1.3 Eqquleus

1.3.9 (future release)

Bug fixes

• T5926 IPSEC does not apply after l2tp configuration was changed

Other resolved issues

• T1311 WAN load-balancing can't flush connections when conntrack-sync is enabled

1.3.8 (25th June 2024)

Bug fixes

• T5725 protocol IS-IS configuration is empty if a tunnel does not have remote address

• T6337 Upgrade from 1.3.5 fails if ssh public key name has a space in it

• T6359 Multicast does not forward after reboot

1.3.7 (13th May 2024)

Security

• T6324 CVE-2024-2961

New features and improvements

• T1244 Add support for StartupResync in conntrack-sync

• T5364 Make it possible to set the PADO delay to 0

• T5418 Allow arbitrary subnets in PPPoE client IP pools

• T5504 Make it possible to set more than one peer-address in unicast VRRP

• T6057 Add ability to disable syslog for conntrackd

Bug fixes

• T1751 DNS server addresses from DHCPv6 are not added to resolv.conf

• T1976 deleting address-family under neighbor will disable neighbor

• T2044 RPKI doesn't boot properly

• T2113 OpenVPN Options error: you cannot use --verify-x509-name with --compat-names or --no-name-remapping

• T2279 Router resolves as 127.0.1.1 when using Router's Recursive DNS

• T2590 DHCPv6 not updating nameservers and search domains since replacing isc-dhcp-client with WIDE dhcp6c

• T2612 HTTPS API, changing API key fails but goes through

• T2801 conntrack-tools flooding logs

• T2998 SNMP v3 oid "exclude" option doesn't work

• T3437 BGP Confederation Addition Causes Error

• T3992 Unhandled exception when trying to add an interface with an assigned address to a bridge

• T4270 When "ignore-hosts-file" is unset, local hostname of the router resolves to 127.0.1.1 in the DNS forwarding service

• T4453 dhclient fails to renew DHCP lease with VRF

• T5239 Host name and domain name missing from the FRR configuration

• T5982 Isolated interfaces smoketest fail

• T6004 Missing RPKI boot priority prevents it from loading

• T6056 Applying 'system static-host-mapping'  command calls unnecessary snmpd restart

• T6088 Configuration corrupted after saving and powercut or force reboot

• T6096 Config commits are not synced properly because 00vyos-sync is deleted by vyos-router

• T6110 Insufficient validation of range option with failover in DHCP server

• T6124 Docker equuleus build image doesn't build due to fpm

• T6141 Trying to set PADO delay in PPPoE server without also configuring the session options causes a commit failure

• T6150 Impossible to set a static IP address via RADIUS in IPoE

• T6193 dhcp-client: invalid warning "is not a DHCP interface but uses DHCP name-server option" for VLAN interfaces

• T6196 route-map and summary-only do not work in BGP aggregation at the same time

• T6243 Update vyos-http-api-tools for package idna security advisory

Other resolved issues

• T1198 Extra hyphen in suggested image name on upgrade

• T3584 Migrate NTP server addresses from *.pool.ntp.org to our own

• T6261 Typo in the operational mode connect and disconnect command output

1.3.6 (14th February 2024)

Security

• T5318 Security Vulnerabilities for VyOS 1.3.3

Configuration syntax changes (automatically migrated)

• T2060 source-validation will be configured at different locations and could lead to massive confusion

• T2289 Denest cerbot certificate configuration from service https

New features and improvements

• T1929 ipset in firewall

• T2060 source-validation will be configured at different locations and could lead to massive confusion

• T2116 Processing configuration via Cloud-init User-Data

• T2191 Using tallow to block sshd probes

• T2289 Denest cerbot certificate configuration from service https

• T3039 Resize a root partition and filesystem automatically during deployment in virtual environments

• T4039 Rsyslog to use 'protocol23format' for protocol UDP

• T4078 A hybrid of "network-group" and "address-group".

• T5182 Update Intel ice driver

• T5187 Update Realtek r8152 driver

• T5275 Add op mode commands for exporting certificates to PEM files with correct headers

• T5796 Openconnect - HTTPS  security headers are missing

Bug fixes

• T117 Cannot install from ISO via serial console on ttyS1

• T1925 DMVPN is always listed as down in "show vpn ipsec sa"

• T2085 Building some packages with vyos-build no longer works for Equuleus/current

• T2163 Disabled vif interface with "address dhcp" requests DHCP address

• T2404 Cannot change MTU

• T2509 No inotify notifications from /

• T2574 wan-load-balance snat bug and route problem

• T2793 compare + TAB completion does not show proper username if user contains _

• T2837 make-version-file  executed too early during build process

• T3154 route-map CLI allows 32-bit ASNs in community options even though FRR doesn't

• T3980 vrrp transition-script validator makes warning fatal and also causes a python NameError exception

• T4062 VRRP IPSEC-AH : sequence number xxxxxxx already processed. Packet dropped. Local(xxxxxxx)

• T4566 Cannot log in on serial console on Equuleus v1.3.1

• T4752 ICMP redirects not working / not properly configured

• T4760 VyOS does not support running multiple instances of DHCPv6 clients

• T4990 Commit results may not be properly saved if power is cut immediately after a successful commit

• T5180 initramfs-tools ignores firmware from updates directory

• T5543 Fix source address handling in static joins

• T5625 "restart vpn" does not work if ipsec-interfaces is not set

• T5739 Password recovery does not work if public keys are configured

• T5800 HTTPS API unavailable after delete VRF

• T5852 Reboots fail with eapol WAN interface

• T5914 CVE-2023-48795 - Terrapin vulnerability

• T5924 Build cannot pass the smoketest dialup-router-medium-vpn

• T5967 Multi-hop BFD connections can't be established; please add minimum-ttl option.

