1.4 Sagitta

1.4.1 (future release)

Configuration syntax changes (automatically migrated)

• T6505 Support VXLAN VLAN-VNI range mapping in CLI

New features and improvements

• T5878 Make the list of SSH server ciphers configurable

• T5949 Disable USB autosuspend

• T6320 WiFi: Enable support for 6GHz AccesPoints

• T6423 Require command definition nodes that have an owner to also have a priority

• T6424 ipsec: op-mode command to generate client profiles should honor common name of the CA node that signed the server certificate

• T6454 Explicitly set the default reverse proxy mode to HTTP

• T6462 wireless: add op-mode command for hostapd and wpa_supplicant logs

• T6473 bgp: missing completion helper for peer-groups inside a VRF

• T6477 Adding Loki plugin to Telegraf

• T6505 Support VXLAN VLAN-VNI range mapping in CLI

• T6538 Allow adding a geneve interface to the vrf.

• T6539 Add logging options to load-balancer reverse-proxy

• T6566 op-mode: "monitor bandwidth" add support for listing all interfaces concurrently

• T6576 op-mode: ntp: add support for NTP service restart via CLI

• T6614 Initial support for smoketesting op-mode commands

Bug fixes

• T2145 openvpn: server default topology net30 is incompatible with static client IPs for Windows clients

• T4287 wireless: cannot set regulatory domain

• T5514 Improve error handling when/if config.boot is deleted or missing

• T5552 'set system option performance throughput' enables IPv6 forwarding even if it's explicitly disabled with 'set system ipv6 disable-forwarding'

• T5725 protocol IS-IS configuration is empty if a tunnel does not have remote address

• T5947 [1.3.2 -> 1.4.0-RC1 Migration] Static ipv6 routes dropped

• T6148 Reset vpn ipsec command breaks tunnel and does not reset SAs that are down

• T6332 IPv6-only ISIS (or, in general, dual topology) is not working with other devices running frr

• T6401 Attempts to delete vlan-to-vni option causes an unhandled exception

• T6429 bug - isis metric-style not applied configuration

• T6431 monitor traceroute broken VRF support

• T6453 GRUB variables with `=` in a value are parsed improperly

• T6460 Showing DHCPv6 leases can fail due to DUID parsing issues

• T6463 reverse-proxy: service not reloaded when updating SSL certificate via PKI

• T6464 sstpc: interface not restarted when updating SSL certificate via PKI

• T6480 PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/..../cert.pem

• T6484 Smoketest fails: fastnetmon killed due to OOM

• T6503 Command 'restart ssh' not working

• T6519 interfaces: 20-to-21 -> migration fails if new system has less ethernet interfaces

• T6523 Error: "nft table ip vyos_filter not found" when commiting prometheus-client

• T6559 vyos-configd should return commit error on config dependency error

• T6584 Revert addition of Linux Kernel MT7921 driver

• T6593 Release DHCP interface does not work

• T6600 ospf: smoketest "router ospf' not found in" for ldp sync

• T6602 interfaces: verify supplied VRF name on all interface types

• T6603 vrf: nftables conntrack ct_iface_map contains multiple identical entries

• T6605 `ConfigError()` behavior is wrong with running `vyos-configd`

• T6610 Missing minisign pub key from image

Other resolved issues

• T4026 PKI:  generate pki certificate sign <ca-name> is not working

• T5570 PAM config RADIUS  ignore for default and success

• T6290 SNMPD show logs systemstats_linux: unexpected header length

• T6379 "generate openvpn" uses "comp-lzo no", which leads to problems on Android-Clients

• T6446 Display the support URL from image build data in LTS builds

• T6486 Generate openvpn client-config ignores configured protocol type

• T6500 openconnect: add support for new multi ca-certificate CLI node

• T6524 Rewrite "release dhcp interface <interface>" to Python to drop remaining Perl dependencies

• T6592 Changing VRF on interface fails

• T6594 IPoE-server extended-scripts do not work

• T6597 wireless: hostapd occationly gets deactivated via systemd and causes loss in connectivity

• T6598 Unexpected podman version 4.3.1

1.4.0 (4th June 2024)

New features and improvements

• T3202 Enable wireguard debug messages by default

• T4022 Add package nat-rtsp-dkms

• T4393 sstp: add support for configuring host-name (SNI)

