VyOS project June 2023 update
We constantly develop VyOS, even if we don't always share updates. Currently, we're focused on the 1.3.3 LTS release, which should be out these days
In the meantime, here's a summary of what's been happening in the project lately.
VyOS 1.3 Equuleus (LTS)
VRRP parameter to delay startup as a measure against race conditions (T4939)
set high-availability vrrp global-parameters startup-delay <seconds>
RADIUS rate limiting option for the PPTP server (T4727)
set vpn pptp remote-access authentication radius rate-limit enable set vpn pptp remote-access authentication radius rate-limit attribute <id> set vpn pptp remote-access authentication radius rate-limit vendor <dict> set vpn pptp remote-access authentication radius rate-limit multiplier <n>
VyOS 1.4 Sagitta (rolling release)
As of this May, all Vyatta-era legacy CLI definitions have been rewritten in the modern Python/XML format. The sole exception is cluster, which we will not rewrite — we discovered that all functionality that the Heartbeat-based clustering component used to provide is now available in Keepalived, so we will convert all cluster configs to VRRP using a migration script instead.
Complete conversion to the new style will open up many possibilities, including auto-generated command reference, commit dry-run, and more.
In addition, this month saw the addition of many new features.
- The domain name parameter in DNS forwarding configuration is now validated as an FQDN to prevent input of misshapen strings. (T5134)
- As VyOS upgraded to Debian 12, the default
wpa_supplicantpackage no longer allows TLS v1.0 or v1.1 connections. VyOS now overrides that behavior for the sake of maintaining legacy EAP-TLS setups. (T5151)
New features and improvements
Command to disable IPsec rekeying (T5139)
To completely disable IKE rekeying, you can now set the lifetime to zero:
set vpn ipsec ike-group IKE lifetime 0
New subcommands to display IPSec remote-access connections (T5042)
show vpn ipsec remote-access <summary|detail|connection-id|username>
sFlow command displays new metrics for packet drops sent and suppressed (T5125)
Dynamic DNS status output has been revamped to be compatible with the new
ddclient cache format. (T5144)
It is now formatted as a table with per-host dual-stack information in rows. Time of last update is displayed in local time instead of UTC.
Filtered routes for a BGP peer can now be displayed with a new command (T5078)
show <ip|ipv6> bgp neighbors <address> filtered-routes
New commands for displaying BGP routes by VNI (T1315)
show bgp vni [<n>|all] type [1|2|3|ead|macip|multicast] show bgp vni [<n>|all] vtep <address>
New configuration option for policies to check failover route targets (T1237)
set protocols failover route <subnet> next-hop <address> check policy [all-available|any-available] set protocols failover route <subnet> next-hop <address> check target <address>
Static route monitoring for BFD (T5161)
set protocols static route <address> next-hop <address> bfd profile <name> set protocols static route <address> next-hop <address> bfd multi-hop source <address> profile <name> set protocols static table <n> [route|route6] <address> bfd profile <name> set protocols static table <n> [route|route6] <address> bfd multi-hop source <address> profile <name> show bfd static routes
Support for MPLS IGP-LDP synchronization for ISIS and OSPF (T5081)
set protocols [isis|ospf] ldp-sync set protocols [isis|ospf] ldp-sync holddown <n> set protocols [isis|ospf] interface <name> ldp-sync holddown <n>
Events relevant to system security are now monitored and recorded by
The audit logs can be displayed with a new command:
show log audit.
It is now possible to limit the total number of concurrent user sessions in the system (T5145)
set system login max-login-session 2
The command to generate tech support diagnostic report has been revamped (T5137)
The command is the same:
show tech-support report
However, it was rewritten from shell to Python for ease of maintenance and the output format was also improved.
Command and behavior changes
The more consistent syntax for attaching protocol-level route-maps (T5150)
The conf-mode syntax for Zebra routing filters has been updated for internal consistency. (Your existing config will be automatically migrated with the update.) It is now possible to filter for BGP IPv6 routes, static routes and connected routes with the new syntax:
set system ip protocol <any|babel|bgp|connected|eigrp|isis|kernel|ospf|rip|static|table> route-map <name> set system ipv6 protocol <any|babel|bgp|connected|eigrp|isis|kernel|ospfv3|rip|static|table> route-map <name>
Stay tuned for the next month's update for even more features like VRF support for Syslog and more!