• T6017 Update vyos-http-api-tools for security advisory

Other resolved issues

• T922 OSPF - Process Crash after peer reboot

• T1297 Add GARP settings to VRRP/keepalived

• T1369 GCP Networking Failure

• T1500 Slow boot/load and CLI response times

• T1667 Add a tool for automatically importing old style command definitions into XML

• T1671 rewrite udev script logic /lib/udev/vyatta_net_name

• T1981 Allow route-map 'set src' to reference both IPv4 and IPv6

• T2223 convert operational show interfaces to python/XML

• T2353 Interface [conf_mode] errors parent task

• T2431 Python validators are slow

• T2452 Serial console related issues

• T2546 The root task for rewriting [op-mode] to XML

• T2579 The root task for VRF features

• T2655 ConfigError formatting issue

• T2720 Rework vyos.template Python module to make future extension easier

• T2755 Requirements for partial interface setup

• T2799 VyOS Certificates Manager

• T3191 PAM RADIUS freezing when accounting does not configured on RADIUS server

• T3348 dhcpd: Can't create new lease file: Permission denied

• T3403 Error on interrupting list of pppoe sessions

• T3513 Attempting to remove firewall rule results in error

• T3688 Fail to save configuration via scp/sftp

• T3737 openvpn-option needs to be able to support quotes as since openvpn 2.4.

• T3813 Some custom sysctl parameters can't be applied bug

• T4222 Support for TWAMP as round-trip metric

• T4646 USB serial output console does not work

• T5274 Add a deprecation warning for OpenVPN site-to-site with pre-shared secret

• T5714 IPSec VPN: op-mode: "show log vpn" does not show results

• T5715 IPSec VPN: restart vpn is not working

• T6014 Bump keepalived version

• T6249 ISO builder fails because of changed buster-backport repository

1.3.5 (15th December 2023)

Configuration syntax changes (automatically migrated)

• T2139 openvpn: allow "dh-file none" to disable DH for ECDH keys

New features and improvements

• T1118 Obsolete "utc" option in time selector in firewall

• T2014 Use vendor specific NTP Pool hostname

• T2139 openvpn: allow "dh-file none" to disable DH for ECDH keys

• T4269 node.def generator should automatically add default values

• T5213 Accel-ppp sending accounting interim updates acct-interim-interval option

• T5270 Make OpenVPN `tls dh-params` optional

• T5271 Add support for peer-fingerprint to OpenVPN

• T5273 Add op mode commands for displaying certificate details and fingerprints

• T5387 dhcp6c: add a no release option

• T5576 Add bgp remove-private-as all option

• T5586 Disable by default SNMP for Keepalived VRRP

• T5630 pppoe: allow to specify MRU in addition to already configurable MTU

• T5661 Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection

Bug fixes

• T305 loadbalancing does not work with one pppoe connection and another connection of either dhcp or static

• T971 authentication public-keys options quoting issue

• T1012 vyos-build configure script should check /etc/issue to avoid confusion

• T2051 Throughput anomalies

• T2250 vyos-build "make iso" error if configure was ran outside of the docker container

• T3020 The "scp" example is wrong in the bash-completion for "set system config-management commit-archive location"

• T3045 Changes to Conntrack-Sync don't apply correctly (Mutlicast->UDP)

• T3940 DHCP client does not remove IP address when stopped by the 02-vyos-stopdhclient hook

• T4146 Nginx should not listen on port 80

• T4328 Large MTU on 1.3.1-S1

• T4402 OpenVPN client-ip-pool option is broken

• T4601 dhcp : relay agent IP address issue.

• T4776 NVME storage is not detected properly during installation

• T5223 tunnel key doesn't clear

• T5235 SSH keys with special characters cannot be applied via Cloud-init

• T5402 VRRP router with rfc3768-compatibility sends multiple ARP replies

• T5413 Deny the opportunity to use one public/private key pair on both wireguard peers.

• T5486 Service dns dynamic cannot pass the smoketest

• T5669 VXLAN interface changing port does not work

• T5670 bridge: missing member interface validator

• T5763 Fix imprecise check for remote file name in vyos-load-config.py

• T5777 frr: backport and upstream recent bgpd daemon crashes

Other resolved issues

• T1276 dhcp relay + VLAN fails

• T2719 Standardized op mode script structure

• T3536 Unable to list all available routes

• T3702 Policy: Allow routing by fwmark

• T5191 Replace underscores with hyphens in command-line options generated by vyos.opmode

• T5268 OpenVPN: upgrade package to 2.6 series

• T5280 Update Expired keys (2023-06-08) for PowerDNS

• T5578 "ikev2-reauth" description contains outdated information

• T5624 Remove /etc/debian_version from the image

• T5632 Add jq package to parse JSON files

• T5817 Show openvpn server fails in some cases

1.3.4 (17th October 2023)

New features and improvements

• T738 Add local-port and resolver port options for powerdns in CLI configuration tree

• T2123 Configure 3 NTP servers

• T2424 Ability to choose the direction of Mirroring

• T3144 Support op-mode command to release DHCP leases

• T3546 Add support for running scripts on PPPoE server session events

• T4151 IPV6 local PBR Support

• T4426 Add arpwatch to the image

• T4475 route-map does not support ipv6 peer

• T4825 interfaces veth/veth-pairs -standalone used

• T5190 Cloud-Init cannot fetch Meta-data on machines where the main Ethernet interface is not eth0

