1.4 Sagitta

1.4.1 (future release)

Configuration syntax changes (automatically migrated)

  • T6505 Support VXLAN VLAN-VNI range mapping in CLI

New features and improvements

  • T5878 Make the list of SSH server ciphers configurable

  • T5949 Disable USB autosuspend

  • T6320 WiFi: Enable support for 6GHz Access Points

  • T6423 Require command definition nodes that have an owner to also have a priority

  • T6424 ipsec: op-mode command to generate client profiles should honor common name of the CA node that signed the server certificate

  • T6454 Explicitly set the default reverse proxy mode to HTTP

  • T6462 wireless: add op-mode command for hostapd and wpa_supplicant logs

  • T6473 bgp: missing completion helper for peer-groups inside a VRF

  • T6477 Adding Loki plugin to Telegraf

  • T6505 Support VXLAN VLAN-VNI range mapping in CLI

  • T6538 Allow adding a geneve interface to the vrf.

  • T6539 Add logging options to load-balancer reverse-proxy

  • T6566 op-mode: "monitor bandwidth" add support for listing all interfaces concurrently

  • T6576 op-mode: ntp: add support for NTP service restart via CLI

  • T6614 Initial support for smoketesting op-mode commands

Bug fixes

  • T2145 openvpn: server default topology net30 is incompatible with static client IPs for Windows clients

  • T4287 wireless: cannot set regulatory domain

  • T5514 Improve error handling when/if config.boot is deleted or missing

  • T5552 'set system option performance throughput' enables IPv6 forwarding even if it's explicitly disabled with 'set system ipv6 disable-forwarding'

  • T5725 protocol IS-IS configuration is empty if a tunnel does not have remote address

  • T5947 [1.3.2 -> 1.4.0-RC1 Migration] Static ipv6 routes dropped

  • T6148 Reset vpn ipsec command breaks tunnel and does not reset SAs that are down

  • T6332 IPv6-only ISIS (or, in general, dual topology) is not working with other devices running frr

  • T6401 Attempts to delete vlan-to-vni option causes an unhandled exception

  • T6429 bug - isis metric-style not applied configuration

  • T6431 monitor traceroute broken VRF support

  • T6453 GRUB variables with `=` in a value are parsed improperly

  • T6460 Showing DHCPv6 leases can fail due to DUID parsing issues

  • T6463 reverse-proxy: service not reloaded when updating SSL certificate via PKI

  • T6464 sstpc: interface not restarted when updating SSL certificate via PKI

  • T6480 PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/..../cert.pem

  • T6484 Smoketest fails: fastnetmon killed due to OOM

  • T6503 Command 'restart ssh' not working

  • T6519 interfaces: 20-to-21 -> migration fails if new system has less ethernet interfaces

  • T6523 Error: "nft table ip vyos_filter not found" when committing prometheus-client

  • T6559 vyos-configd should return commit error on config dependency error

  • T6584 Revert addition of Linux Kernel MT7921 driver

  • T6593 Release DHCP interface does not work

  • T6600 ospf: smoketest "router ospf' not found in" for ldp sync

  • T6602 interfaces: verify supplied VRF name on all interface types

  • T6603 vrf: nftables conntrack ct_iface_map contains multiple identical entries

  • T6605 `ConfigError()` behavior is wrong with running `vyos-configd`

  • T6610 Missing minisign pub key from image

Other resolved issues

  • T4026 PKI:  generate pki certificate sign <ca-name> is not working

  • T5570 PAM config RADIUS  ignore for default and success

  • T6290 SNMPD show logs systemstats_linux: unexpected header length

  • T6379 "generate openvpn" uses "comp-lzo no", which leads to problems on Android-Clients

  • T6446 Display the support URL from image build data in LTS builds

  • T6486 Generate openvpn client-config ignores configured protocol type

  • T6500 openconnect: add support for new multi ca-certificate CLI node

  • T6524 Rewrite "release dhcp interface <interface>" to Python to drop remaining Perl dependencies

  • T6592 Changing VRF on interface fails

  • T6594 IPoE-server extended-scripts do not work

  • T6597 wireless: hostapd occasionally gets deactivated via systemd and causes loss in connectivity

  • T6598 Unexpected podman version 4.3.1

1.4.0 (4th June 2024)

New features and improvements

  • T3202 Enable wireguard debug messages by default

  • T4022 Add package nat-rtsp-dkms

  • T4393 sstp: add support for configuring host-name (SNI)

