VyOS Platform Blog

VyOS Project February 2024 Update

Written by Erkin Batu Altunbas | February 8, 2024 7:21:23 AM Z

Hello, community!
Curious what we've been up to in January? Our main focus is the final stabilization of the 1.4.0/Sagitta branch, and we will soon make the first EPA (Early Production Access) release — after that point, config syntax and behavior will not change in the 1.4 LTS release lifetime, and all radical changes will go to the upcoming 1.5/Circinus branch. Quite a lot of things are happening in the development branch, and many of those improvements are also backported to 1.4, including support for Let's Encrypt (or any other ACME provider) in PKI, multiple BGP improvements, and an option to disable Spectre/Meltdown mitigations from the CLI.

New configuration options

  • Support for Let's Encrypt's ACME protocol (T5886):

      set pki ca <name> certificate <base64>
      set pki certificate <name> acme domain-name <fqdn>
      set pki certificate <name> acme email <email-address>
      set pki certificate <name> acme url <directory-url>
  • IPsec remote access VPN module now supports x509 (pubkey) authentication (T5870):

      set vpn ipsec remote-access connection <connection> authentication client-mode x509
      set vpn ipsec remote-access connection <connection> authentication server-mode x509
      set vpn ipsec remote-access connection <connection> authentication x509 certificate <certificate>
      set vpn ipsec remote-access connection <connection> authentication x509 ca-certificate <certificate>
  • DNS server options for exempting networks from throttling and extending an expired record's TTL (Serve Stale) by multiples of 30 seconds (T5900):

      set service dns forwarding exclude-throttle-address <address-or-prefix>
      set service dns forwarding serve-stale-extension <n>
  • VPN nexthop neighbor and SRv6 SID value can be set per address family (T591):

      set protocols bgp address-family [ipv4-unicast|ipv6-unicast] nexthop vpn export <address>
      set protocols bgp address-family [ipv4-unicast|ipv6-unicast] sid vpn export [auto|<1-1048575>]
  • Labeled unicast SAFI can be set per peer group (T5913):

      set protocols bgp peer-group <name> [ipv4-labeled-unicast|ipv6-labeled-unicast]
  • The minimum TTL value can be set for multihop BFD connections (T5967):

      set protocols bfd peer <address> minimum-ttl <1-254>
  • DHCP relay agent can be set to listen on a specific interface in addition to a specific address (T3316):

      set service dhcp-server listen-interface <interface>
  • Subnets can be assigned unique numeric IDs to make sure leases are mapped to specific subnets in the lease file (T3316):

      set service <dhcp-server|dhcpv6-server> shared-network-name <name> subnet <subnet> subnet-id <n>
  • Leap second behavior can be configured for the NTP service (see leapsecmode in chrony.conf(5)) (T5692):

      set service ntp leap-second [ignore|smear|system|timezone]
  • VRF support for sFlow (T5968):

      set system sflow vrf <name>
  • Certain kernel parameters can be directly set through the CLI. The most important is the option to disable mitigations for speculative execution CPU bugs such as Spectre and Meltdown that incur a significant performance penalty but aren't very relevant for network devices that never execute untrusted code during normal operation (T5979):

      set system kernel disable-mitigations
  • It is now possible to map entire networks for carrier-grade NAT (T5169):

      set nat source rule 10 protocol 'tcp_udp'
      set nat source rule 10 source address <subnet>
      set nat source rule 10 translation address <subnet>
      set nat source rule 10 translation port <port-range>
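
The kernel-mitigation knob above is worth verifying after a commit and reboot, since the kernel itself reports the resulting state. As an added example (not from the VyOS post or project), this POSIX shell function reads the per-issue sysfs entries, which on a live system sit under /sys/devices/system/cpu/vulnerabilities; the directory is passed as a parameter so the function can be exercised on constructed sample files, and the sample values are illustrative rather than captured from a real box.

```shell
#!/bin/sh
# Added example, not VyOS project code: audit what the kernel reports for
# speculative-execution issues, e.g. after committing
# "set system kernel disable-mitigations" and rebooting.
# On a live system pass /sys/devices/system/cpu/vulnerabilities.

# Print one line per sysfs entry and return the number of entries the
# kernel reports as "Vulnerable" (0 = everything mitigated or not affected).
audit_cpu_mitigations() {
    dir="$1"
    unmitigated=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        state=$(cat "$f")
        case "$state" in
            Vulnerable*) unmitigated=$((unmitigated + 1)); flag="!!" ;;
            *)           flag="ok" ;;
        esac
        printf '%s %-18s %s\n' "$flag" "$name" "$state"
    done
    return "$unmitigated"
}

# Constructed sample directory (values are illustrative, not captured from a
# real box) that mimics a kernel booted with mitigations switched off.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n'                    > "$d/spectre_v1"
    printf 'Vulnerable, IBPB: disabled\n'    > "$d/spectre_v2"
    printf 'Vulnerable\n'                    > "$d/meltdown"
    printf 'Not affected\n'                  > "$d/l1tf"
    printf 'Mitigation: Clear CPU buffers\n' > "$d/mds"
    echo "$d"
}

# Constructed sample for the default (mitigated) state.
make_mitigated_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: usercopy/swapgs barriers\n' > "$d/spectre_v1"
    printf 'Mitigation: Retpolines\n'               > "$d/spectre_v2"
    printf 'Mitigation: PTI\n'                      > "$d/meltdown"
    echo "$d"
}

# Stand-alone demo on the constructed sample; on a VyOS box run instead:
#   audit_cpu_mitigations /sys/devices/system/cpu/vulnerabilities
demo=$(make_sample_dir)
audit_cpu_mitigations "$demo" || echo "$? entries reported Vulnerable"
rm -rf "$demo"
```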

New operational mode commands

  • The command to display discrete IPv6 routes and prefixes now works with discrete VRFs as well (T5904):

      show ipv6 route vrf <name> <address-or-prefix>
      show ipv6 route vrf <name> <address-or-prefix> longer-prefixes
  • CertBot operations can now be logged and monitored (T5886):

      show log certbot
      monitor log certbot
  • CertBot renewal can be manually invoked (T5886):

      renew certbot
  • Command to list multicast group membership (T5969):

      show <ip|ipv6> multicast group interface <interface>
  • The command to display the firewall zone policy is available again (T5915):

      show firewall zone-policy
      show firewall zone-policy <zone>
  • Lookup commands to find IP prefixes and ASNs in the prefix table (T6003):

      show rpki as-number <asn>
      show rpki prefix <prefix>
      show rpki prefix <prefix> as-number <asn>

Other changes

  • shaper-hfsc QoS policies work as expected again (T5958).

  • Support for virtual hosts was removed from the webserver module (T5902).

  • The IPsec daemon can be configured to bind to dynamic interfaces (such as PPPoE), but this will only take effect after the interface becomes available (T5918).

  • The default serial console transmission speed for ttyS0 is now set to 115200 (unlike the old GRUB default of 9600) (T5910). This value can still be overridden as follows:

      set service console-server device <name> speed <bps>