VyOS Project October 2024 Update

Hello, Community!

The October update, which summarizes our work in September, is here. The maintainers and community contributors were busy: four new features, multiple small improvements, and a few bug fixes. Then, there is secure boot implementation, but that will get its blog post when the last bits fall into place!

CLI changes

We made a few changes in the operational mode CLI that may mess with your muscle memory, but open a path to future improvements and make the current CLI more predictable.

The new execute command family (T6694)

Most of VyOS operational mode commands have very specific meanings that help the user guess how disruptive the command will be: restart may disrupt an entire subsystem, reset has localized effects (one a single BGP peer or a PPPoE user, for example), and clear is generally not disruptive at all.

However, we had a very poorly defined family of force commands and a bunch of commands that were sitting at the top level, like telnet and wake-on-lan.

From now on, "force" has a specific meaning — it's for commands that force actions that the system would eventually perform on its own, like run force root-partition-auto-resize. We will eventually restructure the op mode to reflect that meaning.

For now, we started with moving user utilities for a new command family: execute. That family is for various commands that do not display or change the system state.

In particular:

• wake-on-lan is now execute wake-on-lan
• monitor bandwidth-test (iperf) is now execute bandwidth-test
• force owping is now execute owping
• force netns is now execute shell netns
• force vrf is now execute shell vrf
• telnet is now execute telnet

There are also new commands, like execute ssh , and there will be more to come, now that we have a place for them.

New features

OpenFabric protocol support (T6652)

Thanks to its support in FRR, VyOS now supports OpenFabric — a new link-state protocol similar to IS-IS that is optimized for spine and leaf topologies. It does not have an official RFC yet and is defined in a working draft for now.

Here is a simple example:

set protocols openfabric domain TEST interface eth1 address-family ipv4
set protocols openfabric net '49.0000.0000.0001.00'

You can explore the options in the CLI and consult the FRR documentation to learn more. This is a highly-experimental feature, so if you decide to test it, please let us know how well it works for you!

DNS zone caching (T6294)

The DNS forwarding service can cache zones now. It can get zone data either via DNS AXFR requests (e.g., source axfr 192.0.2.10) or by downloading a file from a URL (source url <URL>). Here is an example for caching the root zone provided by ICANN:

vyos@vyos# show service dns forwarding 
 allow-from 192.168.56.0/24
 listen-address 192.168.56.101
 zone-cache root {
     options {
         dnssec validate
         max-zone-size 0
         refresh {
             interval 36000
             on-reload
         }
         retry-interval 60
         timeout 300
     }
     source {
         url https://www.internic.net/domain/root.zone
     }
 }

EAPoL support (T6709)

EAPoL (Extensible Authentication Protocol over Local Area Network) is now available on both Ethernet and bonding interaces. Here is an example, with self-signed certificates for demonstration:

