1.3 Equuleus

1.3.9 (future release)

Bug fixes

  • T5926 IPSEC does not apply after l2tp configuration was changed

Other resolved issues

  • T1311 WAN load-balancing can't flush connections when conntrack-sync is enabled

1.3.8 (25th June 2024)

Bug fixes

  • T5725 protocol IS-IS configuration is empty if a tunnel does not have remote address

  • T6337 Upgrade from 1.3.5 fails if ssh public key name has a space in it

  • T6359 Multicast does not forward after reboot

1.3.7 (13th May 2024)

Security

New features and improvements

  • T1244 Add support for StartupResync in conntrack-sync

  • T5364 Make it possible to set the PADO delay to 0

  • T5418 Allow arbitrary subnets in PPPoE client IP pools

  • T5504 Make it possible to set more than one peer-address in unicast VRRP

  • T6057 Add ability to disable syslog for conntrackd

Bug fixes

  • T1751 DNS server addresses from DHCPv6 are not added to resolv.conf

  • T1976 deleting address-family under neighbor will disable neighbor

  • T2044 RPKI doesn't boot properly

  • T2113 OpenVPN Options error: you cannot use --verify-x509-name with --compat-names or --no-name-remapping

  • T2279 Router resolves as 127.0.1.1 when using Router's Recursive DNS

  • T2590 DHCPv6 not updating nameservers and search domains since replacing isc-dhcp-client with WIDE dhcp6c

  • T2612 HTTPS API, changing API key fails but goes through

  • T2801 conntrack-tools flooding logs

  • T2998 SNMP v3 oid "exclude" option doesn't work

  • T3437 BGP Confederation Addition Causes Error

  • T3992 Unhandled exception when trying to add an interface with an assigned address to a bridge

  • T4270 When "ignore-hosts-file" is unset, local hostname of the router resolves to 127.0.1.1 in the DNS forwarding service

  • T4453 dhclient fails to renew DHCP lease with VRF

  • T5239 Host name and domain name missing from the FRR configuration

  • T5982 Isolated interfaces smoketest fail

  • T6004 Missing RPKI boot priority prevents it from loading

  • T6056 Applying 'system static-host-mapping' command calls unnecessary snmpd restart

  • T6088 Configuration corrupted after saving and powercut or force reboot

  • T6096 Config commits are not synced properly because 00vyos-sync is deleted by vyos-router

  • T6110 Insufficient validation of range option with failover in DHCP server

  • T6124 Docker equuleus build image doesn't build due to fpm

  • T6141 Trying to set PADO delay in PPPoE server without also configuring the session options causes a commit failure

  • T6150 Impossible to set a static IP address via RADIUS in IPoE

  • T6193 dhcp-client: invalid warning "is not a DHCP interface but uses DHCP name-server option" for VLAN interfaces

  • T6196 route-map and summary-only do not work in BGP aggregation at the same time

  • T6243 Update vyos-http-api-tools for package idna security advisory

Other resolved issues

  • T1198 Extra hyphen in suggested image name on upgrade

  • T3584 Migrate NTP server addresses from *.pool.ntp.org to our own

  • T6261 Typo in the operational mode connect and disconnect command output

1.3.6 (14th February 2024)

Security

  • T5318 Security Vulnerabilities for VyOS 1.3.3

Configuration syntax changes (automatically migrated)

  • T2060 source-validation will be configured at different locations and could lead to massive confusion

  • T2289 Denest certbot certificate configuration from service https

New features and improvements

  • T1929 ipset in firewall

  • T2060 source-validation will be configured at different locations and could lead to massive confusion

  • T2116 Processing configuration via Cloud-init User-Data

  • T2191 Using tallow to block sshd probes

  • T2289 Denest certbot certificate configuration from service https

  • T3039 Resize a root partition and filesystem automatically during deployment in virtual environments

  • T4039 Rsyslog to use 'protocol23format' for protocol UDP

  • T4078 A hybrid of "network-group" and "address-group".

  • T5182 Update Intel ice driver

  • T5187 Update Realtek r8152 driver

  • T5275 Add op mode commands for exporting certificates to PEM files with correct headers

  • T5796 Openconnect - HTTPS security headers are missing

Bug fixes

  • T117 Cannot install from ISO via serial console on ttyS1

  • T1925 DMVPN is always listed as down in "show vpn ipsec sa"

  • T2085 Building some packages with vyos-build no longer works for Equuleus/current

  • T2163 Disabled vif interface with "address dhcp" requests DHCP address

  • T2404 Cannot change MTU

  • T2509 No inotify notifications from /

  • T2574 wan-load-balance snat bug and route problem

  • T2793 compare + TAB completion does not show proper username if user contains _

  • T2837 make-version-file executed too early during build process

  • T3154 route-map CLI allows 32-bit ASNs in community options even though FRR doesn't

  • T3980 vrrp transition-script validator makes warning fatal and also causes a python NameError exception

  • T4062 VRRP IPSEC-AH : sequence number xxxxxxx already processed. Packet dropped. Local(xxxxxxx)

  • T4566 Cannot log in on serial console on Equuleus v1.3.1

  • T4752 ICMP redirects not working / not properly configured

  • T4760 VyOS does not support running multiple instances of DHCPv6 clients

  • T4990 Commit results may not be properly saved if power is cut immediately after a successful commit

  • T5180 initramfs-tools ignores firmware from updates directory

  • T5543 Fix source address handling in static joins

  • T5625 "restart vpn" does not work if ipsec-interfaces is not set

  • T5739 Password recovery does not work if public keys are configured

  • T5800 HTTPS API unavailable after delete VRF

  • T5852 Reboots fail with eapol WAN interface

  • T5914 CVE-2023-48795 - Terrapin vulnerability

  • T5924 Build cannot pass the smoketest dialup-router-medium-vpn

  • T5967 Multi-hop BFD connections can't be established; please add minimum-ttl option.

