Change Details

** Known issues ** * The RADIUS client library is still vulnerable to CVE-2024-3596 — a fix will be included in the next release (T7285). **Security** * Private SSH key reuse in the console server service (T7217). **Configuration syntax changes (automatically migrated)** * Add route-map and metric options to "redistribute table" in BGP (T7163). **New features and improvements** * Check architecture and flavor compatibility on upgrade attempts (T6389). * Add an option to assign static IP address to IPoE server users (T6628). * Add PPPoE server options to accept any service name and blank service name (T6685). * IPoE-server add the ability to configure Lua scripts for username mapping (T6872). * Add an option to start sessions with an unclassified packet to IPoE server (T6906). * Add source-vrf source option to route maps (T7158). * Add route-map and metric options to "redistribute table" in BGP (T7163). * Add port option to GENEVE tunnels (T7171). * Add a command to automatically upload tech-support report archives to a server (T7193). * Containers add capability CAP_MKNOD (T7204). * Add CLI to disable LDP establish hello packets (T7286). * pki: race condition for acme requested certificates - CA auto import only on the second run (T7299). **Bug fixes** * Shaper QoS policy does not recognize 'lowdelay' DSCP value (T681). * DHCP default route duplicated when moving interface between VRFs (T5103). * Conntrack logging doesnt seem to be working (T5471). * Raw output for system storage op mode causes exceptions on live CD (T6514). * VyOS local system users TACACS+ authorization requests do not work correctly (T6613). * Show log firewall not printing logs for default-actions for custom ruleset (T6636). * Strings with spaces in "set interfaces * address" cause an ipaddrcheck argument error (T6739). * Segmentation fault when checking incorrect IP ranges with ipaddrcheck (T6744). * Incorrect flow isolation policy parameters generated for CAKE QoS policies (T6790). * QoS policy priority-queue is broken by default (T6799). * Unhandled exception when setting priority-queue QoS policy type to random-detect (T6800). * The default route distance for PPPoE (210) in the migration script is incorrect and may break server availability (T6863). * Support matching ethertype in QoS policies (T6874). * Empty "ntp" CLI node causes a config migration error when upgrading from VyOS 1.3.x (T6911). * Offload RPS fails on CPUs with more than 32 cores (T6917). * PPPoE server does not allow listening on physical interfaces if VLANs are present in the configuration (T6936). * bfd: fix invalid generated template when no multi-hop profile is defined (T6945). * Missing cron file for geoip auto update (T6986). * lsb_release reports the system to be debian (T6992). * Use VyOS release-train in /etc/os-release codename over Debian release name (T7019). * Incorrect versions of libnss-mapuser and libpam-radius-auth are included in the build, breaking RADIUS authentication (T7020). * VRF name "up" is reserved and should not be used (T7024). * Missing 'version' in manifest.json will cause a timeout of 'make test' (T7031). * Disallow upgrades to non-matching flavors (T7034). * RADIUS source-address option does not work with IPv6 (T7039). * SSH Agent is not available for Git commit archive (T7048). * 'set service webproxy domain-noncache <domain>' command does not work (T7057). * Regression of T3240 in WIDE dhcp6c - Missing patch to support configuration of custom DUID (T7058). * Upgrade may fail on instances with limited memory due to insufficient space in /tmp/ (T7102). * DHCPv6 client is restarted on every change to the interface (T7135). * Cannot set an agent-address in sFlow if VRF is used (T7136). * "redistribute table" option in BGP does not work correctly (T7161). * VXLAN interfaces disappear if the parent wireguard interface was changed (T7166). * Fix sed pattern for change in OPAM install.sh (T7170). * vyos-domain-resolver not picking up non-default configuration values (T7176). * Firewall interface-group with a container interface fails validation on reboot (T7177). * Unhandled exception in SNMP v3 configuration without engineid. (T7180). * vyos-netplug-dhcp-client requires Config instead of ConfigTreeQuery (T7182). * bond: error message interpreted as list when it's a string and thus loosing information (T7191). * Bridge allows to specify the same member interface more than one time (T7192). * lldp: disable individual interface has no effect if 'all' is defined (T7194). * Remove unintended binary files from ipaddrcheck source tree and keep them from re-appearing (T7195). * VXLAN needs to make remote and group options mutually exclusive (T7219). * Unhandled template error in "generate ipsec profile ios-remote-access" (T7225). * LDP Hello packets are generated to answer incoming Hello before forming neighbor adjacency (T7226). * Proxmox grub console type should be tty0 by default (T7231). * DHCPv6: add smoketest verifying that there is no invalid syntax or parsing error for wide-dhcpv6-client (T7248). * Virtual-ethernet Interface vif mtu does not work (T7293). * image upgrade will replace symlinks with a copy (T7294). * ACME certificate updates fail due to missing timezone info (T7295). **Other resolved issues** * Use ipaddrcheck for validating IP address ranges (T6743). * VyOS' FRR is not linked against PCRE2, reducing BGP convergence performance (T6854). * Mark FastNetMon as deprecated (T6919). * Add an option to specify bootloaders to the image build arguments (T6922). * "monitor log" should have no output color at all (T6971). * iproute2: disable colored output by default (T6979). * Treat vyos-domain-resolver as a real service (T6983). * Extend smoketesting platform to also validate /etc/release | lsb_release content (T6999). * TACACS: extend smoketests with a live tac_plus server running as container (T7023). * Source NAT smoke tests fail due to an incorrect interface name (T7033). * RADIUS: extend smoketests with a live freeradius server running as container (T7038). * Allow general binary includes in flavor files (T7109). * Update ipaddrcheck versions and changelogs (T7199).