set pki ca eapol-server-ca-root certificate MIIBcTCCARagAwIBAgIUDcAf1oIQV+6WRaW7NPcSnECQ/lUwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTVnlPUyBzZXJ2ZXIgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjBaFw0zMjAyMTUxOTQxMjBaMB4xHDAaBgNVBAMME1Z5[T1](https://vyos.dev/T1)Mgc2VydmVyIHJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ0y24GzKQf4aM2Ir12tI9yITOIzAUjZXyJeCmYI6uAnyAMqc4Q4NKyfq3nBi4XP87cs1jlC1P2BZ8MsjL5MdGWozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRwC/YaieMEnjhYa7K3Flw/o0SFuzAKBggqhkjOPQQDAgNJADBGAiEAh3qEj8vScsjAdBy5shXzXDVVOKWCPTdGrPKnu8UWa2cCIQDlDgkzWmn5ujc5ATKz1fj+Se/aeqwh4QyoWCVTFLIxhQ==
set pki ca eapol-server-ca-intermediate certificate MIIBmTCCAT+gAwIBAgIUNzrtHzLmi3QpPK57tUgCnJZhXXQwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTVnlPUyBzZXJ2ZXIgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjFaFw0zMjAyMTUxOTQxMjFaMCYxJDAiBgNVBAMMG1Z5[T1](https://vyos.dev/T1)Mgc2VydmVyIGludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEl2nJ1CzoqPV6hWII2meGN/uieU6wDMECTk/LgG8CCCSYb488dibUiFN/1UFsmoLIdIhkx/6MUCYh62m8U2WNujUzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMV3YwH88I5gFsFUibbQkMR0ECPsMB8GA1UdIwQYMBaAFHAL9hqJ4wSeOFhrsrcWXD+jRIW7MAoGCCqGSM49BAMCA0gAMEUCIQC/ahujD9dp5pMMCd3SZddqGC9cXtOwMN0JR3e5CxP13AIgIMQmjMYrinFoInxmX64HfshYqnUY8608nK9D2BNPOHo=
set pki ca eapol-client-ca-root certificate MIIBcDCCARagAwIBAgIUZmoW2xVdwkZSvglnkCq0AHKa6zIwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTVnlPUyBjbGllbnQgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjFaFw0zMjAyMTUxOTQxMjFaMB4xHDAaBgNVBAMME1Z5[T1](https://vyos.dev/T1)MgY2xpZW50IHJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUpKXzQk2NOVKDN4VULk2yw4mOKPvnmg947+VY7lbpfOfAUD0QRg95qZWCw899eKnXp/U4TkAVrmEKhUb6OJTFozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTXu6xGWUl25X3sBtrhm3BJSICIATAKBggqhkjOPQQDAgNIADBFAiEAnTzEwuTI9bz2Oae3LZbjP6f/f50KFJtjLZFDbQz7DpYCIDNRHV8zBUibC+zg5PqMpQBKd/oPfNU76nEv6xkp/ijO
set pki ca eapol-client-ca-intermediate certificate MIIBmDCCAT+gAwIBAgIUJEMdotgqA7wU4XXJvEzDulUAGqgwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTVnlPUyBjbGllbnQgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjJaFw0zMjAyMTUxOTQxMjJaMCYxJDAiBgNVBAMMG1Z5[T1](https://vyos.dev/T1)MgY2xpZW50IGludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGyIVIi217s9j3O+WQ2b6R65/Z0ZjQpELxPjBRc0CA0GFCo+pI5EvwI+jNFArvTAJ5+ZdEWUJ1DQhBKDDQdIavCjUzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOUS8oNJjChB1Rb9BlclETvziHJ9MB8GA1UdIwQYMBaAFNe7rEZZSXblfewG2uGbcElIgIgBMAoGCCqGSM49BAMCA0cAMEQCIArhaxWgRsAUbEeNHD/ULtstLHxw/P97qPUSROLQld53AiBjgiiz9pDfISmpekZYz6bIDWRIR0cXUToZEMFNzNMrQg==
set pki certificate eapol-client certificate MIIBmTCCAUCgAwIBAgIUV5[T77](https://vyos.dev/T77)XdE/tV82Tk4Vzhp5BIFFm0wCgYIKoZIzj0EAwIwJjEkMCIGA1UEAwwbVnlPUyBjbGllbnQgaW50ZXJtZWRpYXRlIENBMB4XDTIyMDIxNzE5NDEyMloXDTMyMDIxNTE5NDEyMlowIjEgMB4GA1UEAwwXVnlPUyBjbGllbnQgY2VydGlmaWNhdGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARuyynqfc/qJj5eKJ03oOH8X4Z8spDeAPO9WYckMM0ldPj+9kU607szFzPwjaPWzPdgyIWz3hcN8yAhCIhytmJao1AwTjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTIFKrxZ+PqOhYSUqnlTGCUmM7wTjAfBgNVHSMEGDAWgBTlEvKDSYwoQdUW/QZXJRE784hyfTAKBggqhkjOPQQDAgNHADBEAiAvO8/jvz05xqmP3OXD53XhfxDLMIxzN4KPoCkFqvjlhQIgIHq2/geVx3rAOtSps56q/jiDouN/aw01TdpmGKVAa9U=
set pki certificate eapol-client private key MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgxaxAQsJwjoOCByQE+qSYKtKtJzbdbOnTsKNSrfgkFH6hRANCAARuyynqfc/qJj5eKJ03oOH8X4Z8spDeAPO9WYckMM0ldPj+9kU607szFzPwjaPWzPdgyIWz3hcN8yAhCIhytmJa
set interfaces bonding bond0 member interface eth2
set interfaces bonding bond0 member interface eth3
set interfaces bonding bond0 eapol ca-certificate eapol-server-ca-intermediate
set interfaces bonding bond0 eapol ca-certificate eapol-client-ca-intermediate
set interfaces bonding bond0 eapol certificate eapol-client

Other improvements

• NAT66 now support destination groups: set nat66 destination rule <num> destination group address-group <name> (T6679).
• There's now support for 802.11ax WiFi mode: set interfaces wireless wlanN mode ax (T6693).
• Bridge firewall rules now support VLAN id and priority matching: set firewall bridge forward filter rule <num> vlan <id XXXX | priority Y> (T6698).
• An op mode wrapper for the nmap port scanner: e.g., run execute port-scan host 192.0.2.10 (T6181).
• New command to disable built-in DNS in container networks: set container network <NAME> disable-dns (T6701).
• New command to explicitly configure the pstate driver on AMD machines: set system option kernel amd-pstate-driver (active|passive|guided) (T6703).
• PPPoE server can now be configured to accept any service name from clients (set service pppoe-server accept-any-service) and to accept blank names (accept-blank-service) (T6685).
• New option to include timezone in syslog messages: set system syslog host <hostname> format include-timezone (T4061).
• NAT rules now support matching FQDNs, just like firewall rules: set nat destination rule 10 destination fqdn 'vyos.dev' (T6687).
• There is now Prometheus exporter for FRR metrics: set service monitoring frr-exporter <listen-address <addr> | port <num> | vrf <name> (T973).
• Hardware timestamp offload for NTP: set service ntp offload timestamp default-enable (T6630).

Bug fixes

• Podman (the container daemon) is correctly listening on a UNIX domain socket again (T6702).
• Fixed a bug that led to BGP daemon crash on attempts to commit certain invalid configurations with on-match options (T6676).
• restart vrrp works correctly again (T6711).
• Fixed SA filtering in show vpn ike sa (T6682).
• Date changes made with set date are now correctly saved in the hardware clock (T6715).
• Ethernet offload settings in the config now correctly reflect kernel settings (T6716).
• Formerly-missing bridge firewall commands are now correctly present (T6723).
• Fixed VXLAN configuration loss when a VXLAN interface is removed from a bridge (T6675).
• WireGuard peer name is correctly included in show interfaces wireguard wgX summary now (T4833).
• HTTP API now correctly returns commit errors messages (T6326).
• Fixes validation for LLDP interface names (T6727).
• Uncaught exceptions in scripts running under configd are now correctly reported as commit errors (T6608).
• Fixed the behavior of syslog global preserve-fqdn (T6719).

That's all for now... but then there's a big feature that will get its own blog post — secure boot, so stay tuned for updates!