  • T6017 Update vyos-http-api-tools for security advisory

Other resolved issues

  • T922 OSPF - Process Crash after peer reboot

  • T1297 Add GARP settings to VRRP/keepalived

  • T1369 GCP Networking Failure

  • T1500 Slow boot/load and CLI response times

  • T1667 Add a tool for automatically importing old style command definitions into XML

  • T1671 rewrite udev script logic /lib/udev/vyatta_net_name

  • T1981 Allow route-map 'set src' to reference both IPv4 and IPv6

  • T2223 convert operational show interfaces to python/XML

  • T2353 Interface [conf_mode] errors parent task

  • T2431 Python validators are slow

  • T2452 Serial console related issues

  • T2546 The root task for rewriting [op-mode] to XML

  • T2579 The root task for VRF features

  • T2655 ConfigError formatting issue

  • T2720 Rework vyos.template Python module to make future extension easier

  • T2755 Requirements for partial interface setup

  • T2799 VyOS Certificates Manager

  • T3191 PAM RADIUS freezing when accounting is not configured on RADIUS server

  • T3348 dhcpd: Can't create new lease file: Permission denied

  • T3403 Error on interrupting list of pppoe sessions

  • T3513 Attempting to remove firewall rule results in error

  • T3688 Fail to save configuration via scp/sftp

  • T3737 openvpn-option needs to be able to support quotes as since openvpn 2.4.

  • T3813 Some custom sysctl parameters can't be applied bug

  • T4222 Support for TWAMP as round-trip metric

  • T4646 USB serial output console does not work

  • T5274 Add a deprecation warning for OpenVPN site-to-site with pre-shared secret

  • T5714 IPSec VPN: op-mode: "show log vpn" does not show results

  • T5715 IPSec VPN: restart vpn is not working

  • T6014 Bump keepalived version

  • T6249 ISO builder fails because of changed buster-backport repository

1.3.5 (15th December 2023)

Configuration syntax changes (automatically migrated)

  • T2139 openvpn: allow "dh-file none" to disable DH for ECDH keys

New features and improvements

  • T1118 Obsolete "utc" option in time selector in firewall

  • T2014 Use vendor specific NTP Pool hostname

  • T2139 openvpn: allow "dh-file none" to disable DH for ECDH keys

  • T4269 node.def generator should automatically add default values

  • T5213 Accel-ppp sending accounting interim updates acct-interim-interval option

  • T5270 Make OpenVPN `tls dh-params` optional

  • T5271 Add support for peer-fingerprint to OpenVPN

  • T5273 Add op mode commands for displaying certificate details and fingerprints

  • T5387 dhcp6c: add a no release option

  • T5576 Add bgp remove-private-as all option

  • T5586 Disable by default SNMP for Keepalived VRRP

  • T5630 pppoe: allow to specify MRU in addition to already configurable MTU

  • T5661 Add show ssh dynamic-protection attacker and show log ssh dynamic-protection

Bug fixes

  • T305 loadbalancing does not work with one pppoe connection and another connection of either dhcp or static

  • T971 authentication public-keys options quoting issue

  • T1012 vyos-build configure script should check /etc/issue to avoid confusion

  • T2051 Throughput anomalies

  • T2250 vyos-build "make iso" error if configure was ran outside of the docker container

  • T3020 The "scp" example is wrong in the bash-completion for "set system config-management commit-archive location"

  • T3045 Changes to Conntrack-Sync don't apply correctly (Multicast->UDP)

  • T3940 DHCP client does not remove IP address when stopped by the 02-vyos-stopdhclient hook

  • T4146 Nginx should not listen on port 80

  • T4328 Large MTU on 1.3.1-S1

  • T4402 OpenVPN client-ip-pool option is broken

  • T4601 dhcp : relay agent IP address issue.

  • T4776 NVME storage is not detected properly during installation

  • T5223 tunnel key doesn't clear

  • T5235 SSH keys with special characters cannot be applied via Cloud-init

  • T5402 VRRP router with rfc3768-compatibility sends multiple ARP replies

  • T5413 Deny the opportunity to use one public/private key pair on both wireguard peers.

  • T5486 Service dns dynamic cannot pass the smoketest

  • T5669 VXLAN interface changing port does not work

  • T5670 bridge: missing member interface validator

  • T5763 Fix imprecise check for remote file name in vyos-load-config.py

  • T5777 frr: backport and upstream recent bgpd daemon crashes

Other resolved issues

  • T1276 dhcp relay + VLAN fails

  • T2719 Standardized op mode script structure

  • T3536 Unable to list all available routes

  • T3702 Policy: Allow routing by fwmark

  • T5191 Replace underscores with hyphens in command-line options generated by vyos.opmode

  • T5268 OpenVPN: upgrade package to 2.6 series

  • T5280 Update Expired keys (2023-06-08) for PowerDNS

  • T5578 "ikev2-reauth" description contains outdated information

  • T5624 Remove /etc/debian_version from the image

  • T5632 Add jq package to parse JSON files

  • T5817 Show openvpn server fails in some cases

1.3.4 (17th October 2023)

New features and improvements

  • T738 Add local-port and resolver port options for powerdns in CLI configuration tree

  • T2123 Configure 3 NTP servers

  • T2424 Ability to choose the direction of Mirroring

  • T3144 Support op-mode command to release DHCP leases

  • T3546 Add support for running scripts on PPPoE server session events

  • T4151 IPV6 local PBR Support

  • T4426 Add arpwatch to the image

  • T4475 route-map does not support ipv6 peer

  • T4825 interfaces veth/veth-pairs -standalone used

  • T5190 Cloud-Init cannot fetch Meta-data on machines where the main Ethernet interface is not eth0