  • T5386 Execute VRRP transition script when `set high-availability disable` is committed

  • T5752 Check compatibility of new image tools with XCP-NG images

  • T6293 add Mediatek MT7921 to defconfig

  • T6339 Display the flavor name and build comment in "show version"

  • T6395 Enable VFIO No-IOMMU support in kernel config

Bug fixes

  • T4576 vpn l2tp logging level configuration

  • T5527 Adjust for change in coreutils behavior on overlayfs

  • T5939 [1.3.5 -> 1.4.0-RC1 Migration]  as-path-list Entries Get Messed Up

  • T5940 [1.3.5 -> 1.4.0-RC1 Migration] commit-archive Fails to Migrate

  • T6038 Losing default route after first reboot (cloud-init & DHCP)

  • T6094 Destination Nat not Making Firewall Rules

  • T6225 Unhandled exception when configuring random-detect QoS policy

  • T6348 SNAT op-mode fails with flowtable offload entries

  • T6356 Correct the syntax of config.boot.default [..., 'ntp', 'server'] from leaf node with value to tag node

  • T6365 Negating interface names in NAT configuration causes invalid warnings

  • T6377 PermissionError on /config/auth/letsencrypt/live/ when running show pki

  • T6400 pki: unable to generate fingerprint for ACME issued certificates

  • T6402 Invalid variables referenced in reverse proxy validation

  • T6404 Include constraintGroup element in reference tree

  • T6407 Generate ipsec profile error

  • T6419 reverse-proxy: full CA chain is not built when verifying backend server

  • T6421 host-name has no explicit priority to be set on system boot

Other resolved issues

  • T1981 Allow route-map 'set src' to reference both IPv4 and IPv6

  • T3493 DHCPv6 does not have prefix range validation

  • T4519 DHCPv6: "set show dhcpv6 server leases" should show DUID instead of IAID_DUID

  • T4909 Rewrite the NTP op mode in the new format

  • T5351 VyOS deployed with cloud-init improperly saves config.boot

  • T6022 set system image default-boot

  • T6048 Exception in event handler script

  • T6328 Add a warning message about deprecation of web proxy URL filtering

  • T6333 non-free-firmware to trixie

  • T6345 Source NAT Port Mapping setting of Fully-Random is superfluous in Kernels 5.0 onwards

  • T6346 Boot to multi-user.target instead of graphical.target

  • T6358 Container config option to enable host pid

  • T6367 op-mode: commit-archive: TypeError: attribute name must be string, not 'NoneType'

  • T6383 Incorrect completion for rollback-soft

  • T6384 rollback-soft should tell the user to compare and commit

  • T6391 load-balancing reverse-proxy: typo in timeout help

  • T6396 MINOR Typo: set system conntrack timeout custom ipv4 rule X

  • T6409 Remove unused parameter node from reverse-proxy backend

1.4.0-epa3 (14th May 2024)

Security

Configuration syntax changes (automatically migrated)

  • T5535 Move disable-directed-broadcast to firewall global-options

  • T6171 Rename the DHCP server "failover" command to "high-availability mode"

  • T6208 container: rename "cap-add" CLI node to "capability"

  • T6216 Firewall group names that contain the '+' character break the config

  • T6295 netns: disable incomplete support in VyOS 1.4 sagitta

New features and improvements

  • T4309 Support network/address-groups and  ipv6-network/ipv6-address-groups in "conntrack ignore"

  • T4903 Support IPv6 addresses in "set system conntrack ignore"

  • T5364 Make it possible to set the PADO delay to 0

  • T6127 Ability to view logs for rules with Offload not functional

  • T6133 Add domain-name to commit-archive

  • T6143 Increase configuration timeout range for service config-sync

  • T6154 Installer should ask for password twice

  • T6161 Add support for displaying container image data in JSON

  • T6162 ixgbe: Add 1000BASE-BX support

  • T6171 Rename the DHCP server "failover" command to "high-availability mode"

  • T6176 image-tools: rationalize setting of console type

  • T6184 image-tools: add op-mode command to set default boot console type

  • T6192 Support running SSH server in more than one VRF

  • T6226 Add "tcp-request inspect-delay" to reverse proxy

  • T6257 Add op mode commands for dynamic firewall address groups

  • T6258 Add IPv6 base-reachable-time option to interfaces

  • T6260 image-tools: remove the image directory if it fails to install due to insufficient drive space

