VyOS Networks Blog

Building an open source network OS for the people, together.

What's left to do for 1.4 LTS? New zone-based firewall and more

Daniil Baturin
Posted 12 Oct, 2023

Hello, Community!

Many people ask us when VyOS 1.4 will become a stable release. Some people have even started using development builds of the Sagitta branch in production — we'd like to remind everyone that you should only do it at your own risk, but we are certainly happy that we added so many features that people want to use. We assure you that 1.4 is well on track to become a new LTS by the end of this year. A few things are still missing, though — let's discuss them.

Zone-based firewall

The firewall subsystem has undergone a huge rewrite in VyOS 1.4. The last bits of the old iptables-based implementation are gone, and with them are gone the limitations that kept us from adding many new features that nftables offers. The new code is also easier to maintain, and the new CLI is far more flexible than the old one.

However, we have certainly miscalculated a few things. The biggest one is the removal of the zone-based firewall.

Our motivation for removing it was that it was no longer necessary to achieve the same configurations. Originally, many network OSes used a CLI where the user could define a ruleset (often called an ACL — Access Control List) and assign it to a network interface, in either inbound or outbound direction. In other words, every network interface would have its filter policy, and there was no way to reference multiple interfaces in a policy simultaneously. The irony is that Linux firewalls never had that limitation, but Vyatta introduced it artificially to make a CLI familiar to people who had experience with other network OSes. A zone-based firewall was a way to remove that limitation without touching the firewall ruleset syntax: the user could assign network interfaces to zones and then assign rulesets to zone pairs. VyOS inherited that CLI and it remained unchanged for a long time.

The new implementation in VyOS 1.4 no longer has that limitation: you can reference single network interfaces and interface groups in rules. That prompted us to remove the zone-based firewall and write a migration script that converts it to the new "zone-less" CLI syntax. However, from your feedback, we discovered that it's not a reason to remove zone-based firewalls completely: first, many people like the mental model of zone-based firewalls, and second, there are firewall configurations that become a few times larger when converted.

We plan to re-introduce zone-based firewall CLI, compatible with the old syntax. Internally, it will be a thin wrapper for the new code, and old configurations will work exactly like before for the user. Only when that work is complete, can we call an image 1.4.0-RC1.

Cluster removal

Another chunk of work is related to the old cluster service based on the Heartbeat project. The original plan for that service was certainly quite big: presumably, it was supposed to provide redundancy for multiple service types and a framework for service monitoring. However, in practice, the only "service type" it supported in Vyatta/VyOS was the IPv4 address. Then the Heartbeat project became abandoned,  Keepalived went far ahead of it, and we added those high-availability features to our CLI — we already have full support for IPv6 VRRP, a framework for health check and transition scripts, unicast VRRP mode for network environments that can't cope with multicast packets, and more. VRRP is already more functional than the old clustering service.

The only remaining thing is a migration script reliably translating old clustering configs to VRRP configs. It's mostly done but requires more testing. However, we expect that it will be a fully compatible change and will have no impact on the functionality of old configs — except you'll need to ensure that nothing in your network prevents VRRP from working.

Release notes and documentation

Let's face it: VyOS 1.4 has many big changes, deprecations, and feature removals. For example, recently, we removed support for insecure DES and Blowfish ciphers from OpenVPN. We don't expect it to have a big impact because new OpenVPN client configurations will automatically negotiate a more secure cipher, but we can't rule out that there are configs in the wild that have DES or Blowfish hardcoded in them.

All such things must be properly documented so people can plan their upgrades properly.

Let's make VyOS 1.4 stable together!

While we believe it's too early to upgrade your important production routers to 1.4 builds, VyOS 1.4 is certainly in the phase when it needs testing more than ever. Please try out your production configs on lab routers with 1.4 development builds and let us know if anything doesn't work as expected.

If you use VyOS in your home lab as an individual, we'd like to remind you that we offer contributor subscriptions to LTS release images  to everyone who helps us move the project forward, and testing and reporting bugs certainly counts as a contribution for that purpose!

Thanks for being with us, and stay tuned!


The post categories: