Hello, community!
If you are wondering what we've been up to — we are on track to bring the 1.4/Sagitta release to its final shape and we are pretty sure next year we'll focus on stabilizing it and preparing it to become the new LTS release.
There are still a lot of things to do. Our main focus right now is on the new firewall and QoS implementations and on the new-style operational mode, which automatically makes all functionality available both to the CLI and to the GraphQL API without any additional effort.
However, there are multiple smaller features and fixes as well — read on for details!
We added the ability to check for available new images automatically.
This is what it will look like:
set system update-check auto-check
set system update-check url 'http://example.com/image-version.json'
There are no official server-side implementations yet, but we'll let you know when there are. Needless to say, this feature will be off by default and users will need to explicitly enable it. Since the URL is configurable, everyone will also be able to use it in their own network, even one completely isolated from the public Internet. Note that the example above uses a plain http:// URL for brevity; in practice you will want to point it at an https:// endpoint so that the version information cannot be altered in transit.
TOTP (Time-based One-Time Password) is a popular two-factor authentication algorithm that is used by Google Authenticator and many other 2FA solutions.
We added support for 2FA for system logins through the libpam-google-authenticator package that provides a PAM module and implements RFC 6238 and RFC 4226.
Here are the commands for setting it up:
set system login user vyos authentication otp key <key>
set system login user vyos authentication otp rate_limit <rate_limit>
set system login user vyos authentication otp rate_time <rate_time>
set system login user vyos authentication otp window_size <window_size>
2FA support will help VyOS meet security requirements for its use as critical infrastructure and meet standards such as NIST 800-171.
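To make the RFC 4226/6238 mechanics behind those commands concrete, here is an added example in Python; it is not VyOS code and not the libpam-google-authenticator PAM module, and the meaning it gives to window_size (the number of 30-second code slots accepted, centred on the current one) and to rate_limit/rate_time (at most rate_limit attempts in any rate_time-second interval) is an assumption for illustration. It uses the secret from the RFC test vectors so the generated codes can be checked against the tables in the RFCs, and it produces 6-digit HMAC-SHA1 codes as Google Authenticator does.

```python
import base64
import hashlib
import hmac
import struct
import time
from collections import deque

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"),
# both raw and in the base32 form an authenticator app or 'otp key' would take.
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def key_from_base32(key: str) -> bytes:
    """Decode a base32 secret, tolerating lower case, spaces and missing padding."""
    key = key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to the requested digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, window_size: int = 3,
                step: int = 30, digits: int = 6) -> bool:
    """Accept a code if it matches any slot inside the window (assumed
    semantics: window_size slots centred on the current one, so 3 means
    the previous, current and next code). Comparison is constant-time."""
    half = window_size // 2
    current = at // step
    return any(hmac.compare_digest(hotp(key, c, digits), code)
               for c in range(current - half, current + half + 1))


class LoginRateLimiter:
    """Assumed semantics of rate_limit / rate_time: at most rate_limit
    attempts within any rate_time-second interval (a sliding window)."""

    def __init__(self, rate_limit: int = 3, rate_time: int = 30):
        self.rate_limit = rate_limit
        self.rate_time = rate_time
        self.attempts = deque()

    def allow(self, now: int) -> bool:
        # drop attempts that have aged out of the window
        while self.attempts and self.attempts[0] <= now - self.rate_time:
            self.attempts.popleft()
        if len(self.attempts) >= self.rate_limit:
            return False
        self.attempts.append(now)
        return True


def check_login(key: bytes, code: str, limiter: LoginRateLimiter,
                now: int, window_size: int = 3) -> bool:
    """Rate-limit first, then verify: a burst of guesses is refused before
    any code is even examined."""
    if not limiter.allow(now):
        return False
    return verify_totp(key, code, now, window_size)


if __name__ == "__main__":
    now = int(time.time())
    key = key_from_base32(RFC_TEST_SECRET_B32)
    print("current code:", totp(key, now))
    print("accepted:", verify_totp(key, totp(key, now - 30), now))
```

Because window_size widens the set of accepted codes, the rate limiter is what keeps a brute-force attempt from turning that tolerance into a practical weakness: with rate_limit 3 and rate_time 30, an attacker gets three guesses per half minute against a one-in-a-million code space per slot.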
Support for BGP multipath-relax (T4696)
You can use this new command to enable it:
set protocols bgp parameters bestpath peer-type multipath-relax
This command tells the BGP decision process to consider paths from all peers for multipath computation. With this option enabled, paths learned from any of eBGP, iBGP, or confederation neighbors become multipath candidates if they are otherwise considered equal cost.
We added the Spanish ("es") and Japanese ("jp106") keyboard layouts to the "set system option keyboard-layout" command (T4695).
The default firewall ruleset action had been incorrectly set to "accept" in nightly builds for some time; it is now correctly set to "drop" again (T4655).
The local-policy and local-policy6 nodes were missing their priority property, which caused an ordering issue between the creation of dynamic interfaces and PBR rules referencing those interfaces. Now a priority value orders local-policy(6) after all interface definitions (T4685).
Fixed an internal error that might occur when a policy rule for TCP MSS adjustment was missing required options (T4697).
Prometheus client listen-address option no longer accepts invalid values (T4680).
Fixed a node name issue in the IKEv2 road-warrior profile generator for iOS (T4719).
Initial implementations are rarely perfect, and a lot of the time we need to rethink them and refactor or even rewrite the code.
For example, the old range validator was a Python script, and because of the Python interpreter's startup time it seriously slowed down every commit once it became widely used. In September, we added a range-checking option to the numeric value validator, which is native code written in OCaml and runs orders of magnitude faster (T4698). More validator optimizations and rewrites are underway, which will make commits even faster.
Thanks to our long-time contributor Cheeze-It, IS-IS segment routing support has been refactored and brought much closer to the OSPF segment routing implementation (T4739).
The scripts behind "show system uptime" and "show system storage" were rewritten in the new style. That change is not visible from the CLI, but it makes that functionality available in the GraphQL API and brings us closer to a full-featured web GUI as well. There are many more such changes underway, too.
The firewall redesign is a huge subject that warrants its own post — stay tuned! We are also making good progress in the web GUI department, and a working version is around the corner. More to come in the next update that we'll post in December.