1.4 Sagitta
1.4.1 (future release)
Configuration syntax changes (automatically migrated)
T6505
Support VXLAN VLAN-VNI range mapping in CLI
New features and improvements
T5878
Make the list of SSH server ciphers configurable
T5949
Disable USB autosuspend
T6320
WiFi: Enable support for 6GHz Access Points
T6423
Require command definition nodes that have an owner to also have a priority
T6424
ipsec: op-mode command to generate client profiles should honor common name of the CA node that signed the server certificate
T6454
Explicitly set the default reverse proxy mode to HTTP
T6462
wireless: add op-mode command for hostapd and wpa_supplicant logs
T6473
bgp: missing completion helper for peer-groups inside a VRF
T6477
Adding Loki plugin to Telegraf
T6505
Support VXLAN VLAN-VNI range mapping in CLI
T6538
Allow adding a geneve interface to the vrf.
T6539
Add logging options to load-balancer reverse-proxy
T6566
op-mode: "monitor bandwidth" add support for listing all interfaces concurrently
T6576
op-mode: ntp: add support for NTP service restart via CLI
T6614
Initial support for smoketesting op-mode commands
Bug fixes
T2145
openvpn: server default topology net30 is incompatible with static client IPs for Windows clients
T4287
wireless: cannot set regulatory domain
T5514
Improve error handling when/if config.boot is deleted or missing
T5552
'set system option performance throughput' enables IPv6 forwarding even if it's explicitly disabled with 'set system ipv6 disable-forwarding'
T5725
protocol IS-IS configuration is empty if a tunnel does not have remote address
T5947
[1.3.2 -> 1.4.0-RC1 Migration] Static ipv6 routes dropped
T6148
Reset vpn ipsec command breaks tunnel and does not reset SAs that are down
T6332
IPv6-only ISIS (or, in general, dual topology) is not working with other devices running frr
T6401
Attempts to delete vlan-to-vni option causes an unhandled exception
T6429
bug - isis metric-style not applied configuration
T6431
monitor traceroute broken VRF support
T6453
GRUB variables with `=` in a value are parsed improperly
T6460
Showing DHCPv6 leases can fail due to DUID parsing issues
T6463
reverse-proxy: service not reloaded when updating SSL certificate via PKI
T6464
sstpc: interface not restarted when updating SSL certificate via PKI
T6480
PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/..../cert.pem
T6484
Smoketest fails: fastnetmon killed due to OOM
T6503
Command 'restart ssh' not working
T6519
interfaces: 20-to-21 -> migration fails if new system has less ethernet interfaces
T6523
Error: "nft table ip vyos_filter not found" when committing prometheus-client
T6559
vyos-configd should return commit error on config dependency error
T6584
Revert addition of Linux Kernel MT7921 driver
T6593
Release DHCP interface does not work
T6600
ospf: smoketest "router ospf' not found in" for ldp sync
T6602
interfaces: verify supplied VRF name on all interface types
T6603
vrf: nftables conntrack ct_iface_map contains multiple identical entries
T6605
`ConfigError()` behavior is wrong with running `vyos-configd`
T6610
Missing minisign pub key from image
Other resolved issues
T4026
PKI: generate pki certificate sign <ca-name> is not working
T5570
PAM config RADIUS ignore for default and success
T6290
SNMPD show logs systemstats_linux: unexpected header length
T6379
"generate openvpn" uses "comp-lzo no", which leads to problems on Android-Clients
T6446
Display the support URL from image build data in LTS builds
T6486
Generate openvpn client-config ignores configured protocol type
T6500
openconnect: add support for new multi ca-certificate CLI node
T6524
Rewrite "release dhcp interface <interface>" to Python to drop remaining Perl dependencies
T6592
Changing VRF on interface fails
T6594
IPoE-server extended-scripts do not work
T6597
wireless: hostapd occasionally gets deactivated via systemd and causes loss in connectivity
T6598
Unexpected podman version 4.3.1
1.4.0 (4th June 2024)
New features and improvements
T3202
Enable wireguard debug messages by default
T4022
Add package nat-rtsp-dkms
T4393
sstp: add support for configuring host-name (SNI)
T5386
Execute VRRP transition script when `set high-availability disable` is committed
T5752
Check compatibility of new image tools with XCP-NG images
T6293
add Mediatek MT7921 to defconfig
T6339
Display the flavor name and build comment in "show version"
T6395
Enable VFIO No-IOMMU support in kernel config
Bug fixes
T4576
vpn l2tp logging level configuration
T5527
Adjust for change in coreutils behavior on overlayfs
T5939
[1.3.5 -> 1.4.0-RC1 Migration] as-path-list Entries Get Messed Up
T5940
[1.3.5 -> 1.4.0-RC1 Migration] commit-archive Fails to Migrate
T6038
Losing default route after first reboot (cloud-init & DHCP)
T6094
Destination Nat not Making Firewall Rules
T6225
Unhandled exception when configuring random-detect QoS policy
T6348
SNAT op-mode fails with flowtable offload entries
T6356
Correct the syntax of config.boot.default [..., 'ntp', 'server'] from leaf node with value to tag node
T6365
Negating interface names in NAT configuration causes invalid warnings
T6377
PermissionError on /config/auth/letsencrypt/live/ when running show pki
T6400
pki: unable to generate fingerprint for ACME issued certificates
T6402
Invalid variables referenced in reverse proxy validation
T6404
Include constraintGroup element in reference tree
T6407
Generate ipsec profile error
T6419
reverse-proxy: full CA chain is not built when verifying backend server
T6421
host-name has no explicit priority to be set on system boot
Other resolved issues
T1981
Allow route-map 'set src' to reference both IPv4 and IPv6
T3493
DHCPv6 does not have prefix range validation
T4519
DHCPv6: "set show dhcpv6 server leases" should show DUID instead of IAID_DUID
T4909
Rewrite the NTP op mode in the new format
T5351
VyOS deployed with cloud-init improperly saves config.boot
T6022
set system image default-boot
T6048
Exception in event handler script
T6328
Add a warning message about deprecation of web proxy URL filtering
T6333
non-free-firmware to trixie
T6345
Source NAT Port Mapping setting of Fully-Random is superfluous in Kernels 5.0 onwards
T6346
Boot to multi-user.target instead of graphical.target
T6358
Container config option to enable host pid
T6367
op-mode: commit-archive: TypeError: attribute name must be string, not 'NoneType'
T6383
Incorrect completion for rollback-soft
T6384
rollback-soft should tell the user to compare and commit
T6391
load-balancing reverse-proxy: typo in timeout help
T6396
MINOR Typo: set system conntrack timeout custom ipv4 rule X
T6409
Remove unused parameter node from reverse-proxy backend
1.4.0-epa3 (14th May 2024)
Security
T6324
CVE-2024-2961
Configuration syntax changes (automatically migrated)
T5535
Move disable-directed-broadcast to firewall global-options
T6171
Rename the DHCP server "failover" command to "high-availability mode"
T6208
container: rename "cap-add" CLI node to "capability"
T6216
Firewall group names that contain the '+' character break the config
T6295
netns: disable incomplete support in VyOS 1.4 sagitta
New features and improvements
T4309
Support network/address-groups and ipv6-network/ipv6-address-groups in "conntrack ignore"
T4903
Support IPv6 addresses in "set system conntrack ignore"
T5364
Make it possible to set the PADO delay to 0
T6127
Ability to view logs for rules with Offload not functional
T6133
Add domain-name to commit-archive
T6143
Increase configuration timeout range for service config-sync
T6154
Installer should ask for password twice
T6161
Add support for displaying container image data in JSON
T6162
ixgbe: Add 1000BASE-BX support
T6171
Rename the DHCP server "failover" command to "high-availability mode"
T6176
image-tools: rationalize setting of console type
T6184
image-tools: add op-mode command to set default boot console type
T6192
Support running SSH server in more than one VRF
T6226
Add "tcp-request inspect-delay" to reverse proxy
T6257
Add op mode commands for dynamic firewall address groups
T6258
Add IPv6 base-reachable-time option to interfaces
T6260
image-tools: remove the image directory if it fails to install due to insufficient drive space
T6267
Improve commit failure messages for wireless interface configuration
T6278
Attempt hint for console type during image install
T6291
Add op mode commands for displaying LACP information for bonding interfaces
T6306
EVPN-MH - missing options in uplink ports
Bug fixes
T2590
DHCPv6 not updating nameservers and search domains since replacing isc-dhcp-client with WIDE dhcp6c
T3655
NAT doesn't work correctly with VRF
T4718
DHCP server listen-address doesn't take effect if the interface is in a VRF
