VyOS Project March 2024 Update
Hello, Community!
While VyOS 1.4/Sagitta has taken its final shape, and we are working to smoothen any remaining sharp edges (especially in migration scripts), the upcoming 1.5/Circinus branch is the new frontier where we can go wild and experiment freely. Safe features from the current branch are still backported to 1.4/Sagitta.
Still, we already have non-back portable features — such as improvements to the new DHCP server implementation based on Kea rather than the now-obsolete ISC DHCP server.
In the last month, there were quite a few improvements, including the ability to set multiple peer addresses for unicast VRRP (a feature by our new core team member Natalia Solomko), segment routing support for static IPv6 routes, support for SSH public keys in the PKI subsystem, and more.
New configuration options
-
DHCP server can ignore client IDs for static IP assignments (T6063):
set service dhcp-server shared-network-name <name> subnet <subnet> ignore-client-id
-
Local interfaces must be manually specified to link to subnets for DHCPv6 (T5993):
set service dhcpv6-server shared-network-name <name> subnet <subnet> interface <interface>
-
VRRP keepalived can have more than one peer address per group (T5504):
set high-availability vrrp group <group> peer-address <address-0> set high-availability vrrp group <group> peer-address <address-1>
-
The
resolve-via-defaultoption can be disabled for next-hop tracking (T6001):set system [ip|ipv6] nht no-resolve-via-default
-
A Site-of-Origin identifier can be set for MAC-VRF (T6032):
set protocols bgp address-family l2vpn-evpn mac-vrf soo <asn-or-ip>
-
Additional BGP configuration features (T6024):
set protocols bgp parameters labeled-unicast [explicit-null|ipv6-explicit-null|ipv6-explicit-null] set protocols bgp parameters allow-martian-nexthop set protocols bgp parameters no-hard-administrative-reset
-
BGP neighbor path attribute can be set to multiple values (T6010):
set protocols bgp neighbor <neighbor> path-attribute discard <n> set protocols bgp neighbor <neighbor> path-attribute discard <m>
-
Segment support for static IPv6 routes (T5849):
set protocols static route6 <prefix> next-hop <address> segments <segments> set protocols static route6 <prefix> interface <interface> segments <segments>
-
IPv4 prefixes are now valid options for UPnP ACLs (T5989):
set service upnp rule <n> ip <prefix>
-
PKI OpenSSH key support (T6034):
set pki openssh <name> [public|private] key <pem-key> set pki openssh <name> public type ssh-rsa set pki openssh <name> private type password-protected
-
Options to set PKI cache expiry and retry intervals (T6023):
set protocols rpki expire-interval <seconds> set protocols rpki retry-interval <seconds>
-
IPSec anti-replay window size can be changed from the default value of 32 or outright disabled with a value of 0 (T5998):
set vpn ipsec site-to-site peer <name> replay-window <n>
-
Individual local user accounts can be disabled (T5972):
set system login user <name> disable
-
It is possible to set the UID and GID of a container (T5955):
set container name <name> [uid|gid] <n>
New operational mode commands
-
Command to display the next-hop tracking table supports IPv6 (T5581):
show ipv6 nht
-
Command to display DHCP(v6) static mappings (T3316):
show [dhcp|dhcpv6] server static-mappings show [dhcp|dhcpv6] server static-mappings sort [duid|ip|mac|pool] show [dhcp|dhcpv6] server static-mappings pool <name>
-
All container images can be deleted with a single command (T6060):
delete container image all
Other changes
-
It is no longer possible to accidentally delete running containers (T6074).
-
The default message of the day banner was replaced with a new one following the competition (T6077). Download the latest nightly build to see it!
That's all for now, but more updates will come soon, so stay tuned!
Comments