  • T5265 WAN load-balancing: missing completion helpers

  • T5315 vrrp: add support for version 3

  • T5354 Add sshguard to protect against brute-forces for 1.3

Bug fixes

  • T2611 Prefix list names are shared between ipv4 and ipv6

  • T2908 VRF and bridge membership isn’t mutually exclusive

  • T2958 DHCP server doesn't work from a live CD

  • T3070 Firewall going OOM, possible related to nftables migration

  • T3098 Cannot talk to rtnetlink: Message too long Command failed -:1

  • T3339 Cloud-Init domain search setting not applied

  • T4113 Incorrect GRUB configuration parsing

  • T4121 Nameservers from DHCP client cannot be used in specific cases

  • T4407 Network-config v2 is broken in Cloud-init 22.1 and VyOS 1.3

  • T4412 commit archive: reboot not working with sftp

  • T4459 API service with VRF doesn't work in 1.3.1

  • T4745 CLI TAB issue with values with '-' at the beginning in conf mode

  • T4790 RADIUS login does not work if sum of timeouts more than 50s

  • T4855 Trying to create more than one tunnel of the same type to the same address causes unhandled exception

  • T4869 A network with `/32` or `/128` mask cannot be removed from a network-group

  • T4895 Tag nodes are overwritten when configured by Cloud-Init from User-Data

  • T5006 Http api segfault with concurrent requests

  • T5140 Firewall network-group problems

  • T5221 BGP as-override behavior differs from new FRR and other vendors

  • T5240 Service router-advert failed to start radvd with more than 3 name-servers

  • T5305 REST API configure operation should not be defined as async

  • T5313 UDP broadcast relay - missing verify() that relay interfaces have an IP address assigned

  • T5329 Wireguard interface as GRE tunnel source causes configuration error on boot

  • T5428 dhcp: client renewal fails when running inside VRF

  • T5506 Container bridge interfaces do not have a link-local address

  • T5524 Add config directory to liveCD

  • T5533 Keepalived VRRP IPv6 group enters in FAULT state

  • T5545 sflow is not working

  • T5555 Fix timezone migrator (system 13-to-14)

  • T5594 VRRP - Error if using IPv6 Link Local as hello source address

Other resolved issues

  • T469 Problem after commit with errors

  • T2296 Upgrade WALinux to 2.2.41

  • T3424 PPPoE IA-PD doesn't work in VRF

  • T3577 Generating vpn x509 key pair fails with command not found

  • T3713 Create a meta-package for user utilities

  • T4306 Do not check for dirty repository when building release images

  • T4874 Add Warning message to Equuleus

  • T4933 Malformed lines cause vyos.util.colon_separated_to_dict fail with a nondescript error

  • T5272 Upgrade OpenVPN to 2.6 in Equuleus

  • T5470 wlan: can not disable interface if SSID is not configured

  • T5557 bgp: Use treat-as-withdraw for tunnel encapsulation attribute CVE-2023-38802

1.3.3 (22nd June 2023)

Security

  • T3835 vyos router 1.2.7 snmp DoS bug

  • T4970 pin OCaml pcre package to avoid JIT support

Configuration syntax changes (automatically migrated)

  • T4628 ConfigTree() throws ValueError() if tagNode contains whitespaces

New features and improvements

  • T1024 Policy Based Routing by DSCP

  • T1928 Is the 'Welcome to VyOS' message when using SSH an information leak?

  • T1993 Extended pppoe rate-limiter

  • T2603 pppoe-server: reduce min MTU

  • T2640 Running VyOS inside Docker containers

  • T2769 Add VRF support for syslog

  • T3937 Rewrite "show system memory" in Python to make it usable as a library function

  • T4219 support incoming-interface (iif) in local PBR

  • T4575 vyos.util add new wrapper "rc_cmd" to get the return code and output

  • T4683 Add kitty-terminfo package to build

  • T4727 Add RADIUS rate limit support to PPTP server

  • T4743 Enable IPv6 address for Dynamic DNS

  • T4785 snmp: Allow !, @, * and # in community name

  • T4812 IPsec ability to show all configured connections

  • T4898 Add mtu config option for dummy interfaces

  • T4922 Add ssh-client source-interface CLI option

  • T4947 Support mounting container volumes as ro or rw

  • T4948 pppoe: add CLI option to allow definition of host-uniq flag

  • T4949 Backport "monitor log" and "show log" op-mode definitions from current to equuleus

  • T4959 Add container registry authentication config for containers

  • T4971 Radius attribute "Framed-Pool" for PPPoE

  • T5033 generate-public-key command fails for address with multiple public keys like GitHub

  • T5098 PPPoE client holdoff configuration

Bug fixes

  • T2118 Failure to boot after power outage due to dirty filesystem and no fsck in initramfs

  • T2189 Adding a large port-range will take ~ 20 minutes to commit

  • T2516 vyos-container: cannot configure ethernet interface

  • T2838 Ethernet device names changing, multiple hw-id being added

  • T3852 DHCP client issue - interface has two dhclient processes when link is unplugged and then plugged again

  • T4117 Not possible to configure PoD/CoA for L2TP vpn

  • T4153 Monitor bandwidth-test initiate not working

  • T4177 Strip-private doesn't work for service monitoring

  • T4312 Telegraf configuration doesn't accept IPs for URL

  • T4533 Radius clients don’t have simple permissions

  • T4582 Router-advert: Preferred lifetime cannot equal valid lifetime in PIOs

  • T4628 ConfigTree() throws ValueError() if tagNode contains whitespaces

  • T4630 Prevent attempts to use the same interface as a source interface for pseudo-ethernet and MACsec at the same time

  • T4642 proxy: hyphen not allowed in proxy URL

  • T4648 PPPoE: Ignore default router from RA when PPPoE default-route is set to none

  • T4664 Add validation to reject whitespace in tag node value names

  • T4668 Adding/removing members from bond doesn't work/results in incorrect interface state