• T5265 WAN load-balancing: missing completion helpers

• T5315 vrrp: add support for version 3

• T5354 Add sshguard to protect against brut-forces for 1.3

Bug fixes

• T2611 Prefix list names are shared between ipv4 and ipv6

• T2908 VRF and bridge membership isn’t mutually exclusive

• T2958 DHCP server doesn't work from a live CD

• T3070 Firewall going OOM, possible related to nftables migration

• T3098 Cannot talk to rtnetlink: Message too long Command failed -:1

• T3339 Cloud-Init domain search setting not applied

• T4113 Incorrect GRUB configuration parsing

• T4121 Nameservers from DHCP client cannot be used in specific cases

• T4407 Network-config v2 is broken in Cloud-init 22.1 and VyOS 1.3

• T4412 commit archive: reboot not working with sftp

• T4459 API service with VRF doesn't work in 1.3.1

• T4745 CLI TAB issue with values with '-' at the beginning in conf mode

• T4790 RADIUS login does not work if sum of timeouts more than 50s

• T4855 Trying to create more than one tunnel of the same type to the same address causes unhandled exception

• T4869 A network with `/32` or `/128` mask cannot be removed from a network-group

• T4895 Tag nodes are overwritten when configured by Cloud-Init from User-Data

• T5006 Http api segfault with concurrent requests

• T5140 Firewall network-group problems

• T5221 BGP as-override behavior differs from new FRR and other vendors

• T5240 Service router-advert failed to start radvd with more then 3 name-servers

• T5305 REST API configure operation should not be defined as async

• T5313 UDP broadcast relay - missing verify() that relay interfaces have an IP address assigned

• T5329 Wireguard interface as GRE tunnel source causes configuration error on boot

• T5428 dhcp: client renewal fails when running inside VRF

• T5506 Container bridge interfaces do not have a link-local address

• T5524 Add config directory to liveCD

• T5533 Keepalived VRRP IPv6 group enters in FAULT state

• T5545 sflow is not working

• T5555 Fix timezone migrator (system 13-to-14)

• T5594 VRRP - Error if using IPv6 Link Local as hello source address

Other resolved issues

• T469 Problem after commit with errors

• T2296 Upgrade WALinux to 2.2.41

• T3424 PPPoE IA-PD doesn't work in VRF

• T3577 Generating vpn x509 key pair fails with command not found

• T3713 Create a meta-package for user utilities

• T4306 Do not check for ditry repository when building release images

• T4874 Add Warning message to Equuleus

• T4933 Malformed lines cause vyos.util.colon_separated_to_dict fail with a nondescript error

• T5272 Upgrade OpenVPN to 2.6 in Equuleus

• T5470 wlan: can not disable interface if SSID is not configured

• T5557 bgp: Use treat-as-withdraw for tunnel encapsulation attribute CVE-2023-38802

1.3.3 (22th June 2023)

Security

• T3835 vyos router 1.2.7 snmp Dos bug

• T4970 pin OCaml pcre package to avoid JIT support

Configuration syntax changes (automatically migrated)

• T4628 ConfigTree() throws ValueError() if tagNode contains whitespaces

New features and improvements

• T1024 Policy Based Routing by DSCP

• T1928 Is the 'Welcome to VyOS' message when using SSH an information leak?

• T1993 Extended pppoe rate-limiter

• T2603 pppoe-server: reduce min MTU

• T2640 Running VyOS inside Docker containers

• T2769 Add VRF support for syslog

• T3937 Rewrite "show system memory" in Python to make it usable as a library function

• T4219 support incoming-interface (iif) in local PBR

• T4575 vyos.utill add new wrapper "rc_cmd" to get the return code and output

• T4683 Add kitty-terminfo package to build

• T4727 Add RADIUS rate limit support to PPTP server

• T4743 Enable IPv6 address for Dynamic DNS

• T4785 snmp: Allow !, @, * and # in community name

• T4812 IPsec ability to show all configured connections

• T4898 Add mtu config option for dummy interfaces

• T4922 Add ssh-client source-interface CLI option

• T4947 Support mounting container volumes as ro or rw

• T4948 pppoe: add CLI option to allow definition of host-uniq flag

• T4949 Backport "monitor log" and "show log" op-mode definitions from current to equuleus

• T4959 Add container registry authentication config for containers

• T4971 Radius attribute "Framed-Pool" for PPPoE

• T5033 generate-public-key command fails for address with multiple public keys like GitHub

• T5098 PPPoE client holdoff configuration

Bug fixes

• T2118 Failure to boot after power outage due to dirty filesystem and no fsck in initramfs

• T2189 Adding a large port-range will take ~ 20 minutes to commit

• T2516 vyos-container: cannot configure ethernet interface

• T2838 Ethernet device names changing, multiple hw-id being added

• T3852 DHCP client issue - interface has two dhclient processes when link is unpluged and then plug again

• T4117 Does not possible to configure PoD/CoA for L2TP vpn

• T4153 Monitor bandwidth-test initiate not working

• T4177 Strip-private doesn't work for service monitoring

• T4312 Telegraf configuration doesn't accept IPs for URL

• T4533 Radius clients don’t  have simple permissions

• T4582 Router-advert: Preferred lifetime cannot equal valid lifetime in PIOs

• T4628 ConfigTree() throws ValueError() if tagNode contains whitespaces

• T4630 Prevent attempts to use the same interface as a source interface for pseudo-ethernet and MACsec at the same time

• T4642 proxy: hyphen not allowed in proxy URL

• T4648 PPPoE: Ignore default router from RA when PPPoE default-route is set to none

• T4664 Add validation to reject whitespace in tag node value names

• T4668 Adding/removing members from bond doesn't work/results in incorrect interface state

