VyOS Platform Blog

VyOS Project May 2025 Update

Written by Daniil Baturin | May 29, 2025 10:00:08 AM Z

Hello, Community!

Quite a lot of things have happened since the last update we posted in April. In particular, we added the last bit of functionality that we considered a hard requirement for the VPP-based accelerated dataplane: support for VPP firewall. This marks the point when we consider the minimal viable product complete and we plan to ship it in a VyOS Stream release later this year, likely in Q3 — although you don't have to wait for it to play around with it, since it's already in the rolling release.

We are also making very good progress towards replacing the legacy config backend — that work is still in the development phase and has no visible effects, and will take a while longer to complete, but it's underway.

When it comes to bugs, there are more than twenty recent fixes, including a fix for the nasty bug that led to routing protocol configuration loss if a protocol daemon crashed. Another important fix contributed by a community member makes VMware VMs suspend and resume correctly. Last but not least, the login prompt is no longer displayed in a bold font — that one took more time to track down than anyone hoped, and turned out to be caused by a truncated Systemd service name (ANSI control codes do not reset themselves on word boundaries, you know...).

There are multiple improvements in the base system as well. There's a new set system option reboot-on-upgrade-failure command that makes the system automatically reboot into the previous image if the configuration fails to load after upgrade. We hope it will help multiple people avoid unplanned trips to remote places — of course there should be out-of-band management everywhere for this case, but we all know that the real world is not perfect.

Other recently added features include support for IPv6 addresses in the datasets for firewall remote groups, BPDU guard and root guard support for bridges, a new option to limit BRAS services (IPoE, PPPoE, and friends) to a specific number of CPU cores to avoid system overload, and more — read on for details!

Removed commands

  • set load-balancing reverse-proxy global-parameters logging facility command is removed because the option is not actually supported by HAProxy. Migration scripts remove it automatically, no need to take any action (T7429).

Renamed commands

  • clear session <tty> is now reset session <tty> since clear is a name reserved for completely non-disruptive commands (T6696).

New features

  • Flowtable target in the global firewall policy: set firewall global-options state-policy offload offload-target <flowtable> (T7358).
  • A new option to suppress most boot messages: set system kernel option quiet (T7397).
  • Containers now support privileged option (T7412).
  • New command that displays all network interfaces (whether directly configurable from the CLI or special): show interfaces kernel (T7268).
  • Group support in NAT66: set nat66 source rule 10 destination group network-group <name> (T7051).
  • Root guard and BPDU guard support for bridge interfaces: set interfaces bridge brX member interface <intf> <bpdu-guard|root-guard> (T7430).
  • Firewall remote-group lists now allow both IPv4 and IPv6 addresses (T7386).
  • A new option for limiting BRAS services to a number of worker threads (as many as there are CPUs, half as many, or a specific number): set service pppoe-server thread-count <all|half|N> (T7348).
  • New option to make the system automatically reboot into the previous image if configuration fails to load: set system option reboot-on-upgrade-failure [timeout <min>] (T1771).
  • A few new kernel tweaking options (T7423):
      set system option kernel cpu disable-nmi-watchdog
      set system option kernel cpu isolate-cpus '1,2,4-5'
      set system option kernel cpu nohz-full '1,2,4-5'
      set system option kernel cpu rcu-no-cbs '1,2,4-5'
      set system option kernel disable-hpet
      set system option kernel disable-mce
      set system option kernel disable-softlockup
      set system option kernel memory default-hugepage-size '2M'
      set system option kernel memory disable-numa-balancing
      set system option kernel memory hugepage-count '256'
      set system option kernel memory hugepage-size '2M'
  • The HTTP API server now supports renew operational mode commands (T7395).

Bug fixes

  • Image upgrade no longer fails when the config has an empty system option subtree (T7394).
  • Added a duplicate prefix safeguard for IPv6 router advertisements (T7389).
  • Improved WireGuard peer commit time (T7387).
  • Tech support archive generation no longer fails on systems without a USB controller (T7410).
  • HAProxy can now properly switch from a custom cert to ACME without a commit error (T7122).
  • set service https api now correctly applies listen-address and no longer listens on all addresses (T7393).
  • Fixed an incorrect trailing backslash in generated Prometheus node exporter configs (T7416).
  • Image download credentials are now passed to the download script via environment variables rather than as command line arguments (T7420).
  • TCP flags matching in QoS works correctly again (T7415).
  • Terminal font no longer ends up bold and white after the last boot message before the login prompt (T7356).
  • Fixed a config migration issue for VRF static routes that could cause upgrades from VyOS 1.3.x to fail (T7417).
  • Generated FRR configs correctly include logging options again (T7431).
  • Prometheus exporters that aren't explicitly configured are no longer started (T7435).
  • FRR configs are now correctly preserved if the daemon crashes and restarts (T7411).
  • BGP large community values now correctly permit whitespace (T5069).
  • Scheduled reboot or shutdown no longer disallows new user logins (T7443).
  • IPsec no longer erroneously enables passthrough for all overlapping networks, only for subnets (T7458).
  • The help string for HAProxy redirect-location now correctly says it's a path rather than a URL (T7335).
  • Fixed a commit error when trying to configure OpenConnect to use RADIUS without specifying a RADIUS server (T7287).
  • Bonding interface mode option now correctly catches malformed values like 803-3ad at set time rather than at commit time (T7466).
  • Accel-PPP services are now correctly restarted on RADIUS server option changes (T7463).
  • IPoE server no longer erroneously requires a client IP pool when a DHCP relay is configured (T6997).
  • IPoE server now correctly checks if giaddr is configured. In 1.4 it's a warning, in later versions — a commit failure (T7472).
  • The configuration system now correctly prevents deletion of interfaces referenced in flowtables (T7350).
  • VMware virtual machine suspend/resume works correctly again (T3681).

That's all for now but stay tuned for updates — we are preparing the VyOS Stream 2025-Q2 now and will share it when the image is ready!