VyOS project April 2023 update

Hello, Community!
We haven't posted development updates lately, but that's just because there were lots of things to do, not because development has slowed down. There have been lots of improvements. Let's summarize what happened in March.

VyOS 1.3 (Equuleus) improvements

A new 1.3.3 maintenance release is on the way, and here are some of the improvements we made there:

• New VyOS build flavor: AWS. AWS images come with the Amazon CloudWatch agent.
• Unaffected containers no longer get restarted upon config change.
• OpenVPN status displays the given tunnel's IP address.
• show interfaces detail displays packet counters just like show interfaces counters does.

The event handler is back

You may remember that the original implementation of the event handling service was removed from VyOS 1.3.0. The main reason was that it would leak memory, and since it was written in Perl, that bug was impossible to fix — Perl's garbage collector is just too primitive for that (it's stuck in the '60s with simple reference counting). It also wasn't a trendy feature so it didn't seem like a significant loss.

However, some people did request it and we made a new implementation in VyOS 1.4. Now we are pretty sure that it's stable enough and we backported it to VyOS 1.3, so an event handler is again available in an LTS release. Here's a configuration example:

set service event-handler event first filter pattern '.*ssh2.*'
set service event-handler event first script arguments '192.0.2.5'
set service event-handler event first script environment interface value 'eth0'
set service event-handler event first script path '/config/scripts/hello.sh'

Container improvements

Container config options for overriding ENTRYPOINT, CMD and ARG parameters and the container hostname

set container name  arguments 
set container name <tag> entrypoint <command>
set container name <tag> command <command>
set container name <tag> host-name  <command>

Config options for remote container registry authentication

set container registry <name> username <username>
set container registry <name> encrypted-password <password>
set container registry <name> plaintext-password <password>

VyOS 1.4 (Sagitta)

VyOS 1.4 is on the way to becoming the new LTS release. There is no set date for its freeze yet but we expect to do it within this year. We are incredibly proud that our rolling release is already almost  free of legacy code. The only remaining legacy components are vyatta-wanloadbalance and vyatta-cluster, not counting the configuration backend. Once the last legacy configuration script is gone, it will open up a path to replacing the configuration backend and finally adding long-awaited functionality like rollbacks without reboots, commit dry-run, and more.

Moreover, almost all operational mode commands are now in the new style and thus automatically exposed in the GraphQL API.

But let's get to the improvement we made lately:

• Support for the Babel routing protocol was added. See documentation for details on how to set it up.
• FRR version was upgraded to v8.5. See below for the new BGP options this update brings.
• The containerization module podman now uses the netavark network stack. Benefits include better IPv6 support, improved performance and improved support for containers attached to multiple networks. Although `netavark' doesn't natively support VRF, container networks can be assigned to VRF networks on VyOS.
• VyOS now uses chrony rather than the old NTPd for its NTP implementation, which allows for machine-readable NTP op mode output and more future improvements.

The number of rounds to hash the user's SHA-512 encrypted password can be manually specified.

set system login user <username> authentication encrypted-password $<id>$rounds=<rounds>$<salt>$<encrypted_password>

set system login user foobar authentication encrypted-password '$6$rounds=656000$ZlOvCt0TLG.wqkIK$7Ju0eDcN9e8N0IehVReatPQlEPk2yVttvXR1klkwRvd0564wazUqAUIJ2EIgmLZQPr90pTeZhSn5jS704cURu0'

IPoE server can be configured to set an order of address pools to fall back on with a next-pool parameter.

set service ipoe-server client-ip-pool name pool01 next-pool pool02
set service ipoe-server client-ip-pool name pool02 next-pool pool03

HTTPS API can be set to accept only certain clients by address

set service https virtual-host <name> allow-client address <address>

Custom port settings for DNS nameserver forwarders and forwarding zones

set service dns forwarding name-server <address> port <port>
set service dns forwarding domain <name> name-server <address> port <port>

PPPoE holdoff option to disconnect inactive clients

set interface pppoe <name> holdoff <seconds>

The uniform syntax for resetting VPN connections

reset vpn [l2tp|sstp|pptp] [all|interface <interface>|user <name>]
reset vpn ipsec remote-access [all|user <name>]
reset vpn ipsec site-to-site [all|peer <name> [tunnel <id>|vti]]
reset vpn ipsec profile <name> tunnel <id> [remote-host <address>]

Wildcard interface names in firewall rules

One reason to use zone-based firewall historically has been that assigning the same ruleset to multiple interfaces was impossible in the "normal" firewall. Well, no longer — now the new firewall interface syntax also supports wildcards.

set firewall interface eth3* in name <name>
set policy route r01 interface wlan*

Firewall, NAT, and routing policies can match packet types

set firewall name <name> rule <n> packet-type [host|multicast|broadcast|other]
set policy route <name> rule <n> packet-type [host|multicast|broadcast|other]
set nat [destination|source] rule <n> packet-type [host|multicast|broadcast|other]

Improved firewall logging options

set firewall [name|ipv6-name] <name> rule <n> log-options level [emerg|alert|crit|err|warn|notice|info|debug] 
set firewall [name|ipv6-name] <name> rule <n> log-options group <n>
set firewall [name|ipv6-name] <name> rule <n> log-options snapshot-length <n>
set firewall [name|ipv6-name] <name> rule <n> log-options queue-threshold <n>

New op mode commands to display next-hop information for BGP instances in VRFs

show bgp vrf martian next-hop
show bgp vrf bgp next-hop
show bgp vrf bgp next-hop <address>

New BGP configuration options

set protocols bgp parameters tcp-keepalive idle <n>
set protocols bgp parameters tcp-keepalive interval <n>
set protocols bgp parameters tcp-keepalive probes <n>

set protocols bgp peer-group <name> port <port>

set protocols bgp neighbor <name> path-attribute discard <n>

Plans

More improvements are underway, including patches to FRR to support paginated outputs and QPPB, not counting ongoing improvements in VyOS. However, that's not all — we are also planning new rewards for contributors, so stay tuned for updates!