VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Project May 2024 Update

VyOS Developer Erkin Batu Altunbas
Posted 21 May, 2024

Hello, Community!

Lately, we have all been busy preparing the 1.4.0-epa3 release, which will transition to GA status in two weeks if no serious issues are found. From that point on, its configuration syntax and APIs will be completely frozen: incompatible changes will either not be accepted or will require migration scripts.

Since the current branch (the future Circinus/1.5.0 release) and the Sagitta/1.4 codebase are so similar at the moment, most changes we made in the current branch have already been backported to Sagitta and are available in 1.4.0-epa3, such as the ability to run the SSH server in multiple VRFs, the DHCP server active-active high-availability mode, and reverse proxy server health checks. However, we are already making experimental changes that will stay in 1.5 for quite a while before we can decide whether they are ready for backporting to an LTS branch, such as an initial implementation of CGNAT.

New configuration options

  • The SSH service can be bound to multiple VRF instances (T6192):

      set service ssh vrf <instance>
  • DHCP service high-availability mode can be set manually (T6068):

      set service dhcp-server high-availability mode [active-active|active-passive]
  • Conntrack Sync can be configured to request a table resync against the other node at startup (T1244):

      set service conntrack-sync startup-resync
  • Load-balancing reverse proxy HTTP health check configuration (T6246):

      set load-balancing reverse-proxy backend <name> http-check method [head|get|options|post|put]
      set load-balancing reverse-proxy backend <name> http-check uri <path>
      set load-balancing reverse-proxy backend <name> http-check expect status <response-code>
      set load-balancing reverse-proxy backend <name> http-check expect string <body-string>
  • Load-balancing reverse proxy TCP request directive to set the content inspection delay (in milliseconds) (T6226):

      set load-balancing reverse-proxy service <name> tcp-request inspect-delay <n>
  • SSL certificate verification can be disabled for load-balancing reverse proxy backends (T6242):

      set load-balancing reverse-proxy backend <name> ssl no-verify
  • The minimum TLS version can be specified for the OpenConnect VPN service (1.2 by default) (T4982):

      set interfaces openconnect tls-version-min [1.0|1.1|1.2|1.3]
  • Client EAP ID can be set for IPsec remote access VPN service (T6237):

      set vpn ipsec remote-access connection <name> authentication eap-id <id>
      set vpn ipsec remote-access connection <name> authentication eap-id any
  • Failover route option to treat the next hop as directly attached to this link (T5722):

      set protocols failover route <route> next-hop <address> onlink
  • SYS_NICE capability can be set in containers (T6210):

      set container name <name> capability sys-nice
  • ARP/NDP cache timeout base value can be set for each interface in milliseconds (30 by default) (T6258):

      set interfaces <interface> <name> ipv6 base-reachable-time <n>
  • Proof of concept implementation of CGNAT rule generation per RFC 6888. See the pull request for the specifics (T5169).

New commands

  • Detailed output subcommands were added for firewall display commands (T6188):

      show firewall [ipv4|ipv6|bridge] name <chain> detail
      show firewall [ipv4|ipv6|bridge] name <chain> rule <n> detail
      show firewall [ipv4|ipv6|bridge] forward filter detail
      show firewall [ipv4|ipv6|bridge] forward filter rule <n> detail
      show firewall [ipv4|ipv6] [input|output] filter detail
      show firewall [ipv4|ipv6] [input|output] filter rule <n> detail
      show firewall group detail
      show firewall group <name> detail

Other changes

  • PKI certificate generator accepts RFC 822 names (e-mail address format) (T6259).