• T5386 Execute VRRP transition script when `set high-availability disable` is commited

• T5752 Check compatibility of new image tools with XCP-NG images

• T6293 add Mediatek MT7921 to defconfig

• T6339 Display the flavor name and build comment in "show version"

• T6395 Enable VFIO No-IOMMU support in kernel config

Bug fixes

• T4576 vpn l2tp logging level configuration

• T5527 Adjust for change in coreutils behavior on overlayfs

• T5939 [1.3.5 -> 1.4.0-RC1 Migration]  as-path-list Entries Get Messed Up

• T5940 [1.3.5 -> 1.4.0-RC1 Migration] commit-archive Fails to Migrate

• T6038 Losing default route after first reboot (cloud-init & DHCP)

• T6094 Destination Nat not Making Firewall Rules

• T6225 Unhandled exception when configuring random-detect QoS policy

• T6348 SNAT op-mode fails with flowtable offload entries

• T6356 Correct the syntax of config.boot.default [..., 'ntp', 'server'] from leaf node with value to tag node

• T6365 Negating interface names in NAT configuration causes invalid warnings

• T6377 PermissionError on /config/auth/letsencrypt/live/ when running show pki

• T6400 pki: unable to generate fingerprint for ACME issued certificates

• T6402 Invalid variables referenced in reverse proxy validation

• T6404 Include constraintGroup element in reference tree

• T6407 Generate ipsec profile error

• T6419 reverse-proxy: full CA chain is not build when verifying backend server

• T6421 host-name has no explicit priority to be set on system boot

Other resolved issues

• T1981 Allow route-map 'set src' to reference both IPv4 and IPv6

• T3493 DHCPv6 does not have prefix range validation

• T4519 DHCPv6: "set show dhcpv6 server leases" should show DUID instead of IAID_DUID

• T4909 Rewrite the NTP op mode in the new format

• T5351 VyOS deployed with cloud-init improperly saves config.boot

• T6022 set system image default-boot

• T6048 Exception in event handler script

• T6328 Add a warning message about deprecation of web proxy URL filtering

• T6333 non-free-firmware to trixie

• T6345 Source NAT Port Mapping setting of Fully-Random is superfluous in Kernels 5.0 onwards

• T6346 Boot to multi-user.target instead of graphical.target

• T6358 Container config option to enable host pid

• T6367 op-mode: commit-archive: TypeError: attribute name must be string, not 'NoneType'

• T6383 Incorrect completion for rollback-soft

• T6384 rollback-soft should tell the user to compare and commit

• T6391 load-balancing reverse-proxy: typo in timeout help

• T6396 MINOR Typo: set system conntrack timeout custom ipv4 rule X

• T6409 Remove unused parameter node from reverse-proxy backend

1.4.0-epa3 (14th May 2024)

Security

• T6324 CVE-2024-2961

Configuration syntax changes (automatically migrated)

• T5535 Move disable-directed-broadcast to firewall global-options

• T6171 Rename the DHCP server "failover" command to "high-availability mode"

• T6208 container: rename "cap-add" CLI node to "capability"

• T6216 Firewall group names that contain the '+' character break the config

• T6295 netns: disable incomplete support in VyOS 1.4 sagitta

New features and improvements

• T4309 Support network/address-groups and  ipv6-network/ipv6-address-groups in "conntrack ignore"

• T4903 Support IPv6 addresses in "set system conntrack ignore"

• T5364 Make it possible to set the PADO delay to 0

• T6127 Ability to view logs for rules with Offload not functional

• T6133 Add domain-name to commit-archive

• T6143 Increase configuration timeout range for service config-sync

• T6154 Installer should ask for password twice

• T6161 Add support for displaying container image data in JSON

• T6162 ixgbe: Add 1000BASE-BX support

• T6171 Rename the DHCP server "failover" command to "high-availability mode"

• T6176 image-tools: rationalize setting of console type

• T6184 image-tools: add op-mode command to set default boot console type

• T6192 Support running SSH server in more than one VRF

• T6226 Add "tcp-requece inspect-delay" to reverse proxy

• T6257 Add op mode commands for dynamic firewall address groups

• T6258 Add IPv6 base-reachable-time option to interfaces

• T6260 image-tools: remove the image directory if it fails to install due to insufficient drive space