• T4671 linux-firmware package is missing symlinks defined in WHENCE file

• T4679 OpenVPN site-to-site incorrect check for IPv6 local and remote address

• T4680 Telegraf prometheus-client listen-address invalid format

• T4702 Wireguard peers configuration is not synchronized with CLI

• T4709 TCP MSS clamping broken in equuleus

• T4730 Conntrack-sync error - listen-address is not the correct type in config as it should be

• T4737 FRRouting/zebra 7.5.1 does not redistribute routes to other protocols

• T4799 PowerDNS >= 4.7 does not get reloaded by vyos-hostsd

• T4872 Op-mode show openvpn misses a case when parsing for tunnel IP

• T4884 Missing a community6 in snmpd config

• T4896 ospfv3: Fix broken not-advertise option

• T4902 snmpd: exclude container storage from monitoring

• T4918 Odd show interface behavior

• T4939 VRRP command  no-preempt not work as expected

• T4955 Openconnect radiusclient.conf generating with extra authserver

• T4975 CLI does not work after cutting off the power or reset

• T4978 KeyError: 'memory' container_config['memory'] on upgrading to 1.4-rolling-202302041536

• T4992 Incorrect check is_local_address for bgp neighbor with option ip_nonlocal_bind set

• T4993 Can't delete conntrack ignore rule

• T5009 op-mode command:  restart dhcp relay-agent not working

• T5011 Some interface drivers don't support min_mtu and max_mtu and verify_mtu check should be skipped

• T5017 Bug with validator interface-name

• T5047 Recreate only a specific container

• T5066 Different GRE tunnel but same tunnel keys error

• T5136 Possible config corruption on upgrade

• T5152 Telegraf agent hostname isn't qualified

• T5175 http-api: error in MultiPart parser for FastAPI version >= 0.91.0

• T5176 http-api: update vyos-http-api-tools for FastAPI security vulnerability

• T5186 QoS test cannot pass for 1.3

Other resolved issues

• T1288 FRR: rewrite staticd backend (/opt/vyatta/share/vyatta-cfg/templates/protocols/static/*)

• T1875 Add the ability to use network address as BGP neighbor (bgp listen range)

• T2913 Failure to install fpm while building builder docker image

• T3083 Add feature event-handler

• T3608 Standardize warnings from configure scripts

• T3810 webproxy squidguard rules don't work properly after rewriting to python.

• T4122 interface ip address config missing after upgrade from 1.2.8 to 1.3.0 (when redirect is configured?)

• T4262 install image doesn't respect chosen root partition size

• T4381 OpenVPN: Add "Tunnel IP" column in "show openvpn server" operational command

• T4511 IPv6 DNS lookup

• T4625 Update ocserv to current revision (1.1.6)

• T4652 Upgrade PowerDNS recursor to 4.7 series

• T4798 Migrate the file-exists validator away from Python

• T4832 dhcp: Add IPv6-only dhcp option support (RFC 8925)

• T4875 Replace Python validator 'interface-name' to avoid Python startup cost

• T4900 Cache intermediary results of get_config_diff in Config instance

• T4906 ipsec connections shows only one connection as up

• T4925 Need to add the possibility to configure Pseudo-Random Functions (PRF) in IKEv2

• T4999 vyos.util backport dict_search_recursive

• T5007 Interface multicast setting is invalid

• T5008 MACsec CKN of 32 chars is not allowed in CLI, but works fine

• T5111 pppd-dns.service startup failed

• T5243 Default route is inactive if an interface has multiple ip addresses of the same subnet in 1.3.2 Equuleus

1.3.2 (7th November 2022)

New features and improvements

• T1375 Add clear  dhcp server  lease function

• T2580 Support for ip pools for ippoe

• T2683 no dual stack in system static-host-mapping host-name

• T2763 New SNMP resource request - SNMP over TCP

• T3318 Update Linux Kernel to v5.4.208 / 5.10.142

• T3785 Add unicode support to configtree backend

• T4260 Extend vyos.configdict.node_changed() to support recursiveness

• T4315 Telegraf - Output to prometheus

• T4336 isis: add support for MD5 authentication password on a circuit

• T4346 Deprecate "system ipv6 disable" option to disable address family within OS kernel

• T4373 PPPoE-server add multiplier option for shaper

• T4395 Extend show vpn debug

• T4421 Add support for floating point numbers in the numeric validator

• T4442 HTTP API add action "reset"

• T4456 NTP client in VRF tries to bind to interfaces outside VRF, logs many messages

• T4489 MPLS sysctl not persistent for tunnel interfaces

• T4507 IPoE-server add multiplier option for shaper

• T4509 Feature Request: DNS64

• T4515 Reduce telegraf binary size

• T4522 bond: add ability to specify mii monitor interval via CLI

• T4584 hostap: create custom package build

• T4614 OpenConnect split-dns directive

• T4647 Add Google Virtual NIC (gVNIC) support

Bug fixes

• T2194 "show firewall" garbled output

• T2654 Multiple names unable to be assigned to the same static mapping

• T3507 Bond with mode LACP show u/u in show interfaces even if peer is not configured

• T3714 Some sysctl custom parameters disappear after reboot

• T4206 Policy Based Routing with DHCP Interface Issue

• T4230 OpenVPN server configuration deleted after reboot when using a VRRP virtual-address

• T4294 Adding a new openvpn-option does not restart the OpenVPN process

• T4313 "generate public-key-command" throws unhandled exceptions when it cannot retrieve the key

• T4319 The command "set system ipv6 disable" doesn't work as expected.