  • T4671 linux-firmware package is missing symlinks defined in WHENCE file

  • T4679 OpenVPN site-to-site incorrect check for IPv6 local and remote address

  • T4680 Telegraf prometheus-client listen-address invalid format

  • T4702 Wireguard peers configuration is not synchronized with CLI

  • T4709 TCP MSS clamping broken in equuleus

  • T4730 Conntrack-sync error - listen-address is not the correct type in config as it should be

  • T4737 FRRouting/zebra 7.5.1 does not redistribute routes to other protocols

  • T4799 PowerDNS >= 4.7 does not get reloaded by vyos-hostsd

  • T4872 Op-mode show openvpn misses a case when parsing for tunnel IP

  • T4884 Missing a community6 in snmpd config

  • T4896 ospfv3: Fix broken not-advertise option

  • T4902 snmpd: exclude container storage from monitoring

  • T4918 Odd show interface behavior

  • T4939 VRRP command no-preempt not work as expected

  • T4955 Openconnect radiusclient.conf generating with extra authserver

  • T4975 CLI does not work after cutting off the power or reset

  • T4978 KeyError: 'memory' container_config['memory'] on upgrading to 1.4-rolling-202302041536

  • T4992 Incorrect check is_local_address for bgp neighbor with option ip_nonlocal_bind set

  • T4993 Can't delete conntrack ignore rule

  • T5009 op-mode command: restart dhcp relay-agent not working

  • T5011 Some interface drivers don't support min_mtu and max_mtu and verify_mtu check should be skipped

  • T5017 Bug with validator interface-name

  • T5047 Recreate only a specific container

  • T5066 Different GRE tunnel but same tunnel keys error

  • T5136 Possible config corruption on upgrade

  • T5152 Telegraf agent hostname isn't qualified

  • T5175 http-api: error in MultiPart parser for FastAPI version >= 0.91.0

  • T5176 http-api: update vyos-http-api-tools for FastAPI security vulnerability

  • T5186 QoS test cannot pass for 1.3

Other resolved issues

  • T1288 FRR: rewrite staticd backend (/opt/vyatta/share/vyatta-cfg/templates/protocols/static/*)

  • T1875 Add the ability to use network address as BGP neighbor (bgp listen range)

  • T2913 Failure to install fpm while building builder docker image

  • T3083 Add feature event-handler

  • T3608 Standardize warnings from configure scripts

  • T3810 webproxy squidguard rules don't work properly after rewriting to python.

  • T4122 interface ip address config missing after upgrade from 1.2.8 to 1.3.0 (when redirect is configured?)

  • T4262 install image doesn't respect chosen root partition size

  • T4381 OpenVPN: Add "Tunnel IP" column in "show openvpn server" operational command

  • T4511 IPv6 DNS lookup

  • T4625 Update ocserv to current revision (1.1.6)

  • T4652 Upgrade PowerDNS recursor to 4.7 series

  • T4798 Migrate the file-exists validator away from Python

  • T4832 dhcp: Add IPv6-only dhcp option support (RFC 8925)

  • T4875 Replace Python validator 'interface-name' to avoid Python startup cost

  • T4900 Cache intermediary results of get_config_diff in Config instance

  • T4906 ipsec connections shows only one connection as up

  • T4925 Need to add the possibility to configure Pseudo-Random Functions (PRF) in IKEv2

  • T4999 vyos.util backport dict_search_recursive

  • T5007 Interface multicast setting is invalid

  • T5008 MACsec CKN of 32 chars is not allowed in CLI, but works fine

  • T5111 pppd-dns.service startup failed

  • T5243 Default route is inactive if an interface has multiple ip addresses of the same subnet in 1.3.2 Equuleus

1.3.2 (7th November 2022)

New features and improvements

  • T1375 Add clear dhcp server lease function

  • T2580 Support for ip pools for ippoe

  • T2683 no dual stack in system static-host-mapping host-name

  • T2763 New SNMP resource request - SNMP over TCP

  • T3318 Update Linux Kernel to v5.4.208 / 5.10.142

  • T3785 Add unicode support to configtree backend

  • T4260 Extend vyos.configdict.node_changed() to support recursiveness

  • T4315 Telegraf - Output to prometheus

  • T4336 isis: add support for MD5 authentication password on a circuit

  • T4346 Deprecate "system ipv6 disable" option to disable address family within OS kernel

  • T4373 PPPoE-server add multiplier option for shaper

  • T4395 Extend show vpn debug

  • T4421 Add support for floating point numbers in the numeric validator

  • T4442 HTTP API add action "reset"

  • T4456 NTP client in VRF tries to bind to interfaces outside VRF, logs many messages

  • T4489 MPLS sysctl not persistent for tunnel interfaces

  • T4507 IPoE-server add multiplier option for shaper

  • T4509 Feature Request: DNS64

  • T4515 Reduce telegraf binary size

  • T4522 bond: add ability to specify mii monitor interval via CLI

  • T4584 hostap: create custom package build

  • T4614 OpenConnect split-dns directive

  • T4647 Add Google Virtual NIC (gVNIC) support

Bug fixes

  • T2194 "show firewall" garbled output

  • T2654 Multiple names unable to be assigned to the same static mapping

  • T3507 Bond with mode LACP show u/u in show interfaces even if peer is not configured

  • T3714 Some sysctl custom parameters disappear after reboot

  • T4206 Policy Based Routing with DHCP Interface Issue

  • T4230 OpenVPN server configuration deleted after reboot when using a VRRP virtual-address

  • T4294 Adding a new openvpn-option does not restart the OpenVPN process

  • T4313 "generate public-key-command" throws unhandled exceptions when it cannot retrieve the key

  • T4319 The command "set system ipv6 disable" doesn't work as expected.