• T6267 Improve commit failure messages for wireless interface configuration

• T6278 Attempt hint for console type during image install

• T6291 Add op mode commands for displaying LACP information for bonding interfaces

• T6306 EVPN-MH - missing options in uplink ports

Bug fixes

• T2590 DHCPv6 not updating nameservers and search domains since replacing isc-dhcp-client with WIDE dhcp6c

• T3655 NAT doesn't work correctly with VRF

• T4718 DHCP server listen-address doesn't take effect if the interface is in a VRF

• T5164 op cmd: "show dhcp server leases state" with available options does not show any result

• T5862 Default MTU is not acceptable in some environments

• T5875 login: removing and re-adding a user keeps the home directory but changes the UID, thus SSH keys no longer work

• T5996 Incorrect behavior for backslash escapes in config save and compare commands

• T6082 BGP doesn't allow the same local AS and remote AS in peer groups

• T6085 VTI interfaces are in UP state by default

• T6089 [1.3.6->1.4.0-epa1 Migration] "ospf passive-interface default" incorrectly added

• T6090 Migration of "policy route" configs fails due to TCP flag case sensitivity

• T6100 NAT config migration error in 1.4.0-epa1 if invalid address/network defined in 1.3.6 version

• T6106 Improve the commit error message for the case when route-reflector-client option is defined in a peer-group

• T6119 Use a compliant TOML parser

• T6130 [1.3.6->1.4.0-epa2 Migration] BGP "set community" missing

• T6131 Disabling openvpn interface(s) causes OSPF to fail to load on reboot

• T6136 Configuring a dynamic address group, config script did not check whether the group was created

• T6138 Conntrack table op-mode fails with flowtable offload entries

• T6145 Service config-sync does not rely on priorities

• T6147 Conntrack not working as expected with global state-policy

• T6149 Update node_data when merging nodes in reference tree generation

• T6152 Kernel panic for ZimaBoard 232

• T6160 Unhandled exception when configuring IS-IS

• T6165 grub: vyos-grub-update failed to start on "slow" systems

• T6167 VNI not set on VRF after reboot

• T6168 "add system image" does not set the default boot image to the current console type in compatibility mode

• T6169 DNS forwarding configuration rejects underscores in SRV records

• T6173 Build Causes Errors When "--version" Contains Slashes ("/")

• T6175 op-mode: "renew dhcp interface <name>" does not check if it's an actual DHCP interface

• T6178 reverse-proxy doesn't check that a certificate exists at set time

• T6179 Incorrect HAProxy config generated for reverse-proxy rules with url-path

• T6186 'set system image default-boot' fails to find images that actually do exist in the system

• T6189 BGP L3VPN connectivity is broken after re-enabling VRF

• T6191 Policy route set-mss option is not working correctly

• T6193 dhcp-client: invalid warning "is not a DHCP interface but uses DHCP name-server option" for VLAN interfaces

• T6196 route-map and summary-only do not work in BGP aggregation at the same time

• T6197 Validation error in the IPoE server interface client-subnet option

• T6202 Multi-Protocol BGP is broken by 6PE patch in upstream FRR 9.1

• T6205 ipoe: error in migration script logic while renaming mac-address to mac

• T6206 L2tp smoketest fails if vyos-configd is running

• T6207 image-tools: restore ability to copy config.boot.default on image install

• T6213 Validations in firewall groups mistakenly reject correct configurations

• T6216 Firewall group names that contain the '+' character break the config

• T6218 Container network interface in VRF fails to generate IPv6 link-local address

• T6221 Enabling VRF breaks connectivity

• T6222 VRRP rfc3768-compatibility not working correctly when resulting interface name is over 15 characters

• T6241 Updating CRL in "pki" config does not update OpenVPN

• T6243 Update vyos-http-api-tools for package idna security advisory

• T6250 "policy route-map set table" cannot be deleted from the rule

• T6252 GRE tunnels don't allow configuring MTU larger than 8024

• T6255 Static table description should not contain white-space

• T6263 Commit failures when trying to set an IGMP group with source address on an interface

• T6269 Polixy route "set table" option is not working correctly

• T6272 PPPoE configuration does not load after deleting a PPPoE interface from the system

• T6276 Do not call config dependencies on script error

• T6283 Cannot delete as-path prepend from policy when it contains more than one AS