• T4324 wwan: check alive script should only be run via cron if a wwan interface is configured at all

• T4330 MTU settings cannot be applied when IPv6 is disabled

• T4331 IPv6 link local addresses are not configured when an interface is in a VRF

• T4337 isis: IETF SPF delay algorithm can not be configured - results in vyos.frr.CommitError

• T4338 wwan: changing interface description should not trigger reconnect

• T4339 wwan: tab-completion results in "No such file or directory" if there is no WWAN interface

• T4341 login: disable user-account prior to deletion and wait until deletion is complete

• T4350 DMVPN opennhrp spokes dont work behind NAT

• T4354 Slave interfaces fall out from bonding during configuration change

• T4361 `vyos.config.exists()` does not work for nodes with multiple values

• T4363 salt-minion: default mine_interval option is not set

• T4366 geneve: interface is removed on changes to e.g. description

• T4369 OpenVPN: daemon not restarted on changes to "openvpn-option" CLI node

• T4388 dhcp-server: missing constraint on tftp-server-name option

• T4405 DHCP client sometimes ignores `no-default-route` option of an interface

• T4441 wwan: connection not possible after a change added after 1.3.1-S1 release

• T4447 DHCPv6 prefix delegation `sla-id` limited to 128

• T4468 web-proxy source group cannot start with a number bug

• T4510 set system static-host-mapping doesn't allow IPv4 and IPv6 for same name.

• T4513 Webproxy monitor commands do not work

• T4521 bond: ARP monitor interval is not configured despite set via CLI

• T4525 Delete interface from VRF and add it to bonding error

• T4527 Prevent to create VRF name default

• T4532 Flow-accounting IPv6 server/receiver bug

• T4534 bond: bridge: error out if member interface is assigned to a VRF instance

• T4537 MACsec not working with cipher gcm-aes-256

• T4538 Macsec does not work correctly when the interface status changes.

• T4565 vlan aware bridge not working with - Kernel: T3318: update Linux Kernel to v5.4.205 #249

• T4572 Add an option to force interface MTU to the value received from DHCP

• T4579 bridge: can not delete member interface CLI option when VLAN is enabled

• T4592 macsec: can not create two interfaces using the same source-interface

• T4616 openconnect: KeyError: 'local_users'

• T4618 Traffic policy not set on virtual interfaces

• T4632 VLAN-aware bridge not working

• T4653 Interface offload options are not applied correctly

• T4666 EAP-TLS no longer allows TLSv1.0 after T4537, T4584

Other resolved issues

• T4415 Include license/copyright files in the image but remove user documentation from /usr/share/doc to reduce its size

• T4430 Show firewall output with visual shift default rule

• T4629 Raised ConfigErrors contain dict instead of only the dict key

• T4654 RPKI cache incorrect description

1.3.1 (21th March 2022)

Security

• T4204 Update Accel-PPP to a newer revision

• T4310 CVE-2022-0778: infinite loop in OpenSSL certificate parsing

• T4311 CVE-2021-4034: local privilege escalation in PolKit

Configuration syntax changes (automatically migrated)

• T1972 Allow setting interface name for virtual_ipaddress in VRRP VRID

• T4273 ssh: Upgrade from 1.2.X to 1.3.0 breaks config

New features and improvements

• T1972 Allow setting interface name for virtual_ipaddress in VRRP VRID

• T2400 OpenVPN: dont restart server if no need

• T2764 Increase maximum number of NAT rules

• T3164 console-server ssh does not work with RADIUS PAM auth

• T3299 Allow the web proxy service to listen on all IP addresses

• T3854 Missing op-mode commands for conntrack-sync

• T3872 Add configurable telegraf monitoring service

• T4055 Add VRF support for HTTP(S) API service

• T4100 Firewall increase maximum number of rules

• T4120 [VXLAN] add ability to set multiple unicast-remotes

• T4128 keepalived: Upgrade package to add VRF support

• T4261 MACsec: add DHCP client support

Bug fixes

• T2922 The `vpn ipsec logging log-modes` miss the IPSec daemons state check

• T3380 "show vpn ike sa" does not display IPv6 peers

• T3686 Bridging OpenVPN tap with no local-address breaks

• T3914 VRRP rfc3768-compatibility doesn't work with unicast peers

• T3924 VRRP stops working with VRF

• T4002 firewall group network-group long names restriction incorrect behavior

• T4081 VRRP health-check script stops working when setting up a sync group

• T4087 IPsec IKE-group proposals limit of 10 pieces

• T4092 IKEv2 mobike commit failed with DMVPN nhrp

• T4093 SNMPv3 snmpd.conf generation bug

• T4101 commit-archive: Use of uninitialized value $source_address in concatenation

• T4104 RAID1: "add raid md0 member sda1" does not restore boot sector

• T4110 [IPV6-SSH/DNS}  enable IPv6 link local adresses as listen-address %eth0

• T4141 Set high-availability vrrp sync-group without members error

• T4142 Input ifbX interfaces not displayed in op-mode

• T4152 NHRP shortcut-target holding-time does not work

• T4154 Error add second gre tunnel with the same source interface

• T4165 Custom conntrack rules cannot be deleted

• T4168 IPsec VPN is impossible to restart when DMVPN is configured

• T4183 IPv6 link-local address not accepted as wireguard peer

• T4184 NTP allow-clients address doesn't work it allows to use ntp server for all addresses

• T4191 Lost access to host after VRF re-creating

• T4196 DHCP server client-prefix-length parameter results in non-functional leases

• T4203 Reconfigure DHCP client interface causes brief outages

• T4226 VRRP transition-script does not work for groups name which contains -(minus) sign

• T4228 bond: OS error thrown when two bonds use the same member

• T4233 ssh: sync regex for allow/deny usernames to "system login"

