VyOS Project June 2024 Update
Hello, Community!
Now that VyOS 1.4.0/Sagitta is officially available as a new LTS release, it's time to look to the future again: what will VyOS 1.5/Circinus be like? Rolling release images from June already include a big, long-awaited feature, thanks to new contributor Maxime Thiebaut: support for the Suricata IDS.
Another highlight is that the UPnP service was removed due to issues with its implementation and concerns about its long-term maintainability. Multiple smaller improvements have also been made to CGNAT, L2TP, bonding, and other areas. Read on for details!
New configuration options
- Config sync API port can now be configured for the secondary firewall (T6287).
  set service config-sync secondary port <port>
- SSTP connections can be limited to specified TLS SNIs (T4393).
  set vpn sstp host-name <hostname>
- RADIUS backup and weight attributes can be set for L2TP (T5756).
  set vpn l2tp remote-access authentication radius server <address> backup
  set vpn l2tp remote-access authentication radius server <address> priority <n>
- It is now possible to define system MAC addresses for bond interfaces (T6303).
  set interfaces bonding <bondif> system-mac <mac-address>
- The host process namespace can be shared with containers (T6358).
  set container name <name> allow-host-pid
- The CPU time used by each container can be limited to a given number of cores (with 0 being unlimited) (T6406).
  set container name <name> cpu-quota <n>
- Log levels can be set for the L2TP, PPTP, SSTP, IPoE and PPPoE services (from 0 to 5, 3 being the default) (T4576).
  set vpn l2tp remote-access log level <n>
  set vpn pptp remote-access log level <n>
  set vpn sstp log level <n>
  set service ipoe-server log level <n>
  set service pppoe-server log level <n>
- The IS-IS topology to be used can be configured (T6332).
  set protocols isis topology [ipv4-multicast|ipv4-mgmt|ipv6-unicast|ipv6-multicast|ipv6-mgmt|ipv6-dstsrc]
- The DNS forwarding service accepts multiple NS records (T6422).
  set service dns forwarding authoritative-domain <fqdn> records ns <name> target <host-0>
  set service dns forwarding authoritative-domain <fqdn> records ns <name> target <host-1>
- Support for an IDS service has been added; the underlying project is Suricata (T751, see the pull request for the specifics).
- Headers for reverse proxy responses can be customized (T6370).
  set load-balancing reverse-proxy [backend|service] <name> http-response-headers <header> value <value>
- Raw firewall tables can be configured in addition to the existing filter model (T3900, T6394).
  set firewall [ipv4|ipv6] [output|prerouting] raw rule <n> ...
- Support for EVPN uplink tracking (T6306).
  set interfaces ethernet <interface> evpn uplink
- Firewall rulesets accept IPoE interfaces (T6305).
- The maximum table number for route-map rules has been increased from 200 to 4294967295 (T6251).
- There can be more than one CGNAT internal pool, and internal pools are no longer limited to one translation rule each (T5169, T6364).
New commands
- Commands for displaying LACP information for bonding interfaces (T6291).
  show interfaces bonding lacp detail
  show interfaces bonding <interface> lacp detail
  show interfaces bonding <interface> lacp neighbors
- Commands for displaying CGNAT allocations (T6350, T6366).
  show nat cgnat allocation
  show nat cgnat allocation internal-address <address>
  show nat cgnat allocation external-address <address>
- Commands for displaying EVPN information (T6335).
  show evpn
  show evpn es
  show evpn es <es-id>
  show evpn es detail
  show evpn es-evi
  show evpn es-evi detail
  show evpn es-evi vni <n>
  show evpn vni
  show evpn vni detail
  show evpn vni <n>
- Commands for displaying NAT logs (T6375).
  show log nat source
  show log nat source rule <n>
  show log nat destination nat
  show log nat destination nat rule <n>
  show log nat static
  show log nat static rule <n>
- The reverse proxy service can be manually restarted (T5231).
  restart reverse-proxy
- The boot console type can be specified for the image (T6184).
  set system boot-console <tty-type>
Other changes
- The UPnP service has been removed for security and stability reasons (T3420).
- The "show system image" and "set system image default-boot" commands have been added to the HTTP API as the "show" and "set_default" operations on the /image endpoint (T5786).
- The NAT port mapping option "fully-random" has been removed, as it is functionally identical to "random" as of Linux 5.0 (T6345).
Stay tuned for more updates!