VyOS Project November 2022 Update
If you are wondering what we've been up to — we are on track to bring the 1.4/Sagitta release to its final shape and we are pretty sure next year we'll focus on stabilizing it and preparing it to become the new LTS release.
There are still a lot of things to do. Our main focus is now on the firewall and QoS implementations and on the new-style operational mode, which automatically makes all functionality available both in the CLI and in the GraphQL API without any additional effort.
However, there are multiple smaller features and fixes as well — read on for details!
Update-check for VyOS images (T3476)
We added the ability to check for available new images automatically.
This is what it will look like:
set system update-check auto-check
set system update-check url 'http://example.com/image-version.json'
There are no official server-side implementations yet, but we'll let you know when there are. Needless to say, this feature is off by default and users need to enable it explicitly. Since the URL is configurable, everyone can also use it in their own network, even one completely isolated from the public Internet. If you do run your own server, serve the version file over HTTPS where you can: with a plain-HTTP URL like the one in the example, anyone on the path can tamper with the version information the router sees.
Support for two-factor authentication for system logins through TOTP (T874)
TOTP (Time-based One-Time Password) is a popular two-factor authentication algorithm that is used by Google Authenticator and many other 2FA solutions.
We added support for 2FA for system logins through the libpam-google-authenticator package, which provides a PAM module implementing RFC 6238 (TOTP) and RFC 4226 (HOTP).
Here are the commands for setting it up:
set system login user vyos authentication otp key <key>
set system login user vyos authentication otp rate_limit <rate_limit>
set system login user vyos authentication otp rate_time <rate_time>
set system login user vyos authentication otp window_size <window_size>
2FA support helps VyOS meet the security requirements for use in critical infrastructure and standards such as NIST SP 800-171.
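To make the TOTP mechanics behind these options concrete, here is an added Python example (it is not VyOS or libpam-google-authenticator code): RFC 4226 HOTP and RFC 6238 TOTP checked against the RFCs' published test secret, a verifier whose window_size tolerates clock skew, and a per-user limiter with rate_limit/rate_time semantics. It assumes what authenticator apps and the PAM module use by default: a base32 key, 6 digits, a 30-second step, HMAC-SHA1, and a window_size that counts the accepted codes (previous, current and next for 3); the RFC_TEST_SECRET is the RFCs' test value, not a real key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed for testing: the ASCII secret "12345678901234567890" used by the
# RFC 4226 and RFC 6238 test vectors. Never use it as a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (30 s by default)."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_key(key: str) -> bytes:
    """Decode an authenticator-app style base32 key: unpadded, case-insensitive, spaces allowed."""
    key = key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # restore the padding b32decode insists on
    return base64.b32decode(key)


def verify_totp(secret: bytes, code: str, unix_time: int, window_size: int = 3,
                step: int = 30, digits: int = 6) -> bool:
    """Accept `code` if it matches any of `window_size` consecutive steps centred on now.

    window_size=3 accepts the previous, current and next code (one step of skew either
    way); the skew range is -((window_size - 1) // 2) .. window_size // 2.
    """
    current = unix_time // step
    lo = -((window_size - 1) // 2)
    hi = window_size // 2
    ok = False
    for skew in range(lo, hi + 1):
        counter = current + skew
        if counter < 0:  # only possible right after the epoch; never a valid step
            continue
        # Constant-time compare, and no early exit, so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, counter, digits), code)
    return ok


class LoginRateLimiter:
    """Allow at most `rate_limit` attempts in any `rate_time`-second window (one instance per user)."""

    def __init__(self, rate_limit: int = 3, rate_time: int = 30) -> None:
        self.rate_limit = rate_limit
        self.rate_time = rate_time
        self._attempts: list = []

    def attempt(self, now: int) -> bool:
        """Record an attempt at time `now`; return False if it must be refused."""
        self._attempts = [t for t in self._attempts if now - t < self.rate_time]
        if len(self._attempts) >= self.rate_limit:
            return False
        self._attempts.append(now)
        return True


if __name__ == "__main__":
    # Published RFC 6238 SHA-1 vector: at T=59 s the 8-digit code is 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(verify_totp(RFC_TEST_SECRET, "287082", 59))
```

Two points worth noticing: a larger window_size makes life easier for users with drifting clocks but multiplies the number of codes an attacker can guess per attempt, and the rate limiter is what actually bounds online guessing, so the two options should be tuned together.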
Support for BGP multipath-relax (T4696)
You can use this new command to enable it:
set protocols bgp parameters bestpath peer-type multipath-relax
This command tells the BGP decision process to consider paths from all peer types for multipath computation: with it enabled, paths learned from eBGP, iBGP, or confederation neighbors can all become multipath if they are otherwise equal cost.
- Support for Spanish ("es") and Japanese ("jp106") keyboard layouts in the "set system option keyboard-layout" command (T4695).
- New listen address command for OpenConnect (T4656).
- Global RFS (Receive Flow Steering) is now enabled by default in the kernel (T4689).
- The Telegraf process is now automatically restarted after failures.
- The default action of firewall rulesets had been incorrectly set to "accept" in nightly builds for some time; it is now correctly "drop" again (T4655). If you have been running nightly builds, verify the default-action of your rulesets after upgrading.
- Pseudo-ethernet interface mode command works correctly again (T4663).
- Improved error reporting when operational mode commands are given a non-existent bridge interface as an argument (T4673).
- The GraphQL API now returns operational mode command error messages if errors occur (T4674).
- It's now possible to use the same VRID for VRRPv2 and VRRPv3. Thanks to Sander Klein for the commit! (T4665)
- The local-policy and local-policy6 nodes were missing their priority property, causing an ordering issue between the creation of dynamic interfaces and references to those interfaces in PBR rules. Now you can add a priority value to order local-policy(6) after all interface definitions (T4685).
- Fixed an internal error that might occur when a policy rule for TCP MSS adjustment was missing required options (T4697).
- Prometheus client listen-address option no longer accepts invalid values (T4680).
- Fixed op-mode NAT translation output broken in recent nightly builds (T4713).
- Fixed a node name issue in the IKEv2 road-warrior profile generator for iOS (T4719).
- The ebgp-multihop option is now supported for directly-connected (interface-based) BGP neighbors (T4744).
- Fixed several bugs around bonding member interface states not changing correctly after configuration changes (T4668).
- Fixed incorrect OpenVPN site-to-site check for IPv6 local and remote addresses (T4679).
Refactorings and optimizations
Initial implementations are rarely perfect, and a lot of the time we need to rethink them and refactor or even rewrite the code.
For example, the old range validator was a Python script, and because of the Python interpreter's startup time it seriously slowed down every commit once it became widely used. In September, we added a range-checking option to the numeric value validator, which is a native-code OCaml program and runs orders of magnitude faster (T4698). More validator optimizations and rewrites are underway, which will make commits even faster.
Thanks to our long-time contributor Cheeze-It, IS-IS segment routing support has been refactored and brought much closer to the OSPF segment routing implementation (T4739).
The scripts behind "show system uptime" and "show system storage" were rewritten in the new style. That change is not visible from the CLI, but it makes that functionality available in the GraphQL API and brings us closer to a full-featured web GUI as well. Many more such changes are underway.
The firewall redesign is a huge subject that warrants its own post — stay tuned! We are also making good progress in the web GUI department, and a working version is around the corner. More to come in the next update that we'll post in December.