T5164
op cmd: "show dhcp server leases state" with available options does not show any result
T5862
Default MTU is not acceptable in some environments
T5875
login: removing and re-adding a user keeps the home directory but changes the UID, thus SSH keys no longer work
T5996
Incorrect behavior for backslash escapes in config save and compare commands
T6082
BGP doesn't allow the same local AS and remote AS in peer groups
T6085
VTI interfaces are in UP state by default
T6089
[1.3.6->1.4.0-epa1 Migration] "ospf passive-interface default" incorrectly added
T6090
Migration of "policy route" configs fails due to TCP flag case sensitivity
T6100
NAT config migration error in 1.4.0-epa1 if invalid address/network defined in 1.3.6 version
T6106
Improve the commit error message for the case when route-reflector-client option is defined in a peer-group
T6119
Use a compliant TOML parser
T6130
[1.3.6->1.4.0-epa2 Migration] BGP "set community" missing
T6131
Disabling openvpn interface(s) causes OSPF to fail to load on reboot
T6136
Configuring a dynamic address group, config script did not check whether the group was created
T6138
Conntrack table op-mode fails with flowtable offload entries
T6145
Service config-sync does not rely on priorities
T6147
Conntrack not working as expected with global state-policy
T6149
Update node_data when merging nodes in reference tree generation
T6152
Kernel panic for ZimaBoard 232
T6160
Unhandled exception when configuring IS-IS
T6165
grub: vyos-grub-update failed to start on "slow" systems
T6167
VNI not set on VRF after reboot
T6168
"add system image" does not set the default boot image to the current console type in compatibility mode
T6169
DNS forwarding configuration rejects underscores in SRV records
T6173
Build Causes Errors When "--version" Contains Slashes ("/")
T6175
op-mode: "renew dhcp interface <name>" does not check if it's an actual DHCP interface
T6178
reverse-proxy doesn't check that a certificate exists at set time
T6179
Incorrect HAProxy config generated for reverse-proxy rules with url-path
T6186
'set system image default-boot' fails to find images that actually do exist in the system
T6189
BGP L3VPN connectivity is broken after re-enabling VRF
T6191
Policy route set-mss option is not working correctly
T6193
dhcp-client: invalid warning "is not a DHCP interface but uses DHCP name-server option" for VLAN interfaces
T6196
route-map and summary-only do not work in BGP aggregation at the same time
T6197
Validation error in the IPoE server interface client-subnet option
T6202
Multi-Protocol BGP is broken by 6PE patch in upstream FRR 9.1
T6205
ipoe: error in migration script logic while renaming mac-address to mac
T6206
L2tp smoketest fails if vyos-configd is running
T6207
image-tools: restore ability to copy config.boot.default on image install
T6213
Validations in firewall groups mistakenly reject correct configurations
T6216
Firewall group names that contain the '+' character break the config
T6218
Container network interface in VRF fails to generate IPv6 link-local address
T6221
Enabling VRF breaks connectivity
T6222
VRRP rfc3768-compatibility not working correctly when resulting interface name is over 15 characters
T6241
Updating CRL in "pki" config does not update OpenVPN
T6243
Update vyos-http-api-tools for package idna security advisory
T6250
"policy route-map set table" cannot be deleted from the rule
T6252
GRE tunnels don't allow configuring MTU larger than 8024
T6255
Static table description should not contain white-space
T6263
Commit failures when trying to set an IGMP group with source address on an interface
T6269
Policy route "set table" option is not working correctly
T6272
PPPoE configuration does not load after deleting a PPPoE interface from the system
T6276
Do not call config dependencies on script error
T6283
Cannot delete as-path prepend from policy when it contains more than one AS
T6284
IPoE server op mode commands do not show IPv6 addresses
T6299
Building VyOS (Dockerized) current ISO fails due to unmet dependencies podman : Depends: libgpgme11t64 (>= 1.4.1) but it is not installable
T6305
IPoE interface wildcard validation error in firewall rules
T6307
procps is missing from vyos-1x build dependencies
T6317
VLAN doesn't work on a bridge with a wireless interface member