  • T4324 wwan: check alive script should only be run via cron if a wwan interface is configured at all

  • T4330 MTU settings cannot be applied when IPv6 is disabled

  • T4331 IPv6 link local addresses are not configured when an interface is in a VRF

  • T4337 isis: IETF SPF delay algorithm can not be configured - results in vyos.frr.CommitError

  • T4338 wwan: changing interface description should not trigger reconnect

  • T4339 wwan: tab-completion results in "No such file or directory" if there is no WWAN interface

  • T4341 login: disable user-account prior to deletion and wait until deletion is complete

  • T4350 DMVPN opennhrp spokes don't work behind NAT

  • T4354 Slave interfaces fall out from bonding during configuration change

  • T4361 `vyos.config.exists()` does not work for nodes with multiple values

  • T4363 salt-minion: default mine_interval option is not set

  • T4366 geneve: interface is removed on changes to e.g. description

  • T4369 OpenVPN: daemon not restarted on changes to "openvpn-option" CLI node

  • T4388 dhcp-server: missing constraint on tftp-server-name option

  • T4405 DHCP client sometimes ignores `no-default-route` option of an interface

  • T4441 wwan: connection not possible after a change added after 1.3.1-S1 release

  • T4447 DHCPv6 prefix delegation `sla-id` limited to 128

  • T4468 web-proxy source group cannot start with a number bug

  • T4510 set system static-host-mapping doesn't allow IPv4 and IPv6 for same name.

  • T4513 Webproxy monitor commands do not work

  • T4521 bond: ARP monitor interval is not configured despite set via CLI

  • T4525 Delete interface from VRF and add it to bonding error

  • T4527 Prevent to create VRF name default

  • T4532 Flow-accounting IPv6 server/receiver bug

  • T4534 bond: bridge: error out if member interface is assigned to a VRF instance

  • T4537 MACsec not working with cipher gcm-aes-256

  • T4538 Macsec does not work correctly when the interface status changes.

  • T4565 vlan aware bridge not working with - Kernel: T3318: update Linux Kernel to v5.4.205 #249

  • T4572 Add an option to force interface MTU to the value received from DHCP

  • T4579 bridge: can not delete member interface CLI option when VLAN is enabled

  • T4592 macsec: can not create two interfaces using the same source-interface

  • T4616 openconnect: KeyError: 'local_users'

  • T4618 Traffic policy not set on virtual interfaces

  • T4632 VLAN-aware bridge not working

  • T4653 Interface offload options are not applied correctly

  • T4666 EAP-TLS no longer allows TLSv1.0 after T4537, T4584

Other resolved issues

  • T4415 Include license/copyright files in the image but remove user documentation from /usr/share/doc to reduce its size

  • T4430 Show firewall output with visual shift default rule

  • T4629 Raised ConfigErrors contain dict instead of only the dict key

  • T4654 RPKI cache incorrect description

1.3.1 (21st March 2022)

Security

  • T4204 Update Accel-PPP to a newer revision

  • T4310 CVE-2022-0778: infinite loop in OpenSSL certificate parsing

  • T4311 CVE-2021-4034: local privilege escalation in PolKit

Configuration syntax changes (automatically migrated)

  • T1972 Allow setting interface name for virtual_ipaddress in VRRP VRID

  • T4273 ssh: Upgrade from 1.2.X to 1.3.0 breaks config

New features and improvements

  • T1972 Allow setting interface name for virtual_ipaddress in VRRP VRID

  • T2400 OpenVPN: don't restart server if no need

  • T2764 Increase maximum number of NAT rules

  • T3164 console-server ssh does not work with RADIUS PAM auth

  • T3299 Allow the web proxy service to listen on all IP addresses

  • T3854 Missing op-mode commands for conntrack-sync

  • T3872 Add configurable telegraf monitoring service

  • T4055 Add VRF support for HTTP(S) API service

  • T4100 Firewall increase maximum number of rules

  • T4120 [VXLAN] add ability to set multiple unicast-remotes

  • T4128 keepalived: Upgrade package to add VRF support

  • T4261 MACsec: add DHCP client support

Bug fixes

  • T2922 The `vpn ipsec logging log-modes` miss the IPSec daemons state check

  • T3380 "show vpn ike sa" does not display IPv6 peers

  • T3686 Bridging OpenVPN tap with no local-address breaks

  • T3914 VRRP rfc3768-compatibility doesn't work with unicast peers

  • T3924 VRRP stops working with VRF

  • T4002 firewall group network-group long names restriction incorrect behavior

  • T4081 VRRP health-check script stops working when setting up a sync group

  • T4087 IPsec IKE-group proposals limit of 10 pieces

  • T4092 IKEv2 mobike commit failed with DMVPN nhrp

  • T4093 SNMPv3 snmpd.conf generation bug

  • T4101 commit-archive: Use of uninitialized value $source_address in concatenation

  • T4104 RAID1: "add raid md0 member sda1" does not restore boot sector

  • T4110 [IPV6-SSH/DNS] enable IPv6 link local addresses as listen-address %eth0

  • T4141 Set high-availability vrrp sync-group without members error

  • T4142 Input ifbX interfaces not displayed in op-mode

  • T4152 NHRP shortcut-target holding-time does not work

  • T4154 Error add second gre tunnel with the same source interface

  • T4165 Custom conntrack rules cannot be deleted

  • T4168 IPsec VPN is impossible to restart when DMVPN is configured

  • T4183 IPv6 link-local address not accepted as wireguard peer

  • T4184 NTP allow-clients address doesn't work it allows to use ntp server for all addresses

  • T4191 Lost access to host after VRF re-creating

  • T4196 DHCP server client-prefix-length parameter results in non-functional leases

  • T4203 Reconfigure DHCP client interface causes brief outages

  • T4226 VRRP transition-script does not work for groups name which contains -(minus) sign

  • T4228 bond: OS error thrown when two bonds use the same member

  • T4233 ssh: sync regex for allow/deny usernames to "system login"

