Hello, Community!
The new monthly development update is here. Quite a few of these changes were already mentioned in the 1.4.0-rc1 release candidate post, but quite a few are exclusive to the rolling release — at least for now until they are well-tested. Among them is a migration of the DHCP server from ISC DHCPD to Kea, a new NAT64 implementation based on Jool, and configuration rollback without reboot — read on for details!
NAT64 translator based on Jool (T160):
set nat64 source rule <rule> source prefix <prefix> set nat64 source rule <rule> match mark <fwmark> set nat64 source rule <rule> translation pool <pool> address <address> set nat64 source rule <rule> translation pool <pool> port <port-range>
NDP proxy service (T2898):
set service ndp-proxy interface <interface> prefix <prefix> mode [auto|interface|static] set service ndp-proxy interface <interface> timeout <n> set service ndp-proxy interface <interface> ttl <n> set service ndp-proxy interface <interface> enable-router-bit
IPv6 segment routing (SRv6) support (T591):
set protocols segment-routing srv6 locator <locator> prefix <prefix> set protocols segment-routing srv6 locator <locator> behavior-usid set protocols segment-routing srv6 locator <locator> hmac [accept|drop|ignore] set protocols segment-routing srv6 locator <locator> block-len <n> set protocols segment-routing srv6 locator <locator> node-len <n> set protocols segment-routing srv6 locator <locator> func-bits <n> set protocols bgp sid vpn per-vrf export <n> set protocols bgp srv6 locator <locator>
BGP monitoring (BMP) support (T4163):
# Enable BMP module set system frr bmp commit run restart bgp # Configuration set protocols bgp bmp mirror-buffer-limit <n> set protocols bgp bmp target <target> address <address> set protocols bgp bmp target <target> port <port> set protocols bgp bmp target <target> min-retry <n> set protocols bgp bmp target <target> max-retry <n> set protocols bgp bmp target <target> mirror set protocols bgp bmp target <target> monitor ipv4-unicast post-policy set protocols bgp bmp target <target> monitor ipv4-unicast pre-policy set protocols bgp bmp target <target> monitor ipv6-unicast post-policy set protocols bgp bmp target <target> monitor ipv6-unicast pre-policy
BGP MED metric can be set to or the round trip time interval. The round trip time can also be added to/subtracted from the existing MED value (T4704):
set policy route-map <name> rule <rule> set metric [rtt|+rtt|-rtt]
Firewall flowtable offload functionality (T4502):
set firewall flowtable <table> offload software set system conntrack flow-accounting set firewall [ipv4|ipv6] name <name> rule <rule> action offload set firewall [ipv4|ipv6] name <name> rule <rule> offload-target <table>
Load balancing reverse proxy service now supports setting multiple SSL certificates. One can simply set more than one certificate in the same configuration node (T5798):
set load-balancing reverse-proxy service web ssl certificate <certificate>
It is now possible to set the maximum number of file descriptors each FRR daemon is allowed to use (1024 by default) (T4020):
set system frr descriptors <n>
OpenConnect configuration now comes with the default HTTP security headers (T5796). They can be enabled with this command:
set vpn openconnect http-security-headers
DHCP server timezone setting, based on RFC 4833 options 100 and 101 (T3316):
set service dhcp-server shared-network-name <name> subnet <subnet> time-zone <timezone>
DHCP server captive portal API setting (T3316):
set service dhcp-server shared-network-name <name> subnet <subnet> captive-portal <api-endpoint>
The long-awaited ability to rollback configuration without having to reboot is finally here (T5249). You can do it with this new command:
# rollback-soft 1
Please test it on your lab routers and in staging environments and let us know if it works well for you!
IPv6 RA daemon can be forced to restart (T5866):
restart router-advert
Command to display DHCP leases based on server origin (T5778):
show dhcp server leases origin <local|remote>
VyOS DHCP service has migrated from using ISC DHCP Server in its backend to ISC Kea. Read more about it in the pull request and in the task T3316.
Dynamic DNS configuration syntax has changed for internal consistency. The existing configuration will be automatically migrated with the update. See the pull request and the task T5791.
The syntax for pool configuration for all Accel-PPP based VPN services has been standardized. See the pull request and the task T5688.
The HTTPS API server can be started without API keys, using only JWT and PAM authentication (T5844).
That's all for now, but stay tuned for updates — the next 1.4.0 pre-release image is around the corner, and we haveother exciting news to share as well!