T6329
Firewall - Error while printing groups
Other resolved issues
T4516
Rewrite system image manipulation tools in Python
T5535
Move disable-directed-broadcast to firewall global-options
T6146
Add python script to get all priorities of service or section from XML
T6159
"show openvpn server" prints a superfluous "OpenVPN status on vtunx" message for every client connection
T6180
Add application of mask to configtree
T6185
Simplify marshalling of section and config data for config-sync
T6187
Use correct CPU counts adjusted for SMT when necessary
T6195
dropbear: package upgrade 2022.83-1 -> 2022.83-1+deb12u1
T6198
configverify: add common helper for PKI certificate validation
T6203
Remove references to the obsolete vyos.xml module (superseded by vyos.xml_ref)
T6208
container: rename "cap-add" CLI node to "capability"
T6234
PPPoE-server pado-delay refactoring
T6245
Unhandled exception in "show openvpn server"
T6295
netns: disable incomplete support in VyOS 1.4 sagitta
T6327
Drop boot console type ttyUSB (USB serial)
T6330
release.pref.chroot indentation broken
1.4.0-epa2 (15th March 2024)
Configuration syntax changes (automatically migrated)
T6079
dhcp: migration fails for duplicate static-mapping
New features and improvements
T4977
Babel routing protocol support
T5504
Make it possible to set more than one peer-address in unicast VRRP
T5530
Add LFA to IS-IS
T5631
Ability to export the current configuration in JSON format
T5717
ospfv3 - add allow to set metric-type to ospf redistribution while frr docs says its possible.
T5772
Require HTTPS API server configurations to include at least one key if key-based auth is used
T5781
Add ability to add additional minisign keys
T6057
Add ability to disable syslog for conntrackd
T6060
op-mode: container: support removing all container images at once
T6087
ospfv3: add support to redistribute IS-IS routes
Bug fixes
T2998
SNMP v3 oid "exclude" option doesn't work
T4270
When "ignore-hosts-file" is unset, local hostname of the router resolves to 127.0.1.1 in the DNS forwarding service
T5121
Incorrect "architecture" config loaded
T5646
QoS policy limiter broken if class without match
T5909
Container registry with authentication prevents config load (section container) after reboot
T6004
Missing RPKI boot priority prevents it from loading
T6020
VRRP health-check script is not applied correctly in keepalived.conf
T6054
load-balancing wan - doesn't configure a list of ports
T6055
PKI error: "failed to install x value" when executed the command from conf mode
T6061
connection-status nat destination firewall filter not working in 1.4.0-epa1
T6069
HTTP API segfault during concurrent configuration requests
T6070
bnx2x NIC causes a commit error due to incorrect implementation of EEE status reading
T6073
Conntrack/NAT not being disabled when VRFs are defined
T6074
container: do not allow deleting images which have a container running
T6079
dhcp: migration fails for duplicate static-mapping
T6081
QoS policy shaper target and interval wrong calculations
T6084
OpenNHRP DMVPN configuration file clean after reboot if we have any IPSec configuration
T6086
NAT does not work with network-groups
T6093
Incorrect dhcp-options vendor-class-id regex
T6096
Config commits are not synced properly because 00vyos-sync is deleted by vyos-router
T6098
Description doesn't seem to allow for non international characters
T6104
Regression in commit-archive for non-interactive configuration
T6107
Nginx does not allow big config queries for configure endpoint API
T6141
Trying to set PADO delay in PPPoE server without also configuring the session options causes a commit failure
Other resolved issues
T2199
Rewrite firewall in new XML/Python style
T5738
Extend XML building blocks
T5870
ipsec remote access VPN: add x509 ("pubkey") authentication
T5959
Streamline dns forwarding service
T6071
firewall: CLI description limit of 256 characters cause config upgrade issues
T6075
Applying firewall rules with a non-existent interface group
T6077
banner: implement ASCII contest winner default logo
T6083
ethtool: move string parsing to JSON parsing
T6095
Tab completion for "set interfaces wireless wlan0 country-code" incorrect country "uk"
T6214
Error when using some constraints
1.4.0-epa1 (22nd February 2024)
Security
T4915
Minisign verification failure == pass??
