VyOS Project January 2025 Update
Hello, Community!
January is usually a quiet month, but there's quite a lot of important work that VyOS maintainers and community contributors have done already. Among them is migration of NHRP to FRR from the barely-maintained OpenNHRP; FQDN peer address support for WireGuard, unified sFlow, and quite a few bug fixes — read on for details!
Configuration syntax changes
Unified sFlow (T6895)
For historical reasons, for quite some time VyOS had two different ways to configure sFlow: uacctd-based set system flow-accounting sflow and hsflow-based set system sflow.
Now uacctd is only used for set system flow-accounting netflow, and the only place to configure sFlow is set system sflow. Old configs are automatically migrated, so you shouldn't need to worry about it. But let us know if you notice any anomalies!
DMVPN now uses FRR's nhrpd rather than OpenNHRP (T2326)
Our first DMVPN implementation was based on the OpenNHRP project. That project is, sadly, not very actively maintained, so we were looking for an alternative. Then FreeRangeRouting added an NHRP daemon, so we started thinking of moving to it... but before we could do that, we had to identify and fix some issues, and then rework our configuration scripts.
But now there's one dependency less in our image, FRR's NHRP is better, and we hope that it will help everyone have more robust DMVPN setups!
We also adjusted the configuration syntax to match FRR's model. In particular, the cisco-authentication option is just authentication now. There are other changes — all automatically migrated.
vyos@vyos# set protocols nhrp tunnel tun100
Possible completions:
authentication NHRP authentication
holdtime Holding time in seconds
> map Map tunnel IP to NBMA
mtu Maximum Transmission Unit (MTU)
+ multicast Map multicast to NBMA
network-id NHRP network id
> nhs Map tunnel IP to NBMA of Next Hop Server
redirect Enable sending of Cisco style NHRP Traffic Indication packets
registration-no-unique
Zone to be local-zone
shortcut Enable creation of shortcut routes. A received NHRP Traffic
Indication will trigger the resolution and establishment of a
shortcut route
New features and improvements
Network event logging (T6641)
There are two new operational mode commands that will show you the history of network interface events such as up/down transitions, address changes, and neighbor table changes: run show log network-event and run show interfaces <type> <name> event-log. Both allow filtering by event type as well (check out their tab completion).
It looks like a simple change, but behind it is a new daemon that listens to NETLINK events and logs them, which we may release as a standalone project later.
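As an added illustration of what such a listener does (example code written for this post, not the VyOS daemon), here is the core of one in Python: it parses RTM_NEWLINK/RTM_DELLINK messages from an rtnetlink socket into loggable up/down/deleted events, with length checks so a truncated or malformed datagram stops parsing instead of being misread. The constants come from the Linux kernel headers; build_link_msg exists only to construct offline sample input, and listen() is the Linux-only live hookup.

```python
import socket, struct
# rtnetlink constants from <linux/rtnetlink.h>, <linux/if_link.h>, <net/if.h>
RTM_NEWLINK, RTM_DELLINK, RTMGRP_LINK, IFLA_IFNAME = 16, 17, 1, 3
IFF_UP, IFF_RUNNING = 0x1, 0x40
NLMSG_HDR = struct.Struct("=IHHII")   # nlmsghdr: len, type, flags, seq, pid
IFINFOMSG = struct.Struct("=BBHiII")  # ifinfomsg: family, pad, type, index, flags, change
RTATTR = struct.Struct("=HH")         # rtattr: len, type
align4 = lambda n: (n + 3) & ~3       # netlink pads headers and attributes to 4 bytes

def parse_attrs(buf):
    """Walk the rtattr TLV list that follows ifinfomsg, returning {type: payload}."""
    attrs, off = {}, 0
    while off + RTATTR.size <= len(buf):
        alen, atype = RTATTR.unpack_from(buf, off)
        if alen < RTATTR.size or off + alen > len(buf): break  # malformed: stop, do not misread
        attrs[atype] = buf[off + RTATTR.size:off + alen]
        off += align4(alen)
    return attrs

def link_events(data):
    """Yield (ifname, state, carrier) for each link message in one netlink datagram."""
    off = 0
    while off + NLMSG_HDR.size <= len(data):
        nlen, ntype, _fl, _seq, _pid = NLMSG_HDR.unpack_from(data, off)
        if nlen < NLMSG_HDR.size or off + nlen > len(data): break  # length does not fit: drop rest
        body = data[off + NLMSG_HDR.size:off + nlen]
        if ntype in (RTM_NEWLINK, RTM_DELLINK) and len(body) >= IFINFOMSG.size:
            _fam, _pad, _t, index, flags, _chg = IFINFOMSG.unpack_from(body)
            attrs = parse_attrs(body[IFINFOMSG.size:])
            name = attrs.get(IFLA_IFNAME, b"").rstrip(b"\0").decode(errors="replace")
            state = "deleted" if ntype == RTM_DELLINK else ("up" if flags & IFF_UP else "down")
            carrier = "running" if flags & IFF_RUNNING else "no-carrier"
            yield (name or f"ifindex{index}", state, carrier)
        off += align4(nlen)

def build_link_msg(ntype, index, flags, name):
    """Build a link message laid out as the kernel sends it; used here only as constructed sample input."""
    nm = name.encode() + b"\0"
    attr = RTATTR.pack(RTATTR.size + len(nm), IFLA_IFNAME) + nm
    attr += b"\0" * (align4(len(attr)) - len(attr))
    body = IFINFOMSG.pack(0, 0, 1, index, flags, 0xFFFFFFFF) + attr
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(body), ntype, 0, 0, 0) + body

def listen(log=print):
    """Linux only: subscribe to the RTMGRP_LINK multicast group and log link events as they arrive."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
    s.bind((0, RTMGRP_LINK))  # port id 0: the kernel assigns one
    while True:
        for ev in link_events(s.recv(65536)):
            log("link %s: %s (%s)" % ev)
```

Feeding build_link_msg output to link_events() exercises the parser offline; address and neighbor messages (RTM_NEWADDR, RTM_NEWNEIGH) follow the same header-plus-TLV layout with a different fixed struct.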
Upgrade compatibility check
This change is not relevant for rolling release users but we will include it in the upcoming 1.4.1 release.
Previously, the add system image command would allow upgrading to any image flavor (T7034). When we only had a single generic ISO, there simply wasn't any concern. However, as the number of official LTS flavors grew, there were also situations when upgrading to a non-matching flavor could have serious consequences: from loss of VM monitoring or cloud instance backup due to missing guest agents to completely broken configs on hardware platforms that require custom NIC mappings. And in some cases, upgrading old instances to flavors with cloud-init caused misplaced activation of cloud-init that could break the config in really bad ways, including resetting the password to default.
Now that command will refuse to install images if their flavor name is different, so that no one will have to worry about breaking their system by accidentally upgrading to a wrong image.
The upgrade script still allows the user to override that check, for hypothetical emergency cases, or upgrading to experimental flavors. The option is not exposed in the CLI but it's easy to find out how to invoke the script with that option by hand.
Other improvements
- WireGuard now supports FQDNs for peer addresses: set int wireg wg123 peer foo address foo.example.com (T4930).
- HAProxy HTTP response compression support: set load-balancing haproxy http-compression algorithm <gzip|deflate|identity|raw-deflate> (T7081).
- Textfile collector option for Prometheus: set service monitoring prometheus node-exporter collector text-file (T6994).
- Blackbox exporter support for Prometheus: service monitoring prometheus blackbox-exporter (T6949).
- SRv6 locator format support: set protocols segment-routing srv6 locators locator <locator> format <uncompressed|usid-f3216> (T6984).
- OpenVPN CRL updates no longer trigger a service restart (T6896).
Bug fixes
- Fixed a bug that prevented static routes via PPPoE interfaces from being installed (T7089).
- DHCP lease scripts are now timezone-aware (T6998).
- Fixed an issue with NTP migration script (T6911).
- Commit archive to git can correctly invoke SSH agent again (T7048).
- traffic-policy shaper correctly supports the lowdelay DHCP value again (T681).
- Fixed an exception in DHCP lease display with empty hostname fields (T7041).
- set system login radius correctly supports IPv6 source addresses now (T7039).
- Reserved VRF names up and down are no longer accepted by the CLI (T7024).
- Fixed a bug with deleting the dhcp option from interfaces with IPv6 (T7016).
- Fixed a bug that could lead to default route loss on changes in the routing configuration (T6991).
- run generate tech-support archive no longer fails when /config/scripts contains subdirectories (T6956).
That's all for now, but stay tuned for updates — in particular, accelerated dataplane integration into the rolling release is underway, and we are also working on a new system for embedding command documentation right into XML definition files!