  • T6267 Improve commit failure messages for wireless interface configuration

  • T6278 Attempt hint for console type during image install

  • T6291 Add op mode commands for displaying LACP information for bonding interfaces

  • T6306 EVPN-MH - missing options in uplink ports

Bug fixes

  • T2590 DHCPv6 not updating nameservers and search domains since replacing isc-dhcp-client with WIDE dhcp6c

  • T3655 NAT doesn't work correctly with VRF

  • T4718 DHCP server listen-address doesn't take effect if the interface is in a VRF

  • T5164 op cmd: "show dhcp server leases state" with available options does not show any result

  • T5862 Default MTU is not acceptable in some environments

  • T5875 login: removing and re-adding a user keeps the home directory but changes the UID, thus SSH keys no longer work

  • T5996 Incorrect behavior for backslash escapes in config save and compare commands

  • T6082 BGP doesn't allow the same local AS and remote AS in peer groups

  • T6085 VTI interfaces are in UP state by default

  • T6089 [1.3.6->1.4.0-epa1 Migration] "ospf passive-interface default" incorrectly added

  • T6090 Migration of "policy route" configs fails due to TCP flag case sensitivity

  • T6100 NAT config migration error in 1.4.0-epa1 if invalid address/network defined in 1.3.6 version

  • T6106 Improve the commit error message for the case when route-reflector-client option is defined in a peer-group

  • T6119 Use a compliant TOML parser

  • T6130 [1.3.6->1.4.0-epa2 Migration] BGP "set community" missing

  • T6131 Disabling openvpn interface(s) causes OSPF to fail to load on reboot

  • T6136 Configuring a dynamic address group, config script did not check whether the group was created

  • T6138 Conntrack table op-mode fails with flowtable offload entries

  • T6145 Service config-sync does not rely on priorities

  • T6147 Conntrack not working as expected with global state-policy

  • T6149 Update node_data when merging nodes in reference tree generation

  • T6152 Kernel panic for ZimaBoard 232

  • T6160 Unhandled exception when configuring IS-IS

  • T6165 grub: vyos-grub-update failed to start on "slow" systems

  • T6167 VNI not set on VRF after reboot

  • T6168 "add system image" does not set the default boot image to the current console type in compatibility mode

  • T6169 DNS forwarding configuration rejects underscores in SRV records

  • T6173 Build Causes Errors When "--version" Contains Slashes ("/")

  • T6175 op-mode: "renew dhcp interface <name>" does not check if it's an actual DHCP interface

  • T6178 reverse-proxy doesn't check that a certificate exists at set time

  • T6179 Incorrect HAProxy config generated for reverse-proxy rules with url-path

  • T6186 'set system image default-boot' fails to find images that actually do exist in the system

  • T6189 BGP L3VPN connectivity is broken after re-enabling VRF

  • T6191 Policy route set-mss option is not working correctly

  • T6193 dhcp-client: invalid warning "is not a DHCP interface but uses DHCP name-server option" for VLAN interfaces

  • T6196 route-map and summary-only do not work in BGP aggregation at the same time

  • T6197 Validation error in the IPoE server interface client-subnet option

  • T6202 Multi-Protocol BGP is broken by 6PE patch in upstream FRR 9.1

  • T6205 ipoe: error in migration script logic while renaming mac-address to mac

  • T6206 L2tp smoketest fails if vyos-configd is running

  • T6207 image-tools: restore ability to copy config.boot.default on image install

  • T6213 Validations in firewall groups mistakenly reject correct configurations

  • T6216 Firewall group names that contain the '+' character break the config

  • T6218 Container network interface in VRF fails to generate IPv6 link-local address

  • T6221 Enabling VRF breaks connectivity

  • T6222 VRRP rfc3768-compatibility not working correctly when resulting interface name is over 15 characters

  • T6241 Updating CRL in "pki" config does not update OpenVPN

  • T6243 Update vyos-http-api-tools for package idna security advisory

  • T6250 "policy route-map set table" cannot be deleted from the rule

  • T6252 GRE tunnels don't allow configuring MTU larger than 8024

  • T6255 Static table description should not contain white-space

  • T6263 Commit failures when trying to set an IGMP group with source address on an interface

  • T6269 Policy route "set table" option is not working correctly

  • T6272 PPPoE configuration does not load after deleting a PPPoE interface from the system

  • T6276 Do not call config dependencies on script error

  • T6283 Cannot delete as-path prepend from policy when it contains more than one AS

