VyOS Platform Blog

VyOS Project January 2024 Update

Written by Erkin Batu Altunbas | January 11, 2024 9:26:57 PM Z

Hello, Community!

The new monthly development update is here. Some of these changes were already mentioned in the 1.4.0-rc1 release candidate post, but quite a few are exclusive to the rolling release for now, at least until they are well-tested. Among them are a migration of the DHCP server from ISC DHCPD to Kea, a new NAT64 implementation based on Jool, and configuration rollback without reboot. Read on for details!

New configuration options

  • NAT64 translator based on Jool (T160):

      set nat64 source rule <rule> source prefix <prefix>
      set nat64 source rule <rule> match mark <fwmark>
      set nat64 source rule <rule> translation pool <pool> address <address>
      set nat64 source rule <rule> translation pool <pool> port <port-range>
  • NDP proxy service (T2898):

      set service ndp-proxy interface <interface> prefix <prefix> mode [auto|interface|static]
      set service ndp-proxy interface <interface> timeout <n>
      set service ndp-proxy interface <interface> ttl <n>
      set service ndp-proxy interface <interface> enable-router-bit
  • IPv6 segment routing (SRv6) support (T591):

      set protocols segment-routing srv6 locator <locator> prefix <prefix>
      set protocols segment-routing srv6 locator <locator> behavior-usid
      set protocols segment-routing srv6 locator <locator> hmac [accept|drop|ignore]
      set protocols segment-routing srv6 locator <locator> block-len <n>
      set protocols segment-routing srv6 locator <locator> node-len <n>
      set protocols segment-routing srv6 locator <locator> func-bits <n>
      set protocols bgp sid vpn per-vrf export <n>
      set protocols bgp srv6 locator <locator>
  • BGP monitoring (BMP) support (T4163):

      # Enable BMP module
      set system frr bmp
      commit
      run restart bgp
      # Configuration
      set protocols bgp bmp mirror-buffer-limit <n>
      set protocols bgp bmp target <target> address <address>
      set protocols bgp bmp target <target> port <port>
      set protocols bgp bmp target <target> min-retry <n>
      set protocols bgp bmp target <target> max-retry <n>
      set protocols bgp bmp target <target> mirror
      set protocols bgp bmp target <target> monitor ipv4-unicast post-policy
      set protocols bgp bmp target <target> monitor ipv4-unicast pre-policy
      set protocols bgp bmp target <target> monitor ipv6-unicast post-policy
      set protocols bgp bmp target <target> monitor ipv6-unicast pre-policy
  • BGP MED metric can be set to the round trip time. The round trip time can also be added to or subtracted from the existing MED value (T4704):

      set policy route-map <name> rule <rule> set metric [rtt|+rtt|-rtt]
  • Firewall flowtable offload functionality (T4502). Note that once a connection has been offloaded to a flowtable, its subsequent packets bypass the rest of the ruleset, so the offload rule should only match traffic that has already been accepted (for example, established connections):

      set firewall flowtable <table> offload software
      set system conntrack flow-accounting
      set firewall [ipv4|ipv6] name <name> rule <rule> action offload
      set firewall [ipv4|ipv6] name <name> rule <rule> offload-target <table>
  • Load balancing reverse proxy service now supports multiple SSL certificates: set the ssl certificate node once per certificate (T5798):

      set load-balancing reverse-proxy service web ssl certificate <certificate>
  • It is now possible to set the maximum number of file descriptors each FRR daemon is allowed to use (1024 by default) (T4020):

      set system frr descriptors <n>
  • OpenConnect can now send a default set of HTTP security headers (T5796). They are enabled with this command:

      set vpn openconnect http-security-headers
  • DHCP server timezone setting, based on RFC 4833 options 100 and 101 (T3316):

      set service dhcp-server shared-network-name <name> subnet <subnet> time-zone <timezone>
  • DHCP server captive portal API setting (T3316):

      set service dhcp-server shared-network-name <name> subnet <subnet> captive-portal <api-endpoint>
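The NAT64 "source prefix" above is the Pref64::/n that the translator uses to synthesise IPv6 addresses for IPv4 hosts, following RFC 6052. As an added illustration of that mapping (this is stand-alone example code, not VyOS or Jool code, and the helper names are assumptions made for the example), the following computes the embedded address for each prefix length RFC 6052 defines, recovers the IPv4 address again, rejects undefined prefix lengths, and flags the RFC 6052 section 3.1 rule that the well-known prefix must not carry non-global IPv4 addresses:

```python
"""RFC 6052 IPv4-embedded IPv6 address mapping, as used by a stateful NAT64
translator. Added example, not VyOS or Jool code; function names are assumptions."""
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# RFC 6052 section 2.2 defines only these prefix lengths.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def validate_pref64(prefix: str) -> ipaddress.IPv6Network:
    """Return the prefix as a network, rejecting lengths RFC 6052 does not define."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"Pref64 length must be one of {VALID_PREFIX_LENGTHS}, got /{net.prefixlen}")
    return net


def is_valid_pref64(prefix: str) -> bool:
    try:
        validate_pref64(prefix)
        return True
    except ValueError:
        return False


def embed(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in Pref64::/n (RFC 6052 section 2.2).

    For /96 the IPv4 address is simply the low 32 bits. For shorter prefixes
    the IPv4 bits are split around the 'u' octet (bits 64-71), which stays
    zero; whatever is left after the address is a zero suffix.
    """
    net = validate_pref64(prefix)
    v4bits = int(ipaddress.IPv4Address(v4))
    base = int(net.network_address)
    plen = net.prefixlen
    if plen == 96:
        return ipaddress.IPv6Address(base | v4bits)
    first_len = 64 - plen                          # IPv4 bits that fit before the u octet
    hi = v4bits >> (32 - first_len)                # goes directly below the prefix
    lo = v4bits & ((1 << (32 - first_len)) - 1)    # goes directly after the u octet
    return ipaddress.IPv6Address(base | (hi << 64) | (lo << (24 + first_len)))


def extract(prefix: str, v6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address from an IPv4-embedded IPv6 address."""
    net = validate_pref64(prefix)
    addr6 = ipaddress.IPv6Address(v6)
    if addr6 not in net:
        raise ValueError(f"{addr6} is not inside {net}")
    value = int(addr6)
    plen = net.prefixlen
    if plen == 96:
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    if (value >> 56) & 0xFF:                       # bits 64-71 from the top
        raise ValueError("u octet (bits 64-71) must be zero")
    first_len = 64 - plen
    hi = (value >> 64) & ((1 << first_len) - 1)
    lo = (value >> (24 + first_len)) & ((1 << (32 - first_len)) - 1)
    return ipaddress.IPv4Address((hi << (32 - first_len)) | lo)


def roundtrip(prefix: str, v4: str) -> str:
    """Embed and extract again; returns the original IPv4 address as a string."""
    return str(extract(prefix, str(embed(prefix, v4))))


def wkp_violation(prefix: str, v4: str) -> bool:
    """RFC 6052 section 3.1: the well-known prefix must not represent non-global
    IPv4 addresses (RFC 1918 and similar). Python's is_global follows the IANA
    special-purpose registry, so documentation ranges like 192.0.2.0/24 count
    as non-global as well."""
    return validate_pref64(prefix) == WELL_KNOWN_PREFIX and not ipaddress.IPv4Address(v4).is_global


if __name__ == "__main__":
    # Constructed inputs: the prefixes and host from the RFC 6052 section 2.4 table.
    host = "192.0.2.33"
    for pfx in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
                "2001:db8:122:300::/56", "2001:db8:122:344::/64",
                "2001:db8:122:344::/96", "64:ff9b::/96"):
        print(f"{pfx:24} -> {embed(pfx, host)}  (back to {roundtrip(pfx, host)})")
    print("WKP with 10.1.2.3 violates RFC 6052 3.1:", wkp_violation("64:ff9b::/96", "10.1.2.3"))
```

Most deployments use the well-known prefix 64:ff9b::/96, which is why the /96 case is the one to try first; if IPv6-only clients must reach RFC 1918 address space through the translator, a network-specific prefix from your own allocation is the RFC 6052-conformant choice.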

New commands

  • The long-awaited ability to roll back the configuration without having to reboot is finally here (T5249). You can do it with this new command:

      # rollback-soft 1

    Please test it on your lab routers and in staging environments and let us know if it works well for you!

  • IPv6 RA daemon can be forced to restart (T5866):

      restart router-advert
  • Command to display DHCP leases based on server origin (T5778):

      show dhcp server leases origin <local|remote>

Other changes

  • VyOS DHCP service has migrated from using ISC DHCP Server in its backend to ISC Kea. Read more about it in the pull request and in the task T3316.

  • Dynamic DNS configuration syntax has changed for internal consistency. The existing configuration will be automatically migrated with the update. See the pull request and the task T5791.

  • The syntax for pool configuration for all Accel-PPP based VPN services has been standardized. See the pull request and the task T5688.

  • The HTTPS API server can be started without API keys, using only JWT and PAM authentication (T5844).

That's all for now, but stay tuned for updates: the next 1.4.0 pre-release image is around the corner, and we have other exciting news to share as well!