VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Project August 2023 Update

VyOS Developer Erkin Batu Altunbas
Posted 10 Aug, 2023

Hello, Community!
Summer is supposed to be a quiet season, but VyOS maintainers and contributors still managed to get quite a lot of work done in July. There are many valuable features in the rolling release now, including the kernel-mode OpenVPN DCO offload support that can make tunnels multiple times faster, OSPF graceful restart parameters, mirror mode support for the DDoS protection services, and more.

VyOS 1.3 Equuleus

  • SSHGuard support for protection against brute-force attacks (T5354):
    set service ssh dynamic-protection
    set service ssh dynamic-protection allow-from <address>
    set service ssh dynamic-protection block-time <seconds>
    set service ssh dynamic-protection detect-time <seconds>
    set service ssh dynamic-protection threshold <n>

VyOS 1.4 Sagitta

  • VPP memory optimization improvements (PRs #2074, #2064)
  • OSPF support for external route summarization for Type-5 and Type-7 LSAs (T5334):
    set protocols ospf aggregation timer <seconds>
    set protocols ospf summary-address <subnet> [tag <n>]
    set protocols ospf summary-address <subnet> no-advertise
  • OSPF graceful restart functionality (T5377):
    set protocols [ospf|ospfv3] graceful-restart grace-period <n>
    set protocols [ospf|ospfv3] graceful-restart helper supported-grace-time <n>
    set protocols [ospf|ospfv3] graceful-restart helper planned-only
    set protocols [ospf|ospfv3] graceful-restart helper no-strict-lsa-checking
    set protocols [ospf|ospfv3] graceful-restart helper enable router-id <address>
    show [ip ospf|ipv6 ospfv3] graceful-restart helper
  • OSPF opaque LSA option (T5377): set protocols ospf capability opaque
  • GENEVE option to use IPv4 instead of Ethernet as the inner protocol (T5339):
    set interfaces geneve <name> parameters ip innerproto
    set interfaces geneve <name> remote <address>
    set interfaces geneve <name> vni <id>
  • Support for MPLS BGP forwarding (T5338): set protocols bgp interface <name> mpls forwarding
  • Support for OpenVPN direct channel offload mode (T4974): set interfaces openvpn <name> offload dco
  • sFlow DDoS protection mode, less resource intensive than mirror mode (T5368):
    set service ids ddos-protection mode sflow
    set service ids ddos-protection sflow listen-address <address>
    set service ids ddos-protection sflow port <port>
  • DHCPv6 no-release option to prevent release of allocated address or prefix on client exit (T5387): set interfaces <interface> <name> dhcp6-options no-release
  • DHCP relay can be disabled without deleting configuration (T5059): set service [dhcp-relay|dhcp6-relay] disable
  • Source VRF support for web proxy blacklist updates (T5406): update webproxy blacklists vrf <name>
  • Destination NAT option to redirect connection to localhost (T4889): set nat destination rule <id> translation redirect port <port>
  • Commands to display Ethernet VPN access VLAN information and VLAN tunnel mapping information (T3700):
    show evpn access-vlan [detail]
    show evpn access-vlan <id>
    show bridge vlan tunnel
  • Commands to display bridge interface nexthop group and detailed interface information (T4659):
    show bridge <name> detail
    show bridge <name> nexthop-group
  • Monitoring commands for web VRRP and VPP logs, as well as interface-specific OpenVPN logs and specific web proxy logs (T5411):
    monitor log [openvpn|vpp|vrrp|webproxy]
    monitor log openvpn interface <name>
    monitor log webproxy [access-log|cache-log]
  • Command to display the last n log entries (T3201): show log <n>
  • Commands to export certificates in PEM format (T5275):
    show pki [ca|certificate|crl] <name> pem
  • CLI support for Swedish keyboard layout (T5336).
  • The ping command now supports -4 and -6 parameters to force IPv4 or IPv6 (T4497)
  • Home directories are kept after user accounts are deleted, to preserve the data (T5363).
  • Container network names are no longer mangled after they are configured with VRF (T5398).
  • Fixed bug where LLDP daemon continued running even after disabling (T5373).

VyOS 1.2.x repositories retirement

Last but not least, the EOL of VyOS 1.2.x allowed us to retire many source code repositories from the Vyatta time that are no longer needed because their code was completely rewritten and incorporated in the vyos-1x package. That recent clean-up allowed us to make the list of repositories in our GitHub organization three pages shorter. If you didn't know, such unused packages are moved to the vyos-legacy organization so that they are still accessible but not in the way.

That's all for now, but there's more work underway, so stay tuned for updates!