**Known issues** * The RADIUS client library is still vulnerable to CVE-2024-3596 — a fix will be included in the next release (T7285). **Security** * Private SSH key reuse in the console server service (T7217). **Configuration syntax changes (automatically migrated)** * Add route-map and metric options to "redistribute table" in BGP (T7163). **New features and improvements** * Check architecture and flavor compatibility on upgrade attempts (T6389). * Add an option to assign static IP address to IPoE server users (T6628). * Add PPPoE server options to accept any service name and blank service name (T6685). * IPoE-server add the ability to configure Lua scripts for username mapping (T6872). * Add an option to start sessions with an unclassified packet to IPoE server (T6906). * Add source-vrf source option to route maps (T7158). * Add route-map and metric options to "redistribute table" in BGP (T7163). * Add port option to GENEVE tunnels (T7171). * Add a command to automatically upload tech-support report archives to a server (T7193). * Containers add capability CAP_MKNOD (T7204). * Add CLI to disable LDP establish hello packets (T7286). * pki: race condition for acme requested certificates - CA auto import only on the second run (T7299). **Bug fixes** * Shaper QoS policy does not recognize 'lowdelay' DSCP value (T681). * DHCP default route duplicated when moving interface between VRFs (T5103). * Conntrack logging doesnt seem to be working (T5471). * Raw output for system storage op mode causes exceptions on live CD (T6514). * VyOS local system users TACACS+ authorization requests do not work correctly (T6613). * Show log firewall not printing logs for default-actions for custom ruleset (T6636). * Strings with spaces in "set interfaces * address" cause an ipaddrcheck argument error (T6739). * Segmentation fault when checking incorrect IP ranges with ipaddrcheck (T6744). * Incorrect flow isolation policy parameters generated for CAKE QoS policies (T6790). * QoS policy priority-queue is broken by default (T6799). * Unhandled exception when setting priority-queue QoS policy type to random-detect (T6800). * The default route distance for PPPoE (210) in the migration script is incorrect and may break server availability (T6863). * Support matching ethertype in QoS policies (T6874). * Empty "ntp" CLI node causes a config migration error when upgrading from VyOS 1.3.x (T6911). * Offload RPS fails on CPUs with more than 32 cores (T6917). * PPPoE server does not allow listening on physical interfaces if VLANs are present in the configuration (T6936). * bfd: fix invalid generated template when no multi-hop profile is defined (T6945). * Missing cron file for geoip auto update (T6986). * lsb_release reports the system to be debian (T6992). * Use VyOS release-train in /etc/os-release codename over Debian release name (T7019). * Incorrect versions of libnss-mapuser and libpam-radius-auth are included in the build, breaking RADIUS authentication (T7020). * VRF name "up" is reserved and should not be used (T7024). * Missing 'version' in manifest.json will cause a timeout of 'make test' (T7031). * Disallow upgrades to non-matching flavors (T7034). * RADIUS source-address option does not work with IPv6 (T7039). * SSH Agent is not available for Git commit archive (T7048). * 'set service webproxy domain-noncache <domain>' command does not work (T7057). * Regression of T3240 in WIDE dhcp6c - Missing patch to support configuration of custom DUID (T7058). * Upgrade may fail on instances with limited memory due to insufficient space in /tmp/ (T7102). * DHCPv6 client is restarted on every change to the interface (T7135). * Cannot set an agent-address in sFlow if VRF is used (T7136). * "redistribute table" option in BGP does not work correctly (T7161). * VXLAN interfaces disappear if the parent wireguard interface was changed (T7166). * Fix sed pattern for change in OPAM install.sh (T7170). * vyos-domain-resolver not picking up non-default configuration values (T7176). * Firewall interface-group with a container interface fails validation on reboot (T7177). * Unhandled exception in SNMP v3 configuration without engineid. (T7180). * vyos-netplug-dhcp-client requires Config instead of ConfigTreeQuery (T7182). * bond: error message interpreted as list when it's a string and thus loosing information (T7191). * Bridge allows to specify the same member interface more than one time (T7192). * lldp: disable individual interface has no effect if 'all' is defined (T7194). * Remove unintended binary files from ipaddrcheck source tree and keep them from re-appearing (T7195). * VXLAN needs to make remote and group options mutually exclusive (T7219). * Unhandled template error in "generate ipsec profile ios-remote-access" (T7225). * LDP Hello packets are generated to