protocols segment-routing srv6 locator foo behavior-usid
set protocols segment-routing srv6 locator foo prefix '2001:a::/64'

Bug fixes

  • Deleting service snmp works correctly again (T5856).
  • If you delete and re-add a user account, home directory permissions are now restored correctly (T5875).
  • Fixed a service startup priority issue that could cause the system to get stuck during shutdown (T5897).
  • show dhcpv6 server leases no longer shows erroneous warning messages (T5159).
  • OpenVPN server can now be configured with IPv6 addresses only (T3214).
  • All journald logs are also stored in syslog now (T1487).
  • Fixed an error when calling run show interfaces wireless info on a system without wireless interfaces (T5857).
  • Reboot commands like reboot in <minutes> work as expected now (T5944).
  • Fixed the DHCP client exit hook for IPsec (T4856).
  • Fixed a boot error caused by incorrect NDP proxy config node priority (T5863).
  • Deleting a parent interface correctly deletes all underlying VLAN links with it (T4638).

Config syntax and behavior changes

  • The command to enable SNMP in LLDP is now set service lldp snmp rather than the unnecessarily wordy set service lldp snmp enable (T5855).
  • The command for setting the system search domain is now set system domain-search <domain>, not set system domain-search domain <domain1> (T5877).
  • The option to enable logging for all rules in a firewall is now just default-log, not enable-default-log (T5834).
  • EEE (Energy Efficient Ethernet) is now disabled by default since it makes no sense for routers (T5566).
  • Stricter validations in dynamic DNS client configuration.
  • IPsec DPD option hold is renamed to trap to match the StrongSWAN name for it (T4658).
  • Standardized client IP/IPv6 pool configuration syntax across all *PPP servies (T5688).

Removed features

  • The service https virtual-host command tree is removed due to design issues and the fact that it's out of scope for a router (T5902).

That's all for now, but stay tuned for updates!
View full post