Breaking changes
T5605
Do not generate keysize option in OpenVPN configs
Configuration syntax changes (automatically migrated)
T1991
Rework time services
T5877
Reduce unnecessary nesting in system domain-search path and improve smoketest
New features and improvements
T160
Support NAT64
T1991
Rework time services
T4221
Add a template filter for converting scalars to single-item lists
T4883
Add a description field for routing tables
T4940
Interface debugging
T5122
Move "archive-areas" to defaults.toml to support "non-free-firmware" repository
T5418
Allow arbitrary subnets in PPPoE client IP pools
T5449
Add options for TCP MSS probing
T5497
Add ability to resequence rule numbers for firewall
T5615
Narrow down spurious name conflict with mdns
T5877
Reduce unnecessary nesting in system domain-search path and improve smoketest
T5965
WWAN modems using raw-ip do not work with dhclient/dhcp6c
T5972
login: add possibility to disable individual local user accounts
Bug fixes
T2113
OpenVPN Options error: you cannot use --verify-x509-name with --compat-names or --no-name-remapping
T2700
Redirecting traffic from PPPoE interface to IFB fails
T2801
conntrack-tools flooding logs
T3681
The VMware Tools resume script did not run successfully in this virtual machine.
T3774
atop logs are not limited in size
T3902
Firewall does not load on boot, address-group not found, even though it exists
T4796
build-vyos-image ignores multiple options
T5239
Host name and domain name missing from the FRR configuration
T5245
Wireless interfaces do not get IPv6 link-local address assigned
T5376
Conntrack FTP helper does not work properly
T5890
OTP key generation is broken
T5926
IPSEC does not apply after l2tp configuration was changed
T5977
nftables: Operation not supported when using match-ipsec in outbound firewall
T6005
Error on adding a wireguard interface to OSPFv3
T6043
VxLAN and bridge error bug
T6056
Applying 'system static-host-mapping' command calls unnecessary snmpd restart
T6064
Can not build VyOS if repository is not cloned to a branch
Other resolved issues
T671
Identify and remove dead code
T874
Support for Two Factor Authentication for CLI access via Google Authenticator/OTP
T1311
WAN load-balancing can't flush connections when conntrack-sync is enabled
T1436
Config entries with default values do not correctly show as changed
T1487
DNS (pdns_recursor) stats logs not saved to disk
T2433
Improve CLI value validator performance
T3337
Add possibility to serve static DNS zones from the router
T3471
DHCP hook is not able to detect all running DHCP instances
T3474
Revisit storing syntax version of interface definitions in XML file
T3522
policy based routing not working
T3574
Add constraintGroup for combining validators with logical AND
T3642
PKI configuration
T3722
op-mode IPSec show vpn ike sa always shows L-TIME 0
T3766
containers: Expanding options for networking and building containers
T4723
Error when issuing 'show flow-accounting interface pppoe0'
T4761
Add a generic URL validator
T4795
Cleanup custom python validators
T4951
Add an op mode exception for cases when operations fail due to insufficient system resources
T5109
Improve OCaml XML validator
T5195
Break up the vyos.util module
T5348
Service config-sync can freeze the secondary router if it has commit-archive location
T5605
Do not generate keysize option in OpenVPN configs
T5754
Update to StrongSwan 5.9.11
T5846
Refactor and simplify DUID definition in conf-mode
T5903
NHRP don't start on reboot from version 1.5-rolling-202401010026
T6001
Add option to enable resolve-via-default
T6015
"journalctl_charon" file does not contain data in the generated "ipsec debug-archive" file
T6050
Wrong scripting commands descriptions in accel-ppp services
T6078
Update ethtool to 6.6