• T4234 Show firewall partly broken in 1.3.x

• T4237 Conntrack-sync error - error adding listen-address command

• T4240 Cannot add wlan0 to bridge via configure

• T4241 ocserv openconnect looks broken in recent bulds of 1.3 Equuleus

• T4242 ethernet speed/duplex can never be switched back to auto/auto

• T4258 [DHCP-SERVER]  error parameter on Failover

• T4259 The conntrackd daemon can be started wrongly

• T4263 vyos.util.leaf_node_changed() dos not honor valueLess nodes

• T4264 vxlan: interface is destroyed and rebuild on description change

• T4267 Error - Missing required "ip key" parameter

• T4273 ssh: Upgrade from 1.2.X to 1.3.0 breaks config

• T4297 Interface configuration saving fails for ice/iavf based interfaces because they can't change speed/duplex settings

• T4377 generate tech-support archive includes previous archives

Other resolved issues

• T4227 Typo in help completion of hello-time option of bridge interface

• T4255 Unexpected print of dict bridge on delete

• T4476 Next steps after installation is not communicated properly to new users

1.3.0 (21th December 2021)

Breaking changes

• T3350 OpenVPN config file generation broken

• T3866 Configs with DNS forwarding listening on OpenVPN interfaces or interfaces without a fixed address cannot be migrated to the new syntax

Configuration syntax changes (automatically migrated)

• T2162 migration script for router-advert sets link-mtu 0 on bridge interfaces

• T2691 Upgrade from 1.2.5 to 1.3-rolling-202007040117 results in broken config due to case mismatch

• T3293 RPKI migration script errors out after CLI rewrite

New features and improvements

• T3704 Add ability to interact with Areca RAID adapers

• T3745 op-mode IPSec show vpn ipse sa sorting

• T3912 Use a more informative default post-login banner

• T3945 Add route-map for bgp aggregate-address

• T3971 Ability to build ISO images for XCP-NG hypervisor

• T4012 Add VRF support for TFTP

• T4013 Add pkg cloudwatch for AWS images

• T4046 Sflow - Add Source address parameter

• T4049 support command-style output with compare command

• T4082 Add op mode command to restart ldpd

• T4084 Dehardcode the default login banner

Bug fixes

• T1624 Failed to set up config session

• T1710 [equuleus] buster: add patch to fix live-build missing key error

• T1847 set_level incorrectly handles path given as empty string

• T1876 IPSec VTI tunnels are deleted after rekey and dangling around as A/D

• T2009 Ethernet Interface always stays down

• T2022 When RADIUS config is active, local logins won't work

• T2082 WireGuard broken after merging T2057

• T2158 Commit fails if ethernet interface doesn't support flow control (pause)

• T2162 migration script for router-advert sets link-mtu 0 on bridge interfaces

• T2164 Package libstrongswan-standard-plugins missing from image

• T2167 vyos.ifconfig.get_mac() broken

• T2176 'WiFiIf' object has no attribute 'set_state'

• T2177 Commit fails on adding disabled interface to bridge

• T2241 Changing settings on an interface causes it to fall out of bridge

• T2273 OpenVPN no longer starts in latest rolling, migrate to systemd

• T2283 openvpn not starting: ccd path in template not moved to /run/openvpn/ccd

• T2293 OpenVPN: UnboundLocalError after merging server_network PullRequest

• T2318 dns-forwarding migration script breaks with invalid interface name

• T2337 hw-id gone missing from interfaces after upgrade to 1.3-rolling-202004191028

• T2427 Interface addressing broken since fix for T2372 was merged

• T2466 live-build encounters apt dependency problem when building with local packages

• T2578 ipaddrcheck unaware of /31 host addresses - can no longer assign /31 mask to interface addresses

• T2600 RADIUS system login configuration rendered wrongly

• T2624 Serial Console: fix migration script for configured powersave and no console

• T2642 sshd fails to start due to configuration error

• T2678 High RAM usage on SSH logins with lots of IPv6 routes in the routing table.

• T2682 VRF aware services - connection no longer possible after system reboot

• T2691 Upgrade from 1.2.5 to 1.3-rolling-202007040117 results in broken config due to case mismatch

• T2746 IPv6 link-local addresses not configured

• T2758 router-advert: 'infinity' is not a valid integer number

• T2886 RADIUS authentication broken only returns operator level

• T2894 bond: lacp: member interfaces get removed once bond interface has vlans configured

• T2952 configd: timeout breaks synchronization of messages, causing freeze

• T3208 Does not possible to change user password

• T3350 OpenVPN config file generation broken

• T3370 dhcp: Invalid domain name "private"

• T3699 login: verify selected "system login user" name is not already used by the base system.

• T3707 Ping incorrect ip host checks

• T3822 OpenVPN processes do not have permission to read key files generated with `run generate openvpn key`

• T3866 Configs with DNS forwarding listening on OpenVPN interfaces or interfaces without a fixed address cannot be migrated to the new syntax

• T3886 DHCP server can not start

• T3887 Removal of IPv6 BGP-peer with peer-group may trigger problems

• T3913 VRF traffic fails after upgrade from 1.3.0-RC6 to 1.3.0-EPA1/2

• T3934 Openconnect VPN broken: ocserv-worker general protection fault on client connect

• T3962 Image cannot be built without open-vm-tools

• T3972 Removing vif-c interface raises KeyError

• T4015 Update Accel-PPP to a newer revision

• T4019 Smoketests for SSTP and openconnect fails

• T4033 VRRP - Error security when setting scripts

• T4035 Geneve interfaces aren't displayed by operational mode commands

• T4052 Validator return traceback on VRRP configuration with the script path not in config dir