• T6284 IPoE server op mode commands do not show IPv6 addresses

• T6299 Building VyOS (Dockerized) current ISO fails dues to unmet dependencies podman : Depends: libgpgme11t64 (>= 1.4.1) but it is not installable

• T6305 IPoE interface wildcard validation error in firewall rules

• T6307 procps is missing from vyos-1x build dependencies

• T6317 VLAN doesn't work on a bridge with a wireless interface member

• T6329 Firewall - Error while printing groups

Other resolved issues

• T4516 Rewrite system image manipulation tools in Python

• T5535 Move disable-directed-broadcast to firewall global-options

• T6146 Add python script to get all priorities of service or section from XML

• T6159 "show openvpn server" prints a superfluous "OpenVPN status on vtunx" message for every client connection

• T6180 Add application of mask to configtree

• T6185 Simplify marshalling of section and config data for config-sync

• T6187 Use correct CPU counts adjusted for SMT when necessary

• T6195 dropbear: package upgrade 2022.83-1 -> 2022.83-1+deb12u1

• T6198 configverify: add common helper for PKI certificate validation

• T6203 Remove references to the obsolete vyos.xml module (superseded by vyos.xml_ref)

• T6208 container: rename "cap-add" CLI node to "capability"

• T6234 PPPoE-server pado-delay refactoring

• T6245 Unhandled exception in "show openvpn server"

• T6295 netns: disable incomplete support in VyOS 1.4 sagitta

• T6327 Drop boot console type ttyUSB (USB serial)

• T6330 release.pref.chroot indentation broken

1.4.0-epa2 (15th March 2024)

Configuration syntax changes (automatically migrated)

• T6079 dhcp: migration fails for duplicate static-mapping

New features and improvements

• T4977 Babel routing protocol support

• T5504 Make it possible to set more than one peer-address in unicast VRRP

• T5530 Add LFA to IS-IS

• T5631 Ability to export the current configuration in JSON format

• T5717 ospfv3 - add  allow to set metric-type to ospf redistribution while frr docs says its possible.

• T5772 Require HTTPS API server configurations to include at least one key if key-based auth is used

• T5781 Add ability to add additional minisign keys

• T6057 Add ability to disable syslog for conntrackd

• T6060 op-mode: container: support removing all container images at once

• T6087 ospfv3: add support to redistribute IS-IS routes

Bug fixes

• T2998 SNMP v3 oid "exclude" option doesn't work

• T4270 When "ignore-hosts-file" is unset, local hostname of the router resolves to 127.0.1.1 in the DNS forwarding service

• T5121 Incorrect "architecture" config loaded

• T5646 QoS policy limiter broken if class without match

• T5909 Container registry with authentication prevents config load (section container) after reboot

• T6004 Missing RPKI boot priority prevents it from loading

• T6020 VRRP health-check script is not applied correctly in keepalived.conf

• T6054 load-balancing wan - doesn't configure a list of ports

• T6055 PKI error: "failed to install x value" when executed the command from conf mode

• T6061 connection-status nat destination firewall filter not working in 1.4.0-epa1

• T6069 HTTP API segfault during concurrent configuration requests

• T6070 bnx2x NIC causes a commit error due to incorrect implementation of EEE status reading

• T6073 Conntrack/NAT not being disabled when VRFs are defined

• T6074 container: do not allow deleting images which have a container running

• T6079 dhcp: migration fails for duplicate static-mapping

• T6081 QoS policy shaper target and interval wrong calcuations

• T6084 OpenNHRP DMVPN configuration file clean after reboot if we have any IPSec configuration

• T6086 NAT does not work with network-groups

• T6093 Incorrect dhcp-options vendor-class-id regex

• T6096 Config commits are not synced properly because 00vyos-sync is deleted by vyos-router

• T6098 Description doesnt seem to allow for non international characters

• T6104 Regression in commit-archive for non-interactive configuration

• T6107 Nginx does not allow big config queries for configure endpoint API

• T6141 Trying to set PADO delay in PPPoE server without also configuring the session options causes a commit failure

Other resolved issues

• T2199 Rewrite firewall in new XML/Python style

• T5738 Extend XML building blocks

• T5870 ipsec remote access VPN: add x509 ("pubkey") authentication

• T5959 Streamline dns forwarding service

• T6071 firewall: CLI description limit of 256 characters cause config upgrade issues

• T6075 Applying firewall rules with a non-existent interface group

• T6077 banner: implement ASCII contest winner default logo

• T6083 ethtool: move string parsing to JSON parsing

• T6095 Tab completion for "set interfaces wireless wlan0 country-code" incorrect country "uk"

• T6214 Error when using some constraints

1.4.0-epa1 (22th February 2024)

Security

• T4915 Minisign verification failure == pass??