  • T6284 IPoE server op mode commands do not show IPv6 addresses

  • T6299 Building VyOS (Dockerized) current ISO fails due to unmet dependencies podman : Depends: libgpgme11t64 (>= 1.4.1) but it is not installable

  • T6305 IPoE interface wildcard validation error in firewall rules

  • T6307 procps is missing from vyos-1x build dependencies

  • T6317 VLAN doesn't work on a bridge with a wireless interface member

  • T6329 Firewall - Error while printing groups

Other resolved issues

  • T4516 Rewrite system image manipulation tools in Python

  • T5535 Move disable-directed-broadcast to firewall global-options

  • T6146 Add python script to get all priorities of service or section from XML

  • T6159 "show openvpn server" prints a superfluous "OpenVPN status on vtunx" message for every client connection

  • T6180 Add application of mask to configtree

  • T6185 Simplify marshalling of section and config data for config-sync

  • T6187 Use correct CPU counts adjusted for SMT when necessary

  • T6195 dropbear: package upgrade 2022.83-1 -> 2022.83-1+deb12u1

  • T6198 configverify: add common helper for PKI certificate validation

  • T6203 Remove references to the obsolete vyos.xml module (superseded by vyos.xml_ref)

  • T6208 container: rename "cap-add" CLI node to "capability"

  • T6234 PPPoE-server pado-delay refactoring

  • T6245 Unhandled exception in "show openvpn server"

  • T6295 netns: disable incomplete support in VyOS 1.4 sagitta

  • T6327 Drop boot console type ttyUSB (USB serial)

  • T6330 release.pref.chroot indentation broken

1.4.0-epa2 (15th March 2024)

Configuration syntax changes (automatically migrated)

  • T6079 dhcp: migration fails for duplicate static-mapping

New features and improvements

  • T4977 Babel routing protocol support

  • T5504 Make it possible to set more than one peer-address in unicast VRRP

  • T5530 Add LFA to IS-IS

  • T5631 Ability to export the current configuration in JSON format

  • T5717 ospfv3 - add  allow to set metric-type to ospf redistribution while frr docs says its possible.

  • T5772 Require HTTPS API server configurations to include at least one key if key-based auth is used

  • T5781 Add ability to add additional minisign keys

  • T6057 Add ability to disable syslog for conntrackd

  • T6060 op-mode: container: support removing all container images at once

  • T6087 ospfv3: add support to redistribute IS-IS routes

Bug fixes

  • T2998 SNMP v3 oid "exclude" option doesn't work

  • T4270 When "ignore-hosts-file" is unset, local hostname of the router resolves to 127.0.1.1 in the DNS forwarding service

  • T5121 Incorrect "architecture" config loaded

  • T5646 QoS policy limiter broken if class without match

  • T5909 Container registry with authentication prevents config load (section container) after reboot

  • T6004 Missing RPKI boot priority prevents it from loading

  • T6020 VRRP health-check script is not applied correctly in keepalived.conf

  • T6054 load-balancing wan - doesn't configure a list of ports

  • T6055 PKI error: "failed to install x value" when executed the command from conf mode

  • T6061 connection-status nat destination firewall filter not working in 1.4.0-epa1

  • T6069 HTTP API segfault during concurrent configuration requests

  • T6070 bnx2x NIC causes a commit error due to incorrect implementation of EEE status reading

  • T6073 Conntrack/NAT not being disabled when VRFs are defined

  • T6074 container: do not allow deleting images which have a container running

  • T6079 dhcp: migration fails for duplicate static-mapping

  • T6081 QoS policy shaper target and interval wrong calculations

  • T6084 OpenNHRP DMVPN configuration file clean after reboot if we have any IPSec configuration

  • T6086 NAT does not work with network-groups

  • T6093 Incorrect dhcp-options vendor-class-id regex

  • T6096 Config commits are not synced properly because 00vyos-sync is deleted by vyos-router

  • T6098 Description doesn't seem to allow for non international characters

  • T6104 Regression in commit-archive for non-interactive configuration

  • T6107 Nginx does not allow big config queries for configure endpoint API

  • T6141 Trying to set PADO delay in PPPoE server without also configuring the session options causes a commit failure

Other resolved issues

  • T2199 Rewrite firewall in new XML/Python style

  • T5738 Extend XML building blocks

  • T5870 ipsec remote access VPN: add x509 ("pubkey") authentication

  • T5959 Streamline dns forwarding service

  • T6071 firewall: CLI description limit of 256 characters cause config upgrade issues

  • T6075 Applying firewall rules with a non-existent interface group

  • T6077 banner: implement ASCII contest winner default logo

  • T6083 ethtool: move string parsing to JSON parsing

  • T6095 Tab completion for "set interfaces wireless wlan0 country-code" incorrect country "uk"

  • T6214 Error when using some constraints

1.4.0-epa1 (22nd February 2024)

Security

  • T4915 Minisign verification failure == pass??

