VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Project January 2024 Update

VyOS Developer Erkin Batu Altunbas
Posted 11 Jan, 2024

Hello, Community!

The new monthly development update is here. Quite a few of these changes were already mentioned in the 1.4.0-rc1 release candidate post, but several are exclusive to the rolling release, at least until they are well tested. Among them are a migration of the DHCP server from ISC DHCPD to Kea, a new NAT64 implementation based on Jool, and configuration rollback without a reboot. Read on for details!

New configuration options

  • NAT64 translator based on Jool (T160):

      set nat64 source rule <rule> source prefix <prefix>
      set nat64 source rule <rule> match mark <fwmark>
      set nat64 source rule <rule> translation pool <pool> address <address>
      set nat64 source rule <rule> translation pool <pool> port <port-range>
  • NDP proxy service (T2898):

      set service ndp-proxy interface <interface> prefix <prefix> mode [auto|interface|static]
      set service ndp-proxy interface <interface> timeout <n>
      set service ndp-proxy interface <interface> ttl <n>
      set service ndp-proxy interface <interface> enable-router-bit
  • IPv6 segment routing (SRv6) support (T591):

      set protocols segment-routing srv6 locator <locator> prefix <prefix>
      set protocols segment-routing srv6 locator <locator> behavior-usid
      set protocols segment-routing srv6 locator <locator> hmac [accept|drop|ignore]
      set protocols segment-routing srv6 locator <locator> block-len <n>
      set protocols segment-routing srv6 locator <locator> node-len <n>
      set protocols segment-routing srv6 locator <locator> func-bits <n>
      set protocols bgp sid vpn per-vrf export <n>
      set protocols bgp srv6 locator <locator>
  • BGP Monitoring Protocol (BMP) support (T4163). Note that BMP (RFC 7854) is a plain TCP session that the router opens towards the collector, with no authentication or encryption of its own, so the target address should be reachable only over a trusted management network:

      # Enable BMP module
      set system frr bmp
      commit
      run restart bgp
      # Configuration
      set protocols bgp bmp mirror-buffer-limit <n>
      set protocols bgp bmp target <target> address <address>
      set protocols bgp bmp target <target> port <port>
      set protocols bgp bmp target <target> min-retry <n>
      set protocols bgp bmp target <target> max-retry <n>
      set protocols bgp bmp target <target> mirror
      set protocols bgp bmp target <target> monitor ipv4-unicast post-policy
      set protocols bgp bmp target <target> monitor ipv4-unicast pre-policy
      set protocols bgp bmp target <target> monitor ipv6-unicast post-policy
      set protocols bgp bmp target <target> monitor ipv6-unicast pre-policy
  • BGP MED metric can now be set to the round trip time (RTT) of the BGP session to the peer. The RTT can also be added to or subtracted from the existing MED value (T4704):

      set policy route-map <name> rule <rule> set metric [rtt|+rtt|-rtt]
  • Firewall flowtable offload functionality (T4502):

      set firewall flowtable <table> offload software
      set system conntrack flow-accounting
      set firewall [ipv4|ipv6] name <name> rule <rule> action offload
      set firewall [ipv4|ipv6] name <name> rule <rule> offload-target <table>
  • Load balancing reverse proxy service now supports setting multiple SSL certificates. One can simply set more than one certificate in the same configuration node (T5798):

      set load-balancing reverse-proxy service web ssl certificate <certificate>
  • It is now possible to set the maximum number of file descriptors each FRR daemon is allowed to use (1024 by default) (T4020):

      set system frr descriptors <n>
  • The OpenConnect server can now send a default set of HTTP security headers in its responses (T5796). They are enabled with this command:

      set vpn openconnect http-security-headers
  • DHCP server timezone setting, based on RFC 4833 options 100 and 101 (T3316):

      set service dhcp-server shared-network-name <name> subnet <subnet> time-zone <timezone>
  • DHCP server captive portal API setting, based on RFC 8910 option 114 (T3316):

      set service dhcp-server shared-network-name <name> subnet <subnet> captive-portal <api-endpoint>
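The two DHCP options above are plain string TLVs on the wire, so the easiest way to confirm that a Kea lease really carries the configured time zone and captive portal URI is to decode the options field from a packet capture. The following is an added example, not VyOS or Kea code: it builds and parses DHCPv4 options 100 and 101 (RFC 4833) and 114 (RFC 8910), with bounds checks on the TLV walk, RFC 3396 concatenation of repeated codes, and a client-side refusal of any captive portal URI that is not https (that refusal is this example's own policy, since the captive portal API of RFC 8908 is served over HTTPS). The sample option values are constructed, not taken from a real capture.

```python
# Added example (not VyOS or Kea code): build and parse the DHCPv4 options the
# updated server can emit: RFC 4833 options 100/101 (time zone) and
# RFC 8910 option 114 (captive portal API URI).
from typing import Optional

OPT_PAD = 0
OPT_TZ_POSIX = 100        # RFC 4833: POSIX TZ string, e.g. "CET-1CEST,M3.5.0,M10.5.0/3"
OPT_TZ_NAME = 101         # RFC 4833: tz database name, e.g. "Europe/Berlin"
OPT_CAPTIVE_PORTAL = 114  # RFC 8910: captive portal API URI
OPT_END = 255


def encode_option(code: int, payload: bytes) -> bytes:
    """Encode one option as code, length, value (RFC 2132 TLV)."""
    if not 1 <= code <= 254:
        raise ValueError(f"option code {code} is reserved (0 = pad, 255 = end)")
    if len(payload) > 255:
        # One option carries at most 255 bytes; longer values need RFC 3396
        # splitting, which this example deliberately does not emit.
        raise ValueError(f"option {code} payload too long ({len(payload)} bytes)")
    return bytes([code, len(payload)]) + payload


def build_options(tz_posix: Optional[str] = None, tz_name: Optional[str] = None,
                  captive_portal: Optional[str] = None) -> bytes:
    """Build an options field with the requested options and a terminating END."""
    out = bytearray()
    if tz_posix is not None:
        out += encode_option(OPT_TZ_POSIX, tz_posix.encode("ascii"))
    if tz_name is not None:
        out += encode_option(OPT_TZ_NAME, tz_name.encode("ascii"))
    if captive_portal is not None:
        out += encode_option(OPT_CAPTIVE_PORTAL, captive_portal.encode("utf-8"))
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob: bytes) -> dict:
    """Walk the TLV list with bounds checks; concatenate repeated codes per RFC 3396."""
    opts: dict = {}
    i = 0
    while True:
        if i >= len(blob):
            raise ValueError("options field ends without an END option")
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"truncated header for option {code}")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(payload)} present")
        opts[code] = opts.get(code, b"") + payload
        i += 2 + length
    return opts


def time_zone(opts: dict) -> tuple:
    """Return (posix_tz, tz_name); either is None if the server omitted it."""
    posix = opts.get(OPT_TZ_POSIX)
    name = opts.get(OPT_TZ_NAME)
    return (posix.decode("ascii") if posix is not None else None,
            name.decode("ascii") if name is not None else None)


def captive_portal_uri(opts: dict) -> Optional[str]:
    """Return the captive portal API URI, refusing anything that is not https."""
    raw = opts.get(OPT_CAPTIVE_PORTAL)
    if raw is None:
        return None
    uri = raw.decode("utf-8")
    # The captive portal API (RFC 8908) is served over HTTPS. A client that
    # followed an http:// URI handed out by a rogue DHCP server would give its
    # portal session to whoever answers, so this example refuses other schemes.
    if not uri.lower().startswith("https://"):
        raise ValueError(f"refusing non-https captive portal URI: {uri!r}")
    return uri


if __name__ == "__main__":
    # Constructed sample values, not a real capture.
    blob = build_options(tz_posix="CET-1CEST,M3.5.0,M10.5.0/3",
                         tz_name="Europe/Berlin",
                         captive_portal="https://portal.example.net/api")
    print(blob.hex())
    parsed = parse_options(blob)
    print(time_zone(parsed), captive_portal_uri(parsed))
```

To check a live server, feed the options field of a captured DHCPOFFER or DHCPACK into parse_options; a lease that lacks code 100/101 or 114 means the subnet-level setting did not reach the Kea configuration.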

New commands

  • The long-awaited ability to roll back the configuration without a reboot is finally here (T5249). As with the existing rollback command, the argument is the revision number of the commit to return to:

      # rollback-soft 1

    Please test it on your lab routers and in staging environments and let us know if it works well for you!

  • IPv6 RA daemon can be forced to restart (T5866):

      restart router-advert
  • Command to display DHCP leases based on server origin (T5778):

      show dhcp server leases origin <local|remote>

Other changes

  • VyOS DHCP service has migrated from using ISC DHCP Server in its backend to ISC Kea. Read more about it in the pull request and in the task T3316.

  • Dynamic DNS configuration syntax has changed for internal consistency. The existing configuration will be automatically migrated with the update. See the pull request and the task T5791.

  • The syntax for pool configuration for all Accel-PPP based VPN services has been standardized. See the pull request and the task T5688.

  • The HTTPS API server can be started without API keys, using only JWT and PAM authentication (T5844).

That's all for now, but stay tuned for updates. The next 1.4.0 pre-release image is around the corner, and we have other exciting news to share as well!
