VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Project October 2023 Update

VyOS Developer Erkin Batu Altunbas
Posted 5 Oct, 2023

Hello, Community!

September was quite the hectic month for us, not only because of the upcoming release of VyOS 1.4 Sagitta (you may have noticed the new branch in the Git repository), but also because development on the trunk is continuing at full throttle, as you can tell from the list below.

New configuration options

  • Single VXLAN Device: VLAN-to-VNI mappings over a single VXLAN container interface, avoiding a separate VXLAN interface for each VNI. See documentation for a description and setup instructions (T3700).

  • Support for AWS gateway load balancer (T5261):

    set service aws glb script [on-create|on-destroy] <path>
    set service aws glb status format [simple|full]
    set service aws glb status port <n>
    set service aws glb threads tunnel <n>
    set service aws glb threads tunnel-affinity <n>
    set service aws glb threads udp <n>
    set service aws glb threads udp-affinity <n>
  • IPv6 multicast support with PIMv6 and MLD. See documentation for a description and setup instructions (T5518).

  • IPv6 support for ingress filtering (T3509):

    set firewall ipv6-source-validation [strict|loose|disable]
    set interfaces <interface-type> <name> ip ipv6-source-validation [strict|loose|disable]
  • Software and hardware flowtable offload functionality for the firewall service (T4502):

    set firewall flowtable <name> interface <name>
    set firewall flowtable <name> offload [software|hardware]
    set system conntrack flow-accounting
    set firewall [ipv4|ipv6] forward filter rule <n> action offload
    set firewall [ipv4|ipv6] forward filter rule <n> offload-target <name>
    # For hardware offload:
    set interfaces ethernet <name> offload hw-tc-offload
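
    As an added illustration (not part of the original post), the commands above combined into one software-offload setup; the interface names eth0/eth1, the flowtable name FT-LAN and the rule numbers are assumed. Only connections that the forward chain has already accepted (established/related) are handed to the flowtable, because once a flow is offloaded its packets bypass the remaining forward rules.

```text
# Flowtable spanning the two forwarding interfaces; software offload needs no NIC support
set firewall flowtable FT-LAN interface eth0
set firewall flowtable FT-LAN interface eth1
set firewall flowtable FT-LAN offload software

# Keep byte/packet counters for offloaded flows (otherwise accounting stops at offload)
set system conntrack flow-accounting

# Rule 10: hand already-accepted, established connections to the flowtable
set firewall ipv4 forward filter rule 10 action offload
set firewall ipv4 forward filter rule 10 offload-target FT-LAN
set firewall ipv4 forward filter rule 10 state established
set firewall ipv4 forward filter rule 10 state related

# Rule 20: new connections still go through the normal policy (assumed example: allow from LAN)
set firewall ipv4 forward filter rule 20 action accept
set firewall ipv4 forward filter rule 20 state new
set firewall ipv4 forward filter rule 20 inbound-interface name eth1

# Everything else is dropped by the chain default
set firewall ipv4 forward filter default-action drop

# Optional: switch to hardware offload only if the NIC driver supports TC offload
# set firewall flowtable FT-LAN offload hardware
# set interfaces ethernet eth0 offload hw-tc-offload
# set interfaces ethernet eth1 offload hw-tc-offload
```

    Verify after commit with `show firewall ipv4 forward filter`; the offload rule's counters increase only for traffic that has already passed rule 20.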
  • The firewall service now supports bridge filtering (T4072):

    set firewall bridge name <name> ...
    set firewall bridge forward filter ...
  • Firewall SYNPROXY support against TCP SYN flood attacks and port scanners. See documentation for setup instructions (T5217).

  • Firewall marks can be defined to match against ranges and negated ranges (T5616):

    set firewall [ipv4|ipv6] name <name> rule <n> mark <range>
    set policy [route|route6] <name> rule <n> mark <range>
  • Firewall rules can now match on the conntrack helper assigned to a connection, which helps protect against security problems arising from helper use (T5614):

    set firewall [ipv4|ipv6] name <name> rule <n> conntrack-helper <helper>
  • Conntrack ignore lists now support IPv6 and firewall groups (T4309):

    set system conntrack ignore [ipv4|ipv6] rule <n> [destination|source] group [address-group|domain-group|mac-group|network-group|port-group]
  • Policies for local traffic can be specified by protocol (T5165):

    set policy local-route rule <n> protocol <protocol>
  • Containers can be given key-value pair metadata labels (T5531):

    set container name <name> label <key> value <value>
  • The CAP_SYS_MODULE capability can now be set on containers, permitting loading of kernel modules (T5544):

    set container name <name> cap-add sys-module
  • Ability to remove all private AS numbers from the BGP AS path (T5576):

    set protocols bgp neighbor <neighbor> address-family ipv4-multicast remove-private-as all
  • Mandatory and optional (default) modes for RADIUS and TACACS+ authentication (T5577):

    set system login [radius|tacacs] security-mode [mandatory|optional]
  • BGP options to treat incoming update messages with the given path attribute number as if the contained routes were withdrawn and to advertise software version capability to the peer (T5596):

    set protocols bgp neighbor <neighbor> path-attribute treat-as-withdraw <n>
    set protocols bgp neighbor <neighbor> capability software-version
  • IS-IS options to advertise high metric values on all interfaces and to advertise prefixes of only passive interfaces (T5597):

    set protocols isis advertise-high-metrics
    set protocols isis advertise-passive-only
  • SNMP monitoring support for the VRRP service is now disabled by default. It can still be enabled manually (T5586):

    set high-availability vrrp snmp
  • Backup mode for reverse-proxy backend servers: a backup server receives traffic only when all active (non-backup) servers are down (T5602):

    set load-balancing reverse-proxy backend <tag> server <name> backup
  • DNS time-to-live support for web-service and RFC 2136-based dynamic DNS protocols (T5612):

    set service dns dynamic address web [service|rfc2136] service <name> ttl <n>
  • Support for DNS cache management on a per-service basis (T5574):

    set service dns dynamic address <address> service <name> [expiry-time|wait-time] <n>
  • It is now possible to pick the IP version to be used by the mDNS repeater service (T5615):

    set service mdns ip-version [ipv4|ipv6|both]

New operational mode commands

  • Generate firewall commands with resequenced rule numbers (T5497):

    generate firewall rule-resequence start 10 step 10
  • Disks to be formatted can be selected by id rather than by traditional device names (T5609):

    format by-id <disk-id> like <disk-id>
  • RAID members can be added and deleted through the CLI (T5608):

    [add|delete] raid <device> member <device-name>
    [add|delete] raid <device> by-id member <disk-id>
  • The command to display firewall logs has been revamped and extended, including support for displaying bridge logs (T4072, T5579):

    show log firewall [ipv4|ipv6] [forward|input|output] ...
    show log firewall bridge ...
  • Command to display IPv4 nexthop tracking table (T5581):

    show ip nht
  • Command to monitor the output of any given op-mode command, including the option to show incremental differences:

    monitor command <command>
    monitor command diff <command>
  • NTP time synchronization can be forced by hand (T5582):

    force ntp synchronization

Other changes

  • OpenVPN shared-secret support has been deprecated and will be removed in a future VyOS version. Please migrate your site-to-site tunnels to TLS. You can use self-signed certificates with peer fingerprint verification (T5269).

  • IPSec service now supports full CA chains in PKI (T5606).

  • The webproxy service now allows setting a maximum object size of up to 1 GB (T5567):

    set service webproxy maximum-object-size 1000000
  • The kernel-level TCP congestion control algorithm is now BBR (Bottleneck Bandwidth and RTT) instead of the default CUBIC algorithm (T5489).

  • Similarly, the queuing discipline for network devices is now FQ (fair queue) instead of the default pfifo_fast (T5489).

And the work on stabilizing VyOS 1.4 for the LTS release is underway as well — stay tuned for updates!