• T4053 VRRP impossible to set scripts out of the /config directory

• T4167 DMVPN apply wrong param on the first configuration

• T4201 Firewall - ICMPv6 matches not working as expected on 1.3.0

• T4268 Elevated LA while using VyOS monitoring feature

• T4296 Interface config injected by Cloud-Init may interfere with VyOS native

• T4344 DHCP statistics not matching, conf-mode generates incorrect pool name with dash

• T4571 Sflow with vrf configured does not use vrf to validate agent-address IP from vrf-configured interfaces

Other resolved issues

• T1497 "set system name-server" generates invalid/incorrect resolv.conf

• T1606 Rolling release no longer boots after adding hostname daemon

• T1676 [equuleus] buster: update GRUB boot parameters during upgrade

• T2129 XML schema: tagNode not allowed on first level in new XML op-mode definition

• T2389 BGP community-list unknown command

• T2722 get_config_dict() and key_mangling=('-', '_') will alter CLI data for tagNodes

• T3182 Main blocker Task for FRR 7.4/7.5 series update

• T3293 RPKI migration script errors out after CLI rewrite

• T3302 Make vyos-configd relay stdout from scripts to the user's console

• T3687 IS-IS is missing IPv6 support

• T3689 static ipv6 route doesn't deleted in some cases

• T3695 OpenConnect reports commit success when ocserv fails to start due to SSL cert/key file issues

• T3697 Impossible to delete IPsec completely

• T3711 service router-advert interface <name> dnssl option has no effects

• T3725 show configuration in json format

• T3735 Configuration with multiple network addresses of firewall network-group via colud-init fails

• T4065 IPSEC configuration error: connection to unix:///var/run/charon.ctl failed: No such file or directory

• T4088 Fix typo in login banner

• T4115 reboot in <x> not working as expected

• T4198 Error shown on commit

1.3.0-epa3 (5th November 2021)

Configuration syntax changes (automatically migrated)

• T3925 Tunnel: dhcp-interface not implemented - use source-interface instead

New features and improvements

• T3927 Kernel: Enable kernel support for HW offload of the TLS protocol

• T3942 Generate IPSec debug archive from op-mode

Bug fixes

• T3610 DHCP-Server creation for not primary IP address fails

• T3846 dmvpn configuration not reapllied after "restart vpn"

• T3921 tunnel: KeyError when using dhcp-interface

• T3922 NHRP: delete fails

• T3925 Tunnel: dhcp-interface not implemented - use source-interface instead

• T3926 strip-private does not sanitize "cisco-authentication" from NHRP configuration

• T3941 "show vpn ipsec sa" shows established time of parent SA not child SA's

• T3943 "netflow source-ip" prevents image upgrades if IP address does not exist locally

• T3944 VRRP fails over when adding new group to master

• T3954 FTDI cable makes VyOS sagitta latest hang, /dev/serial unpopulated, config system error

• T3956 GRE tunnel - unable to move from source-interface to source-address, commit error

• T4004 IPsec ike-group parameters are not saved correctly (after reboot)

• T4034 "make xcp-ng-iso" still includes vyos-xe-guest-utilities

Other resolved issues

• T3188 Tunnel local-ip to dhcp-interface Change Fails to Update

• T3341 Wrong behavior of the "reset vpn ipsec-peer XXX tunnel XXX" command

• T3626 Configuring and disabling DHCP Server

• T3918 DHCPv6 prefix delegation incorrect verify error

• T3920 dhclient exit hook script 01-vyos-cleanup causes too many arguments error

• T3990 WATCHFRR: crashlog and per-thread log buffering unavailable (due to files left behind in /var/tmp/frr/ after reboot)

• T4005 Feature Request: IPsec IKEv1 + IKEv2 for one peer

1.3.0-epa2 (18th October 2021)

New features and improvements

• T3277 DNS Forwarding - reverse zones

• T3885 dhcpv6-pd: randomly generated DUID is not persisted

• T3890 dhcp(v6): provide op-mode commands to retrieve both server and client logfiles

• T3899 Add support for hd44780 LCD displays

Bug fixes

• T3750 pdns-recursor 4.4 issue with dont-query and private DNS servers

• T3874 D-Link Ethernet Interface not working.

• T3877 VRRP always enabled rfc3768-compatibility even when not specified

• T3878 get_config_dict() no_tag_node_value_mangle has no effect

• T3879 GPG key verification fails when upgrading from a 1.3 beta version

• T3883 VRF - Delette vrf config on interface

• T3893 MGRE Tunnel commit crash If sit tunnel available

• T3894 Tunnel Commit Failed if system does not have `eth0`

• T3904 NTP pool associations silently fail

Other resolved issues

• T3422 Dynamic DNS doesn't allow zone field with cloudflare protocol

• T3425 Scripts from the /config/scripts/ folder do not run on live system

• T3880 EFI boot shows error on display

• T3882 Upgrade PowerDNs recursor to 4.5 series

• T3888 Incorrect warning when poweroff command executed from configure mode.

• T3889 Migrate to journalctl when reading daemon logs

1.3.0-epa1 (30th September 2021)

Configuration syntax changes (automatically migrated)

• T3672 DHCP-FO with multiple subnets results in invalid/non-functioning dhcpd.conf configuration file output

• T3779 Backport all 1.4 IS-IS features and configuration to 1.3 except VRF

• T3804 cli: Migrate and merge "system name-servers-dhcp" into "system name-server"

• T3842 Backport DHCP server improvements from VyOS 1.4 sagitta to 1.3 equuleus

New features and improvements

• T1099 Openvpn: use config files instead of one long command.

