VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Project June 2024 Update

VyOS Developer Erkin Batu Altunbas
Posted 20 Jun, 2024

Hello, Community!

Now that VyOS 1.4.0/Sagitta is officially available as a new LTS release, it's time to start looking into the future again — what will VyOS 1.5/Circinus be like? Rolling release images from June already include a big and long-awaited feature, thanks for a new contributor Maxime Thiebaut — support for Suricata IDS.

Another highlight is that the UPnP service was removed due to issues with its implementation and the prospect of maintainability. Multiple smaller improvements are also made in CGNAT, L2TP, bonding, and other areas—read on for details!

New configuration options

  • Config sync API port can now be configured for the secondary firewall (T6287).

      set service config-sync secondary port <port>
  • SSTP connections can be limited to specified TLS SNIs (T4393).

      set vpn sstp host-name <hostname>
  • RADIUS backup and weight attributes can be set for L2TP (T5756).

      set vpn l2tp remote-access authentication radius server <address> backup
      set vpn l2tp remote-access authentication radius server <address> priority <n>
  • It is now possible to define system MAC addresses for bond interfaces (T6303).

      set interfaces bonding <bondif> system-mac <mac-address>
  • The host process namespace can be shared with containers (T6358).

      set container name <name> allow-host-pid
  • The CPU time used by each container can be limited by a given number of cores (with 0 being unlimited) (T6406).

      set container name <name> cpu-quota <n>
  • Log levels can be set for L2TP, PPTP, SSTP, IPoE and PPPoE services (from 0 to 5, 3 being the default) (T4576).

      set vpn l2tp remote-access log level <n>
      set vpn pptp remote-access log level <n>
      set vpn sstp log level <n>
      set service ipoe-server log level <n>
      set service pppoe-server log level <n>
  • IS-IS topology to be used can be configured (T6332).

    set protocols isis topology [ipv4-multicast|ipv4-mgmt|ipv6-unicast|ipv6-multicast|ipv6-mgmt|ipv6-dstsrc]
  • DNS forwarding service accepts multiple NS records (T6422).

      set service dns forwarding authoritative-domain <fqdn> records ns <name> target <host-0>
      set service dns forwarding authoritative-domain <fqdn> records ns <name> target <host-1>
  • Support for IDS service has been added — the underlying project is Suricata (T751, see the pull request for the specifics).

  • Headers for reverse proxy responses can be customized (T6370).

    set load-balancing reverse-proxy [backend|service] <name> http-response-headers <header> value <value>
  • Raw firewall tables can be configured in addition to the existing filter model (T3900, T6394).

      set firewall [ipv4|ipv6] [output|prerouting] raw rule <n> ...
  • Support for EVPN uplink tracking (T6306).

      set interfaces ethernet <interface> evpn uplink
  • Firewall rulesets accept IPoE interfaces (T6305).

  • Table number limits for route-map rules have been increased (from 200 to 4294967295) (T6251).

  • There can be more than one CGNAT internal pool, and internal pools are no longer limited to one translation rule each (T5169, T6364).

New commands

  • Commands for displaying LACP information for bonding interfaces (T6291).

      show interfaces bonding lacp detail
      show interfaces bonding <interface> lacp detail
      show interfaces bonding <interface> lacp neighbors
  • Commands for displaying CGNAT allocations (T6350, T6366).

      show nat cgnat allocation
      show nat cgnat allocation internal-address <address>
      show nat cgnat allocation external-address <address>
  • Commands for displaying EVPN information (T6335).

      show evpn
      show evpn es
      show evpn es <es-id>
      show evpn es detail
      show evpn es-evi
      show evpn es-evi detail
      show evpn es-evi vni <n>
      show evpn vni
      show evpn vni detail
      show evpn vni <n>
  • Commands for displaying NAT logs (T6375).

      show log nat source
      show log nat source rule <n>
      show log nat destination nat
      show log nat destination nat rule <n>
      show log nat static
      show log nat static rule <n>
  • Reverse proxy service can be manually restarted (T5231).

      restart reverse-proxy
  • Boot console type can be specified for the image (T6184).

      set system boot-console <tty-type>

Other changes

  • The UPnP service has been removed for security and stability reasons (T3420).

  • show system image and set system image default-boot have been added to the HTTP API as show and set_default on the /image endpoint (T5786).

  • NAT port mapping option fully-random has been removed, as it is functionally identical to random as of Linux 5.0 (T6345).

Stay tuned for more updates!


The post categories: