VyOS Project July 2025 Update
Hello, Community!
This month's update looks small — just a few small features and a bunch of bug fixes. One reason is the vacation season, of course. Some people (namely, Yuriy and I) went to DebConf 2025 rather than on vacation; there we heard a lot of interesting talks and had productive conversations with Debian developers — the biggest thing is that we will likely be able to contribute our improvements to live-build back to upstream, which is great.
The other reason is that there are lots of big developments in progress that do not have visible effects yet, including an operational mode rework that will open up a pathway to operator-level user access controls; the ongoing work on rewriting the configuration backend; VPP support for VRRP, sFlow support for VPP, and BRAS protocols.
Contributor license agreement
You might have noticed that new PRs now require contributors to sign a contributor license agreement — signing is done by leaving a comment in the PR itself, so no complicated process there.
That agreement is a more or less exact copy of the agreement used by the Linux Foundation. The main point is that you certify that you have the right to distribute the code in question, are not infringing anyone else's rights, and are ready to give us the right to use the code.
New features
- Add `no-split-gso` and `ack-filter` for CAKE (T7589).
- Support PROXY protocol for haproxy: `set load-balancing haproxy service <name> listen-address <addr> accept-proxy` (T7595).
- IKEv2 retransmission options: `set vpn ipsec options retransmission <attempts ...|base ...|timeout ...>` (T7504).
- SRv6 uSID IS-IS capability: `set protocols isis segment-routing srv6 locator <locator>` (T7639).
Bug fixes
- Fixed a uuidgen warning if DMI doesn't have product_serial or it is empty (T7587).
- Fixed the WAN load balancer default SNAT behaviour (T7584).
- Call libvyosconfig functions from the main thread under http-api (T7588).
- `service monitoring prometheus` no longer tries to stop unconfigured services (T7528).
- Command 'show vpn debug peer <peer_name>' works correctly again (T7545).
- `show wan-load-balance` command was briefly broken but now works correctly again (T7622).
- WAN load balancer no longer erroneously enables packet rate limits (T7625).
- Fix regression in vyos-load-config: allow load without argument to load default (T7627).
- Trying to configure config encryption in a live CD now correctly causes an error (T4919).
- Configuration encryption now works without a hardware TPM (T7628).
- MSS clamping is now correctly applied on VRF interfaces (T5797).
- Fixed a memory leak in `vyos.airbag` (T6704).
- Fixed a missing import and an incorrect check in NAT64 (T7645).
- Fixed the output of the "show vpn ipsec connection" command for passthrough tunnels (T7489).
- VPP configuration no longer requires a second reboot after upgrade (T7649).
- `protocol all` works correctly in IPsec again (T7581).
- IPsec traffic selectors without prefixes work correctly again (T7593).
- QAT configuration no longer erroneously declares virtual function C62x devices unsupported (T7662).