Breaking changes

  • T5605 Do not generate keysize option in OpenVPN configs

Configuration syntax changes (automatically migrated)

  • T1991 Rework time services

  • T5877 Reduce unnecessary nesting in system domain-search path and improve smoketest

New features and improvements

  • T160 Support NAT64

  • T1991 Rework time services

  • T4221 Add a template filter for converting scalars to single-item lists

  • T4883 Add a description field for routing tables

  • T4940 Interface debugging

  • T5122 Move "archive-areas" to defaults.toml to support "non-free-firmware" repository

  • T5418 Allow arbitrary subnets in PPPoE client IP pools

  • T5449 Add options for TCP MSS probing

  • T5497 Add ability to resequence rule numbers for firewall

  • T5615 Narrow down spurious name conflict with mdns

  • T5877 Reduce unnecessary nesting in system domain-search path and improve smoketest

  • T5965 WWAN modems using raw-ip do not work with dhclient/dhcp6c

  • T5972 login: add possibility to disable individual local user accounts

Bug fixes

  • T2113 OpenVPN Options error: you cannot use --verify-x509-name with --compat-names or --no-name-remapping

  • T2700 Redirecting traffic from PPPoE interface to IFB fails

  • T2801 conntrack-tools flooding logs

  • T3681 The VMware Tools resume script did not run successfully in this virtual machine.

  • T3774 atop logs are not limited in size

  • T3902 Firewall does not load on boot, address-group not found, even though it exists

  • T4796 build-vyos-image ignores multiple options

  • T5239 Host name and domain name missing from the FRR configuration

  • T5245 Wireless interfaces do not get IPv6 link-local address assigned

  • T5376 Conntrack FTP helper does not work properly

  • T5890 OTP key generation is broken

  • T5926 IPSEC does not apply after l2tp configuration was changed

  • T5977 nftables: Operation not supported when using match-ipsec in outbound firewall

  • T6005 Error on adding a wireguard interface to OSPFv3

  • T6043 VxLAN and bridge error bug

  • T6056 Applying 'system static-host-mapping'  command calls unnecessary snmpd restart

  • T6064 Can not build VyOS if repository is not cloned to a branch

Other resolved issues

  • T671 Identify and remove dead code

  • T874 Support for Two Factor Authentication for CLI access via Google Authenticator/OTP

  • T1311 WAN load-balancing can't flush connections when conntrack-sync is enabled

  • T1436 Config entries with default values do not correctly show as changed

  • T1487 DNS (pdns_recursor) stats logs not saved to disk

  • T2433 Improve CLI value validator performance

  • T3337 Add possibility to serve static DNS zones from the router

  • T3471 DHCP hook is not able to detect all running DHCP instances

  • T3474 Revisit storing syntax version of interface definitions in XML file

  • T3522 policy based routing not working

  • T3574 Add constraintGroup for combining validators with logical AND

  • T3642 PKI configuration

  • T3722 op-mode IPSec show vpn ike sa always shows L-TIME 0

  • T3766 containers: Expanding options for networking and building containers

  • T4723 Error when issuing 'show flow-accounting interface pppoe0'

  • T4761 Add a generic URL validator

  • T4795 Cleanup custom python validators

  • T4951 Add an op mode exception for cases when operations fail due to insufficient system resources

  • T5109 Improve OCaml XML validator

  • T5195 Break up the vyos.util module

  • T5348 Service config-sync can freeze the secondary router if it has commit-archive location

  • T5605 Do not generate keysize option in OpenVPN configs

  • T5754 Update to StrongSwan 5.9.11

  • T5846 Refactor and simplify DUID definition in conf-mode

  • T5903 NHRP doesn't start on reboot from version 1.5-rolling-202401010026

  • T6001 Add option to enable resolve-via-default

  • T6015 "journalctl_charon" file does not contain data in the generated "ipsec debug-archive" file

  • T6050 Wrong scripting commands descriptions in accel-ppp services

  • T6078 Update ethtool to 6.6