• T1154 use of local cache to build iso

• T1176 FRR - BGP replicating routes

• T1350 VRRP transition script will be executed once only

• T3716 Linux kernel parameters ignore_routes_with_link_down- ignore disconnected routing connections

• T3779 Backport all 1.4 IS-IS features and configuration to 1.3 except VRF

• T3789 Add custom validator for base64 encoded CLI data

• T3803 Add source-address option to the ping CLI

• T3804 cli: Migrate and merge "system name-servers-dhcp" into "system name-server"

• T3840 dns forwarding: Cache size should allow values > 10k

• T3841 dhcp-server: add ping-check option to CLI

• T3842 Backport DHCP server improvements from VyOS 1.4 sagitta to 1.3 equuleus

• T3857 reboot: send wall message to all users for information

• T3859 Add "log-adjacency-changes" to ospfv3 process

Bug fixes

• T945 Unable to change configuration after changing it from script (vbash + script-template)

• T1148 epa2 BGP peers initiate before config is fully loaded, routes leak.

• T1249 multiple PBR rules can set to a single interface

• T1894 FRR config not loaded after daemons segfault or restart

• T2019 LLDP wrong config generation for interface 'all'

• T2127 restart dhcp server reports a failure

• T2161 snmpd cannot start if ipv6 disabled

• T2328 dhcpv6 server not starting (disable check reversed?)

• T2430 cannot delete specific route static next-hop

• T2432 dhcpd: Can't create new lease file: Permission denied

• T2434 Duplicate Address Detection Breaks Interfaces

• T2525 OSPFv3 missing route map, not establishing

• T2623 Creating sit tunnel fails with “Can not set “local” for tunnel sit tun1 at tunnel creation”

• T2738 Modifying configuration in the "interfaces" section from VRRP transition scripts causes configuration lockup and high CPU utilization

• T2759 validate-value prints error messages from validators that fail even if overall validation succeeds

• T2800 Pseudo-Ethernet: source-interface must not be member of a bridge

• T2895 VPN IPsec "leftsubnet" declared 2 times

• T2920 Commit crash when adding the second mGRE tunnel with the same key

• T2931 Unicode decode error causes vyos.configd service to restart

• T2941 Using a non-ASCII character in the description field causes UnicodeDecodeError in configsource.py

• T3076 Router reboot adds unwanted 'conntrack-sync mcast-group '225.0.0.50'' line to configuration

• T3196 No NAT translations showing up

• T3219 Typo in openvpn server client config for IPv6 iroute

• T3601 Error in ssh keys for vmware cloud-init if ssh keys is left empty.

• T3637 vrf: bind-to-all didn't work properly

• T3672 DHCP-FO with multiple subnets results in invalid/non-functioning dhcpd.conf configuration file output

• T3708 isisd and gre-bridge commit error

• T3731 verify_accel_ppp_base_service return wrong config error for SSP

• T3738 openvpn fails if server and authentication are configured

• T3740 HTTPs API breaks when the address is IPv6

• T3756 VyOS generates invalid QR code for wireguard clients

• T3772 VRRP virtual interfaces are not shown in show interfaces

• T3773 Delete the "show system integrity" command (to prepare for a re-implementation)

• T3777 adding IPv6 EUI64 address fails commit in 1.3.0-rc6

• T3781 Revert the NAT implementation in 1.3 back to iptables

• T3782 Ingress Shaping with IFB No Longer Functional with 1.3

• T3783 "set protocols isis spf-delay-ietf" is not working

• T3786 GRE tunnel source address 0.0.0.0 error

• T3788 Keys are not allowed with ipip and sit tunnels

• T3790 Does not possible to configure PPTP static ip-address to users

• T3792 login: A hypen present in a username from "system login user" is replaced by an underscore

• T3797 show interface errors with vrrp configuration

• T3802 Commit fails if ethernet interface doesn't support flow control

• T3805 OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface

• T3806 Don't set link local ipv6 address if MTU less then 1280

• T3807 Op Command "show interfaces wireguard"  does not show the output

• T3808 ipsec is mistakenly restarted after delete

• T3816 Error after entering outbound-interface command in NAT

• T3850 Dots are no longer allowed in SSH public key names

• T3860 Error on pppoe, tunnel and wireguard interfaces for IPv6 EUI64 addresses

• T3867 vxlan: multicast group address is not validated

Other resolved issues

• T1202 Add `hvinfo` to the packages directory

• T1214 Add `ipaddrcheck` to the packages directory

• T1236 Update Linux Kernel

• T2027 get_config_dict is failing when the configuration section is empty/missing

• T2555 XML op-mode generation scripts silently discard XML nodes

• T2727 Add a dotted decimal value validator

• T2927 isc-dhcpd release and expiry events never execute

• T3217 Save FRR configuration on each commit

• T3234 multi_to_list fails in certain cases, with root cause an element redundancy in XML interface-definitions

• T3254 Dynamic DNS status shows incorrect last update time

• T3291 Fault on setting offload RPS with single-core CPU

• T3362 1.3 - RC1 ifb redirect failing to commit

• T3381 Change GRE tunnel failed

• T3396 syslog can't be configured with an ipv6 literal destination in 1.2.x

• T3431 Show version all bug

• T3537 Unable to override the default OSPFv3 link cost for wireguard interface

• T3634 Add op command option for ping for do not fragment bit to be set

• T3683 VXLAN not accept ipv6 and source-interface options and mtu bug

• T3730 op-mode conntrack-sync miss some functions

• T3732 override-default helper should support adding defaultValues to default less nodes

• T3768 Remove early syntaxVersion implementation

• T3776 Rename FRR daemon restart op-mode commands

• T3814 wireguard: commit error showing incorrect peer name from the configured name

• T3819 Upgrade Salt Stack 3002.3 -> 3003 release train

• T3820 PowerDNS recursor - update from 4.3 -> 4.4 to sync with current