  • T4234 Show firewall partly broken in 1.3.x

  • T4237 Conntrack-sync error - error adding listen-address command

  • T4240 Cannot add wlan0 to bridge via configure

  • T4241 ocserv openconnect looks broken in recent builds of 1.3 Equuleus

  • T4242 ethernet speed/duplex can never be switched back to auto/auto

  • T4258 [DHCP-SERVER] error parameter on Failover

  • T4259 The conntrackd daemon can be started wrongly

  • T4263 vyos.util.leaf_node_changed() does not honor valueLess nodes

  • T4264 vxlan: interface is destroyed and rebuild on description change

  • T4267 Error - Missing required "ip key" parameter

  • T4273 ssh: Upgrade from 1.2.X to 1.3.0 breaks config

  • T4297 Interface configuration saving fails for ice/iavf based interfaces because they can't change speed/duplex settings

  • T4377 generate tech-support archive includes previous archives

Other resolved issues

  • T4227 Typo in help completion of hello-time option of bridge interface

  • T4255 Unexpected print of dict bridge on delete

  • T4476 Next steps after installation is not communicated properly to new users

1.3.0 (21st December 2021)

Breaking changes

  • T3350 OpenVPN config file generation broken

  • T3866 Configs with DNS forwarding listening on OpenVPN interfaces or interfaces without a fixed address cannot be migrated to the new syntax

Configuration syntax changes (automatically migrated)

  • T2162 migration script for router-advert sets link-mtu 0 on bridge interfaces

  • T2691 Upgrade from 1.2.5 to 1.3-rolling-202007040117 results in broken config due to case mismatch

  • T3293 RPKI migration script errors out after CLI rewrite

New features and improvements

  • T3704 Add ability to interact with Areca RAID adapters

  • T3745 op-mode IPSec show vpn ipsec sa sorting

  • T3912 Use a more informative default post-login banner

  • T3945 Add route-map for bgp aggregate-address

  • T3971 Ability to build ISO images for XCP-NG hypervisor

  • T4012 Add VRF support for TFTP

  • T4013 Add pkg cloudwatch for AWS images

  • T4046 Sflow - Add Source address parameter

  • T4049 support command-style output with compare command

  • T4082 Add op mode command to restart ldpd

  • T4084 Dehardcode the default login banner

Bug fixes

  • T1624 Failed to set up config session

  • T1710 [equuleus] buster: add patch to fix live-build missing key error

  • T1847 set_level incorrectly handles path given as empty string

  • T1876 IPSec VTI tunnels are deleted after rekey and dangling around as A/D

  • T2009 Ethernet Interface always stays down

  • T2022 When RADIUS config is active, local logins won't work

  • T2082 WireGuard broken after merging T2057

  • T2158 Commit fails if ethernet interface doesn't support flow control (pause)

  • T2162 migration script for router-advert sets link-mtu 0 on bridge interfaces

  • T2164 Package libstrongswan-standard-plugins missing from image

  • T2167 vyos.ifconfig.get_mac() broken

  • T2176 'WiFiIf' object has no attribute 'set_state'

  • T2177 Commit fails on adding disabled interface to bridge

  • T2241 Changing settings on an interface causes it to fall out of bridge

  • T2273 OpenVPN no longer starts in latest rolling, migrate to systemd

  • T2283 openvpn not starting: ccd path in template not moved to /run/openvpn/ccd

  • T2293 OpenVPN: UnboundLocalError after merging server_network PullRequest

  • T2318 dns-forwarding migration script breaks with invalid interface name

  • T2337 hw-id gone missing from interfaces after upgrade to 1.3-rolling-202004191028

  • T2427 Interface addressing broken since fix for T2372 was merged

  • T2466 live-build encounters apt dependency problem when building with local packages

  • T2578 ipaddrcheck unaware of /31 host addresses - can no longer assign /31 mask to interface addresses

  • T2600 RADIUS system login configuration rendered wrongly

  • T2624 Serial Console: fix migration script for configured powersave and no console

  • T2642 sshd fails to start due to configuration error

  • T2678 High RAM usage on SSH logins with lots of IPv6 routes in the routing table.

  • T2682 VRF aware services - connection no longer possible after system reboot

  • T2691 Upgrade from 1.2.5 to 1.3-rolling-202007040117 results in broken config due to case mismatch

  • T2746 IPv6 link-local addresses not configured

  • T2758 router-advert: 'infinity' is not a valid integer number

  • T2886 RADIUS authentication broken only returns operator level

  • T2894 bond: lacp: member interfaces get removed once bond interface has vlans configured

  • T2952 configd: timeout breaks synchronization of messages, causing freeze

  • T3208 Not possible to change user password

  • T3350 OpenVPN config file generation broken

  • T3370 dhcp: Invalid domain name "private"

  • T3699 login: verify selected "system login user" name is not already used by the base system.

  • T3707 Ping incorrect ip host checks

  • T3822 OpenVPN processes do not have permission to read key files generated with `run generate openvpn key`

  • T3866 Configs with DNS forwarding listening on OpenVPN interfaces or interfaces without a fixed address cannot be migrated to the new syntax

  • T3886 DHCP server can not start

  • T3887 Removal of IPv6 BGP-peer with peer-group may trigger problems

  • T3913 VRF traffic fails after upgrade from 1.3.0-RC6 to 1.3.0-EPA1/2

  • T3934 Openconnect VPN broken: ocserv-worker general protection fault on client connect

  • T3962 Image cannot be built without open-vm-tools

  • T3972 Removing vif-c interface raises KeyError

  • T4015 Update Accel-PPP to a newer revision

  • T4019 Smoketests for SSTP and openconnect fails

  • T4033 VRRP - Error security when setting scripts

  • T4035 Geneve interfaces aren't displayed by operational mode commands

  • T4052 Validator returns traceback on VRRP configuration with the script path not in config dir

