VyOS Project November 2024 Update

Hello, Community!

The November update is here. This post is short, but not all we've done lately: many internal changes in the configuration system will soon significantly improve commit speeds and open up a path to even more significant improvements. The 1.4.1 release is around the corner, together with the first VyOS Stream image — all built by the new CI system that produces tarballs with the corresponding source code for every image. But now, let's focus on the changes we made in the rolling release in October.

Configuration syntax changes

The HAProxy subsystem is now under set load-balancing reverse-proxy is now set load-balancing haproxy (T6745).

We usually prefer generic terms because we want to keep the config syntax the same even when we change the underlying implementation, as it already happened with the DHCP server, DNS forwarding, and many other components.

In this case, the motivation is that HAProxy is not only a reverse proxy but a more general-purpose load-balancing solution, so the old name was more misleading than helpful.

New features

Packet modification options for all firewall types (T6760)

Originally, only the policy route subtree had packet modification options such as setting connection marks, DSCP bits, hop-limit/TTL, and making forced TCP MSS adjustments.

vyos@ROCK# set policy route FOO rule 10 set 
Possible completions:
   connection-mark      Set connection mark
   dscp                 Set DSCP (Packet Differentiated Services Codepoint) bits
   mark                 Set packet mark
   table                Set the routing table for matched packets
   tcp-mss              Set TCP Maximum Segment Size
   vrf                  VRF to forward packet with

That was a limitation of iptables that became irrelevant when we migrated to nftables but we didn't have a CLI for the.

Now all those options are available in all firewall types, for example: set firewall bridge forward filter rule 1 set connection-mark '123123'.

It's a good first step towards removing the dated and misleading policy route CLI subtree where most options have nothing to do with PBR and to eventual overhaul of the policy-based routing config syntax.

Commit-confirm can use soft rollback now (T5976)

For a long time, VyOS could only roll back to an older config revision by rebooting into it. That was highly disruptive but difficult to fix due to legacy design decisions that take us quite some time to fix. A while ago we added a new rollback-soft command that can revert to older revisions without rebooting.

Now it's possible to make the commit-confirm command use that soft rollback. Just to be on the safe side, we made it optional for now, you can enable it with set system config-management commit-confirm action reload.

Eventually the old, highly-disruptive rollback will become a thing of the past, but for now remember to use those commands if you want to give that new rollback a try, and tell us about any issues you encounter!

Convertor from commands to configs (T6740)

VyOS has had a convertor from configs to commands for a long time — available as a standalone script /usr/bin/vyos-config-to-commands and the | commands filter.

Now there's also a convertor from commands to configs, so far only available as a standalone utility.

vyos@vyos# show | commands | grep eth0
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 hw-id '08:00:27:ab:9e:ce'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
[edit]

vyos@vyos# show | commands | grep eth0 | vyos-commands-to-config
interfaces {
    ethernet eth0 {
        address "dhcp"
        hw-id "08:00:27:ab:9e:ce"
        offload {
            gro
            gso
            sg
            tso
        }
    }
}

Curious why it took so long? Converting configs to commands is a very simple task: as long as you can tokenize configs, you can convert them to valid commands basically by removing all curly braces, duplicating some words, and adding line breaks.

But to convert a command, you need to understand if a word is a config option or a value. To know that, you need to have machine-readable information about the current config structure: what nodes it can have and if they are leaf nodes that can have values or non-leaf nodes that can have child nodes. We have that information and we already used it for config validation; now we also use it for converting commands to configs, and there are many more ways we can use it in the future.

Bug fixes

• Source address for RADIUS connections is working as expected in OpenConnect server settings (T6757).
• Improved validation of IKE group settings prevents errors that could stop the IPsec process (T6101).
• The set table option set policy route now supports table number up to 65535 (T6430).
• PKI supports EC keys now (T6766).
• set traffic-policy fair-queue test hash-interval is no longer limited to 1-127 and support any values, like VyOS 1.3.x did (T6791).
• Trailing slashes in set system login user test home-directory work as expected again (T6807).
• Op mode commands for the console server no longer throw errors when the console server is not configured (T6808).

Misc

• The URL of rolling release packages is now [https://packages.vyos.net/repositories/current/] rather than rolling-packages.vyos.net/current/ — it's updated in the build scripts so it shouldn't be an issue. But if you have it hardcoded anywhere for mirroring or similar, take note of the change! (T6755)
• There's now support for Italian keyboard layouts: set system option keyboard-layout it (T6759).
• Root certificates of certificates received via ACME are now automatically imported into the PKI (T6481).

That's all for now but stay tuned for updates!