Breaking changes

• T5605 Do not generate keysize option in OpenVPN configs

Configuration syntax changes (automatically migrated)

• T1991 Rework time services

• T5877 Reduce unnecessary nesting in system domain-search path and improve smoketest

New features and improvements

• T160 Support NAT64

• T1991 Rework time services

• T4221 Add a template filter for converting scalars to single-item lists

• T4883 Add a description field for routing tables

• T4940 Interface debugging

• T5122 Move "archive-areas" to defaults.toml to support "non-free-firmware" repository

• T5418 Allow arbitrary subnets in PPPoE client IP pools

• T5449 Add options for TCP MSS probing

• T5497 Add ability to resequence rule numbers for firewall

• T5615 Narrow down spurious name conflict with mdns

• T5877 Reduce unnecessary nesting in system domain-search path and improve smoketest

• T5965 WWAN modems using raw-ip do not work with dhclient/dhcp6c

• T5972 login: add possibility to disable individual local user accounts

Bug fixes

• T2113 OpenVPN Options error: you cannot use --verify-x509-name with --compat-names or --no-name-remapping

• T2700 Redirecting traffic from PPPoE interface to IFB fails

• T2801 conntrack-tools flooding logs

• T3681 The VMware Tools resume script did not run successfully in this virtual machine.

• T3774 atop logs are not limited in size

• T3902 Firewall does not load on boot, address-group not found, even though it exists

• T4796 build-vyos-image ignores multiple options

• T5239 Host name and domain name missing from the FRR configuration

• T5245 Wireless interfaces do not get IPv6 link-local address assigned

• T5376 Conntrack FTP helper does not work properly

• T5890 OTP key generation is broken

• T5926 IPSEC does not apply after l2tp configuration was changed

• T5977 nftables: Operation not supported when using match-ipsec in outbound firewall

• T6005 Error on adding a wireguard interface to OSPFv3

• T6043 VxLAN and bridge error bug

• T6056 Applying 'system static-host-mapping'  command calls unnecessary snmpd restart

• T6064 Can not build VyOS if repository it not cloned to a branch

Other resolved issues

• T671 Identify and remove dead code

• T874 Support for Two Factor Authentication for CLI access via Google Authenticator/OTP

• T1311 WAN load-balancing can't flush connections when conntrack-sync is enabled

• T1436 Config entries with default values do not correctly show as changed

• T1487 DNS (pdns_recursor) stats logs not saved to disk

• T2433 Improve CLI value validator performance

• T3337 Add possibility to serve static DNS zones from the router

• T3471 DHCP hook is not able to detect all running DHCP instances

• T3474 Revisit storing syntax version of interface definitions in XML file

• T3522 policy based routing not working

• T3574 Add constraintGroup for combining validators with logical AND

• T3642 PKI configuration

• T3722 op-mode IPSec show vpn ike sa always shows L-TIME 0

• T3766 containers: Expanding options for networking and building containers

• T4723 Error when issuing 'show flow-accounting interface pppoe0'

• T4761 Add a generic URL validator

• T4795 Cleanup custom python validators

• T4951 Add an op mode exception for cases when operations fail due to insufficient system resources

• T5109 Improve OCaml XML validator

• T5195 Break up the vyos.util module

• T5348 Service config-sync can freeze the secondary router if it has commit-archive location

• T5605 Do not generate keysize option in OpenVPN configs

• T5754 Update to StrongSwan 5.9.11

• T5846 Refactor and simplify DUID definition in conf-mode

• T5903 NHRP don´t start on reboot from version 1.5-rolling-202401010026

• T6001 Add option to enable resolve-via-default

• T6015 "journalctl_charon" file does not contain data in the generated "ipsec debug-archive" file

• T6050 Wrong scripting commands descriptions in accel-ppp services

• T6078 Update ethtool to 6.6