  • T4053 VRRP impossible to set scripts out of the /config directory

  • T4167 DMVPN apply wrong param on the first configuration

  • T4201 Firewall - ICMPv6 matches not working as expected on 1.3.0

  • T4268 Elevated LA while using VyOS monitoring feature

  • T4296 Interface config injected by Cloud-Init may interfere with VyOS native

  • T4344 DHCP statistics not matching, conf-mode generates incorrect pool name with dash

  • T4571 Sflow with vrf configured does not use vrf to validate agent-address IP from vrf-configured interfaces

Other resolved issues

  • T1497 "set system name-server" generates invalid/incorrect resolv.conf

  • T1606 Rolling release no longer boots after adding hostname daemon

  • T1676 [equuleus] buster: update GRUB boot parameters during upgrade

  • T2129 XML schema: tagNode not allowed on first level in new XML op-mode definition

  • T2389 BGP community-list unknown command

  • T2722 get_config_dict() and key_mangling=('-', '_') will alter CLI data for tagNodes

  • T3182 Main blocker Task for FRR 7.4/7.5 series update

  • T3293 RPKI migration script errors out after CLI rewrite

  • T3302 Make vyos-configd relay stdout from scripts to the user's console

  • T3687 IS-IS is missing IPv6 support

  • T3689 static ipv6 route isn't deleted in some cases

  • T3695 OpenConnect reports commit success when ocserv fails to start due to SSL cert/key file issues

  • T3697 Impossible to delete IPsec completely

  • T3711 service router-advert interface <name> dnssl option has no effects

  • T3725 show configuration in json format

  • T3735 Configuration with multiple network addresses of firewall network-group via cloud-init fails

  • T4065 IPSEC configuration error: connection to unix:///var/run/charon.ctl failed: No such file or directory

  • T4088 Fix typo in login banner

  • T4115 reboot in <x> not working as expected

  • T4198 Error shown on commit

1.3.0-epa3 (5th November 2021)

Configuration syntax changes (automatically migrated)

  • T3925 Tunnel: dhcp-interface not implemented - use source-interface instead

New features and improvements

  • T3927 Kernel: Enable kernel support for HW offload of the TLS protocol

  • T3942 Generate IPSec debug archive from op-mode

Bug fixes

  • T3610 DHCP-Server creation for not primary IP address fails

  • T3846 dmvpn configuration not reapplied after "restart vpn"

  • T3921 tunnel: KeyError when using dhcp-interface

  • T3922 NHRP: delete fails

  • T3925 Tunnel: dhcp-interface not implemented - use source-interface instead

  • T3926 strip-private does not sanitize "cisco-authentication" from NHRP configuration

  • T3941 "show vpn ipsec sa" shows established time of parent SA not child SA's

  • T3943 "netflow source-ip" prevents image upgrades if IP address does not exist locally

  • T3944 VRRP fails over when adding new group to master

  • T3954 FTDI cable makes VyOS sagitta latest hang, /dev/serial unpopulated, config system error

  • T3956 GRE tunnel - unable to move from source-interface to source-address, commit error

  • T4004 IPsec ike-group parameters are not saved correctly (after reboot)

  • T4034 "make xcp-ng-iso" still includes vyos-xe-guest-utilities

Other resolved issues

  • T3188 Tunnel local-ip to dhcp-interface Change Fails to Update

  • T3341 Wrong behavior of the "reset vpn ipsec-peer XXX tunnel XXX" command

  • T3626 Configuring and disabling DHCP Server

  • T3918 DHCPv6 prefix delegation incorrect verify error

  • T3920 dhclient exit hook script 01-vyos-cleanup causes too many arguments error

  • T3990 WATCHFRR: crashlog and per-thread log buffering unavailable (due to files left behind in /var/tmp/frr/ after reboot)

  • T4005 Feature Request: IPsec IKEv1 + IKEv2 for one peer

1.3.0-epa2 (18th October 2021)

New features and improvements

  • T3277 DNS Forwarding - reverse zones

  • T3885 dhcpv6-pd: randomly generated DUID is not persisted

  • T3890 dhcp(v6): provide op-mode commands to retrieve both server and client logfiles

  • T3899 Add support for hd44780 LCD displays

Bug fixes

  • T3750 pdns-recursor 4.4 issue with dont-query and private DNS servers

  • T3874 D-Link Ethernet Interface not working.

  • T3877 VRRP always enabled rfc3768-compatibility even when not specified

  • T3878 get_config_dict() no_tag_node_value_mangle has no effect

  • T3879 GPG key verification fails when upgrading from a 1.3 beta version

  • T3883 VRF - Delete vrf config on interface

  • T3893 MGRE Tunnel commit crash If sit tunnel available

  • T3894 Tunnel Commit Failed if system does not have `eth0`

  • T3904 NTP pool associations silently fail

Other resolved issues

  • T3422 Dynamic DNS doesn't allow zone field with cloudflare protocol

  • T3425 Scripts from the /config/scripts/ folder do not run on live system

  • T3880 EFI boot shows error on display

  • T3882 Upgrade PowerDNS recursor to 4.5 series

  • T3888 Incorrect warning when poweroff command executed from configure mode.

  • T3889 Migrate to journalctl when reading daemon logs

1.3.0-epa1 (30th September 2021)

Configuration syntax changes (automatically migrated)

  • T3672 DHCP-FO with multiple subnets results in invalid/non-functioning dhcpd.conf configuration file output

  • T3779 Backport all 1.4 IS-IS features and configuration to 1.3 except VRF

  • T3804 cli: Migrate and merge "system name-servers-dhcp" into "system name-server"

  • T3842 Backport DHCP server improvements from VyOS 1.4 sagitta to 1.3 equuleus

New features and improvements

  • T1099 Openvpn: use config files instead of one long command.

