VyOS Project October 2024 Update
Hello, Community!
The October update, which summarizes our work in September, is here. The maintainers and community contributors were busy: four new features, multiple small improvements, and a few bug fixes. Then there is the secure boot implementation, but that will get its own blog post when the last bits fall into place!
CLI changes
We made a few changes in the operational mode CLI that may mess with your muscle memory, but open a path to future improvements and make the current CLI more predictable.
The new execute command family (T6694)
Most VyOS operational mode commands have very specific meanings that help the user guess how disruptive a command will be: `restart` may disrupt an entire subsystem, `reset` has localized effects (on a single BGP peer or a PPPoE user, for example), and `clear` is generally not disruptive at all.
However, we had a very poorly defined family of `force` commands and a bunch of commands that were sitting at the top level, like `telnet` and `wake-on-lan`.
From now on, "force" has a specific meaning — it's for commands that force actions that the system would eventually perform on its own, like `run force root-partition-auto-resize`. We will eventually restructure the op mode to reflect that meaning.
For now, we started by moving user utilities to a new command family: `execute`. That family is for various commands that neither display nor change the system state.
In particular:
- `wake-on-lan` is now `execute wake-on-lan`
- `monitor bandwidth-test` (iperf) is now `execute bandwidth-test`
- `force owping` is now `execute owping`
- `force netns` is now `execute shell netns`
- `force vrf` is now `execute shell vrf`
- `telnet` is now `execute telnet`
There are also new commands, like `execute ssh`, and there will be more to come, now that we have a place for them.
New features
OpenFabric protocol support (T6652)
Thanks to its support in FRR, VyOS now supports OpenFabric — a new link-state protocol similar to IS-IS that is optimized for spine and leaf topologies. It does not have an official RFC yet and is defined in a working draft for now.
Here is a simple example:
set protocols openfabric domain TEST interface eth1 address-family ipv4
set protocols openfabric net '49.0000.0000.0001.00'
You can explore the options in the CLI and consult the FRR documentation to learn more. This is a highly experimental feature, so if you decide to test it, please let us know how well it works for you!
DNS zone caching (T6294)
The DNS forwarding service can now cache zones. It can get zone data either via DNS AXFR requests (e.g., `source axfr 192.0.2.10`) or by downloading a file from a URL (`source url <URL>`). Here is an example for caching the root zone provided by ICANN:
vyos@vyos# show service dns forwarding
 allow-from 192.168.56.0/24
 listen-address 192.168.56.101
 zone-cache root {
     options {
         dnssec validate
         max-zone-size 0
         refresh {
             interval 36000
             on-reload
         }
         retry-interval 60
         timeout 300
     }
     source {
         url https://www.internic.net/domain/root.zone
     }
 }
EAPoL support (T6709)
EAPoL (Extensible Authentication Protocol over Local Area Network) is now available on both Ethernet and bonding interfaces. Here is an example, with self-signed certificates for demonstration:
set pki ca eapol-server-ca-root certificate MIIBcTCCARagAwIBAgIUDcAf1oIQV+6WRaW7NPcSnECQ/lUwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTVnlPUyBzZXJ2ZXIgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjBaFw0zMjAyMTUxOTQxMjBaMB4xHDAaBgNVBAMME1Z5T1Mgc2VydmVyIHJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ0y24GzKQf4aM2Ir12tI9yITOIzAUjZXyJeCmYI6uAnyAMqc4Q4NKyfq3nBi4XP87cs1jlC1P2BZ8MsjL5MdGWozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRwC/YaieMEnjhYa7K3Flw/o0SFuzAKBggqhkjOPQQDAgNJADBGAiEAh3qEj8vScsjAdBy5shXzXDVVOKWCPTdGrPKnu8UWa2cCIQDlDgkzWmn5ujc5ATKz1fj+Se/aeqwh4QyoWCVTFLIxhQ==
set pki ca eapol-server-ca-intermediate certificate MIIBmTCCAT+gAwIBAgIUNzrtHzLmi3QpPK57tUgCnJZhXXQwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTVnlPUyBzZXJ2ZXIgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjFaFw0zMjAyMTUxOTQxMjFaMCYxJDAiBgNVBAMMG1Z5T1Mgc2VydmVyIGludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEl2nJ1CzoqPV6hWII2meGN/uieU6wDMECTk/LgG8CCCSYb488dibUiFN/1UFsmoLIdIhkx/6MUCYh62m8U2WNujUzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMV3YwH88I5gFsFUibbQkMR0ECPsMB8GA1UdIwQYMBaAFHAL9hqJ4wSeOFhrsrcWXD+jRIW7MAoGCCqGSM49BAMCA0gAMEUCIQC/ahujD9dp5pMMCd3SZddqGC9cXtOwMN0JR3e5CxP13AIgIMQmjMYrinFoInxmX64HfshYqnUY8608nK9D2BNPOHo=
set pki ca eapol-client-ca-root certificate MIIBcDCCARagAwIBAgIUZmoW2xVdwkZSvglnkCq0AHKa6zIwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTVnlPUyBjbGllbnQgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjFaFw0zMjAyMTUxOTQxMjFaMB4xHDAaBgNVBAMME1Z5T1MgY2xpZW50IHJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUpKXzQk2NOVKDN4VULk2yw4mOKPvnmg947+VY7lbpfOfAUD0QRg95qZWCw899eKnXp/U4TkAVrmEKhUb6OJTFozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTXu6xGWUl25X3sBtrhm3BJSICIATAKBggqhkjOPQQDAgNIADBFAiEAnTzEwuTI9bz2Oae3LZbjP6f/f50KFJtjLZFDbQz7DpYCIDNRHV8zBUibC+zg5PqMpQBKd/oPfNU76nEv6xkp/ijO
set pki ca eapol-client-ca-intermediate certificate MIIBmDCCAT+gAwIBAgIUJEMdotgqA7wU4XXJvEzDulUAGqgwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTVnlPUyBjbGllbnQgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjJaFw0zMjAyMTUxOTQxMjJaMCYxJDAiBgNVBAMMG1Z5T1MgY2xpZW50IGludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGyIVIi217s9j3O+WQ2b6R65/Z0ZjQpELxPjBRc0CA0GFCo+pI5EvwI+jNFArvTAJ5+ZdEWUJ1DQhBKDDQdIavCjUzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOUS8oNJjChB1Rb9BlclETvziHJ9MB8GA1UdIwQYMBaAFNe7rEZZSXblfewG2uGbcElIgIgBMAoGCCqGSM49BAMCA0cAMEQCIArhaxWgRsAUbEeNHD/ULtstLHxw/P97qPUSROLQld53AiBjgiiz9pDfISmpekZYz6bIDWRIR0cXUToZEMFNzNMrQg==
set pki certificate eapol-client certificate MIIBmTCCAUCgAwIBAgIUV5T77…
set pki certificate eapol-client private key MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgxaxAQsJwjoOCByQE+qSYKtKtJzbdbOnTsKNSrfgkFH6hRANCAARuyynqfc/qJj5eKJ03oOH8X4Z8spDeAPO9WYckMM0ldPj+9kU607szFzPwjaPWzPdgyIWz3hcN8yAhCIhytmJa
set interfaces bonding bond0 member interface eth2
set interfaces bonding bond0 member interface eth3
set interfaces bonding bond0 eapol ca-certificate eapol-server-ca-intermediate
set interfaces bonding bond0 eapol ca-certificate eapol-client-ca-intermediate
set interfaces bonding bond0 eapol certificate eapol-client
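As an added example (not VyOS code, and not part of this post), here is a small Python pre-commit review for the zone caching and EAPoL configurations from the two sections above. It parses `set` commands into the tree that `show` displays and then reports a zone source fetched over plain HTTP, a zone cached without `dnssec validate`, `max-zone-size 0` (assumed here to mean no size limit), an `allow-from` left wide open, and EAPoL interfaces that reference PKI objects which are not defined. The sample input is constructed from the configuration in this post with placeholder certificate bodies plus a deliberately weak second zone and interface; the option semantics and the check wording are the example's own assumptions, not VyOS documentation.

```python
"""Pre-commit review of VyOS-style 'set' commands for DNS zone caching and EAPoL.
Added example, not VyOS code; it only approximates the CLI grammar shown above."""
import shlex

# Constructed sample (not from a real device): the zone-cache and EAPoL config from
# this post with certificate bodies replaced by placeholders, plus a second zone and
# an extra interface carrying deliberate weaknesses for the checks to report.
SAMPLE = """\
set service dns forwarding allow-from '192.168.56.0/24'
set service dns forwarding zone-cache root options dnssec 'validate'
set service dns forwarding zone-cache root options max-zone-size '0'
set service dns forwarding zone-cache root options refresh interval '36000'
set service dns forwarding zone-cache root options refresh on-reload
set service dns forwarding zone-cache root source url 'https://www.internic.net/domain/root.zone'
set service dns forwarding zone-cache weak options max-zone-size '20'
set service dns forwarding zone-cache weak source url 'http://zones.example.invalid/weak.zone'
set pki ca eapol-client-ca-intermediate certificate 'PLACEHOLDER_CA_PEM'
set pki certificate eapol-client certificate 'PLACEHOLDER_CERT_PEM'
set pki certificate eapol-client private key 'PLACEHOLDER_KEY_PEM'
set interfaces bonding bond0 eapol ca-certificate 'eapol-client-ca-intermediate'
set interfaces bonding bond0 eapol certificate 'eapol-client'
set interfaces ethernet eth1 eapol ca-certificate 'missing-ca'
set interfaces ethernet eth1 eapol certificate 'eapol-client'
"""


def parse_set_commands(text):
    """One token path per 'set ...' line; single-quoted values survive as one token."""
    return [shlex.split(line.strip())[1:]
            for line in text.splitlines() if line.strip().startswith("set ")]


def build_tree(paths):
    """Nest the paths into dicts, mirroring the tree 'show' prints; leaves are empty dicts."""
    root = {}
    for path in paths:
        node = root
        for token in path:
            node = node.setdefault(token, {})
    return root


def subtree(tree, *path):
    """Walk down the tree; a missing node gives an empty dict instead of an error."""
    for token in path:
        tree = tree.get(token, {})
    return tree


def check_zone_cache(tree):
    findings = []
    forwarding = subtree(tree, "service", "dns", "forwarding")
    for name, zone in subtree(forwarding, "zone-cache").items():
        if not subtree(zone, "source"):
            findings.append(f"zone-cache {name}: no source (url or axfr) configured")
        for url in subtree(zone, "source", "url"):
            if not url.lower().startswith("https://"):
                findings.append(f"zone-cache {name}: zone fetched over {url.split(':')[0]}, "
                                "not https; an on-path attacker could substitute zone data")
        dnssec = list(subtree(zone, "options", "dnssec"))
        if dnssec != ["validate"]:
            findings.append(f"zone-cache {name}: options dnssec is "
                            f"{dnssec[0] if dnssec else 'unset'}, not validate")
        if "0" in subtree(zone, "options", "max-zone-size"):
            # Assumption: 0 means no size limit, so a bloated zone can exhaust the resolver.
            findings.append(f"zone-cache {name}: max-zone-size 0 (assumed unlimited) "
                            "lets an oversized zone exhaust resolver memory")
    for net in subtree(forwarding, "allow-from"):
        if net in ("0.0.0.0/0", "::/0"):
            findings.append(f"dns forwarding: allow-from {net} exposes an open resolver")
    return findings


def check_eapol(tree):
    findings = []
    cas, certs = subtree(tree, "pki", "ca"), subtree(tree, "pki", "certificate")
    for kind in ("ethernet", "bonding"):
        for ifname, iface in subtree(tree, "interfaces", kind).items():
            if "eapol" not in iface:
                continue
            where = f"interfaces {kind} {ifname} eapol"
            ca_names = list(subtree(iface, "eapol", "ca-certificate"))
            if not ca_names:
                findings.append(f"{where}: no ca-certificate to verify the authenticator against")
            findings += [f"{where}: ca-certificate {ca} is not defined under pki ca"
                         for ca in ca_names if ca not in cas]
            cert_names = list(subtree(iface, "eapol", "certificate"))
            if not cert_names:
                findings.append(f"{where}: no client certificate configured")
            for cert in cert_names:
                if cert not in certs:
                    findings.append(f"{where}: certificate {cert} is not defined under pki certificate")
                elif not subtree(certs[cert], "private", "key"):
                    findings.append(f"{where}: certificate {cert} has no private key")
    return findings


def review(text):
    tree = build_tree(parse_set_commands(text))
    return check_zone_cache(tree) + check_eapol(tree)


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Run against the sample it reports four findings: the root zone's `max-zone-size 0`, the weak zone's plain-HTTP source and missing DNSSEC validation, and eth1's reference to a CA that was never loaded under `pki ca`. Feeding it the `set` commands of a pending commit (for example, the output of `show configuration commands` on a staging router) is a cheap way to catch these slips before they reach production.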
Other improvements
- NAT66 now supports destination groups: `set nat66 destination rule <num> destination group address-group <name>` (T6679).
- There's now support for 802.11ax WiFi mode: `set interfaces wireless wlanN mode ax` (T6693).
- Bridge firewall rules now support VLAN id and priority matching: `set firewall bridge forward filter rule <num> vlan <id XXXX | priority Y>` (T6698).
- An op mode wrapper for the nmap port scanner, e.g., `run execute port-scan host 192.0.2.10` (T6181).
- New command to disable built-in DNS in container networks: `set container network <NAME> disable-dns` (T6701).
- New command to explicitly configure the pstate driver on AMD machines: `set system option kernel amd-pstate-driver (active|passive|guided)` (T6703).
- The PPPoE server can now be configured to accept any service name from clients (`set service pppoe-server accept-any-service`) and to accept blank names (`accept-blank-service`) (T6685).
- New option to include the timezone in syslog messages: `set system syslog host <hostname> format include-timezone` (T4061).
- NAT rules now support matching FQDNs, just like firewall rules: `set nat destination rule 10 destination fqdn 'vyos.dev'` (T6687).
- There is now a Prometheus exporter for FRR metrics: `set service monitoring frr-exporter <listen-address <addr> | port <num> | vrf <name>>` (T973).
- Hardware timestamp offload for NTP: `set service ntp offload timestamp default-enable` (T6630).
Bug fixes
- Podman (the container daemon) is correctly listening on a UNIX domain socket again (T6702).
- Fixed a bug that led to a BGP daemon crash on attempts to commit certain invalid configurations with `on-match` options (T6676).
- `restart vrrp` works correctly again (T6711).
- Fixed SA filtering in `show vpn ike sa` (T6682).
- Date changes made with `set date` are now correctly saved in the hardware clock (T6715).
- Ethernet offload settings in the config now correctly reflect kernel settings (T6716).
- Formerly-missing bridge firewall commands are now correctly present (T6723).
- Fixed VXLAN configuration loss when a VXLAN interface is removed from a bridge (T6675).
- The WireGuard peer name is now correctly included in `show interfaces wireguard wgX summary` (T4833).
- The HTTP API now correctly returns commit error messages (T6326).
- Fixed validation of LLDP interface names (T6727).
- Uncaught exceptions in scripts running under configd are now correctly reported as commit errors (T6608).
- Fixed the behavior of `syslog global preserve-fqdn` (T6719).
That's all for now... but then there's a big feature that will get its own blog post — secure boot, so stay tuned for updates!