  • T1154 use of local cache to build iso

  • T1176 FRR - BGP replicating routes

  • T1350 VRRP transition script will be executed once only

  • T3716 Linux kernel parameters ignore_routes_with_link_down- ignore disconnected routing connections

  • T3779 Backport all 1.4 IS-IS features and configuration to 1.3 except VRF

  • T3789 Add custom validator for base64 encoded CLI data

  • T3803 Add source-address option to the ping CLI

  • T3804 cli: Migrate and merge "system name-servers-dhcp" into "system name-server"

  • T3840 dns forwarding: Cache size should allow values > 10k

  • T3841 dhcp-server: add ping-check option to CLI

  • T3842 Backport DHCP server improvements from VyOS 1.4 sagitta to 1.3 equuleus

  • T3857 reboot: send wall message to all users for information

  • T3859 Add "log-adjacency-changes" to ospfv3 process

Bug fixes

  • T945 Unable to change configuration after changing it from script (vbash + script-template)

  • T1148 epa2 BGP peers initiate before config is fully loaded, routes leak.

  • T1249 multiple PBR rules can set to a single interface

  • T1894 FRR config not loaded after daemons segfault or restart

  • T2019 LLDP wrong config generation for interface 'all'

  • T2127 restart dhcp server reports a failure

  • T2161 snmpd cannot start if ipv6 disabled

  • T2328 dhcpv6 server not starting (disable check reversed?)

  • T2430 cannot delete specific route static next-hop

  • T2432 dhcpd: Can't create new lease file: Permission denied

  • T2434 Duplicate Address Detection Breaks Interfaces

  • T2525 OSPFv3 missing route map, not establishing

  • T2623 Creating sit tunnel fails with “Can not set “local” for tunnel sit tun1 at tunnel creation”

  • T2738 Modifying configuration in the "interfaces" section from VRRP transition scripts causes configuration lockup and high CPU utilization

  • T2759 validate-value prints error messages from validators that fail even if overall validation succeeds

  • T2800 Pseudo-Ethernet: source-interface must not be member of a bridge

  • T2895 VPN IPsec "leftsubnet" declared 2 times

  • T2920 Commit crash when adding the second mGRE tunnel with the same key

  • T2931 Unicode decode error causes vyos.configd service to restart

  • T2941 Using a non-ASCII character in the description field causes UnicodeDecodeError in configsource.py

  • T3076 Router reboot adds unwanted 'conntrack-sync mcast-group '225.0.0.50'' line to configuration

  • T3196 No NAT translations showing up

  • T3219 Typo in openvpn server client config for IPv6 iroute

  • T3601 Error in ssh keys for vmware cloud-init if ssh keys is left empty.

  • T3637 vrf: bind-to-all didn't work properly

  • T3672 DHCP-FO with multiple subnets results in invalid/non-functioning dhcpd.conf configuration file output

  • T3708 isisd and gre-bridge commit error

  • T3731 verify_accel_ppp_base_service return wrong config error for SSP

  • T3738 openvpn fails if server and authentication are configured

  • T3740 HTTPs API breaks when the address is IPv6

  • T3756 VyOS generates invalid QR code for wireguard clients

  • T3772 VRRP virtual interfaces are not shown in show interfaces

  • T3773 Delete the "show system integrity" command (to prepare for a re-implementation)

  • T3777 adding IPv6 EUI64 address fails commit in 1.3.0-rc6

  • T3781 Revert the NAT implementation in 1.3 back to iptables

  • T3782 Ingress Shaping with IFB No Longer Functional with 1.3

  • T3783 "set protocols isis spf-delay-ietf" is not working

  • T3786 GRE tunnel source address 0.0.0.0 error

  • T3788 Keys are not allowed with ipip and sit tunnels

  • T3790 Not possible to configure PPTP static ip-address for users

  • T3792 login: A hyphen present in a username from "system login user" is replaced by an underscore

  • T3797 show interface errors with vrrp configuration

  • T3802 Commit fails if ethernet interface doesn't support flow control

  • T3805 OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface

  • T3806 Don't set link local ipv6 address if MTU less than 1280

  • T3807 Op Command "show interfaces wireguard" does not show the output

  • T3808 ipsec is mistakenly restarted after delete

  • T3816 Error after entering outbound-interface command in NAT

  • T3850 Dots are no longer allowed in SSH public key names

  • T3860 Error on pppoe, tunnel and wireguard interfaces for IPv6 EUI64 addresses

  • T3867 vxlan: multicast group address is not validated

Other resolved issues

  • T1202 Add `hvinfo` to the packages directory

  • T1214 Add `ipaddrcheck` to the packages directory

  • T1236 Update Linux Kernel

  • T2027 get_config_dict is failing when the configuration section is empty/missing

  • T2555 XML op-mode generation scripts silently discard XML nodes

  • T2727 Add a dotted decimal value validator

  • T2927 isc-dhcpd release and expiry events never execute

  • T3217 Save FRR configuration on each commit

  • T3234 multi_to_list fails in certain cases, with root cause an element redundancy in XML interface-definitions

  • T3254 Dynamic DNS status shows incorrect last update time

  • T3291 Fault on setting offload RPS with single-core CPU

  • T3362 1.3 - RC1 ifb redirect failing to commit

  • T3381 Change GRE tunnel failed

  • T3396 syslog can't be configured with an ipv6 literal destination in 1.2.x

  • T3431 Show version all bug

  • T3537 Unable to override the default OSPFv3 link cost for wireguard interface

  • T3634 Add op command option for ping for do not fragment bit to be set

  • T3683 VXLAN not accept ipv6 and source-interface options and mtu bug

  • T3730 op-mode conntrack-sync miss some functions

  • T3732 override-default helper should support adding defaultValues to default less nodes

  • T3768 Remove early syntaxVersion implementation

  • T3776 Rename FRR daemon restart op-mode commands

  • T3814 wireguard: commit error showing incorrect peer name from the configured name

  • T3819 Upgrade Salt Stack 3002.3 -> 3003 release train

  • T3820 PowerDNS recursor - update from 4.3 -> 4.4 to sync with current