answer incoming Hello before forming neighbor adjacency (T7226). * Proxmox grub console type should be tty0 by default (T7231). * DHCPv6: add smoketest verifying that there is no invalid syntax or parsing error for wide-dhcpv6-client (T7248). * Virtual-ethernet Interface vif mtu does not work (T7293). * image upgrade will replace symlinks with a copy (T7294). * ACME certificate updates fail due to missing timezone info (T7295). **Other resolved issues** * Use ipaddrcheck for validating IP address ranges (T6743). * VyOS' FRR is not linked against PCRE2, reducing BGP convergence performance (T6854). * Mark FastNetMon as deprecated (T6919). * Add an option to specify bootloaders to the image build arguments (T6922). * "monitor log" should have no output color at all (T6971). * iproute2: disable colored output by default (T6979). * Treat vyos-domain-resolver as a real service (T6983). * Extend smoketesting platform to also validate /etc/release | lsb_release content (T6999). * TACACS: extend smoketests with a live tac_plus server running as container (T7023). * Source NAT smoke tests fail due to an incorrect interface name (T7033). * RADIUS: extend smoketests with a live freeradius server running as container (T7038). * Allow general binary includes in flavor files (T7109). * Update ipaddrcheck versions and changelogs (T7199).

** **Known issues **** * The RADIUS client library is still vulnerable to CVE-2024-3596 — a fix will be included in the next release (T7285). **Security** * Private SSH key reuse in the console server service (T7217). **Configuration syntax changes (automatically migrated)** * Add route-map and metric options to "redistribute table" in BGP (T7163). **New features and improvements** * Check architecture and flavor compatibility on upgrade attempts (T6389). * Add an option to assign static IP address to IPoE server users (T6628). * Add PPPoE server options to accept any service name and blank service name (T6685). * IPoE-server add the ability to configure Lua scripts for username mapping (T6872). * Add an option to start sessions with an unclassified packet to IPoE server (T6906). * Add source-vrf source option to route maps (T7158). * Add route-map and metric options to "redistribute table" in BGP (T7163). * Add port option to GENEVE tunnels (T7171). * Add a command to automatically upload tech-support report archives to a server (T7193). * Containers add capability CAP_MKNOD (T7204). * Add CLI to disable LDP establish hello packets (T7286). * pki: race condition for acme requested certificates - CA auto import only on the second run (T7299). **Bug fixes** * Shaper QoS policy does not recognize 'lowdelay' DSCP value (T681). * DHCP default route duplicated when moving interface between VRFs (T5103). * Conntrack logging doesnt seem to be working (T5471). * Raw output for system storage op mode causes exceptions on live CD (T6514). * VyOS local system users TACACS+ authorization requests do not work correctly (T6613). * Show log firewall not printing logs for default-actions for custom ruleset (T6636). * Strings with spaces in "set interfaces * address" cause an ipaddrcheck argument error (T6739). * Segmentation fault when checking incorrect IP ranges with ipaddrcheck (T6744). * Incorrect flow isolation policy parameters generated for CAKE QoS policies (T6790). * QoS policy priority-queue is broken by default (T6799). * Unhandled exception when setting priority-queue QoS policy type to random-detect (T6800). * The default route distance for PPPoE (210) in the migration script is incorrect and may break server availability (T6863). * Support matching ethertype in QoS policies (T6874). * Empty "ntp" CLI node causes a config migration error when upgrading from VyOS 1.3.x (T6911). * Offload RPS fails on CPUs with more than 32 cores (T6917). * PPPoE server does not allow listening on physical interfaces if VLANs are present in the configuration (T6936). * bfd: fix invalid generated template when no multi-hop profile is defined (T6945). * Missing cron file for geoip auto update (T6986). * lsb_release reports the system to be debian (T6992). * Use VyOS release-train in /etc/os-release codename over Debian release name (T7019). * Incorrect versions of libnss-mapuser and libpam-radius-auth are included in the build, breaking RADIUS authentication (T7020). * VRF name "up" is reserved and should not be used (T7024). * Missing 'version' in manifest.json will cause a timeout of 'make test' (T7031). * Disallow upgrades to non-matching flavors (T7034). * RADIUS source-address option does not work with IPv6 (T7039). * SSH Agent is not available for Git commit archive (T7048). * 'set service webproxy domain-noncache <domain>' command does not work (T7057). * Regression of T3240 in WIDE dhcp6c - Missing patch to support configuration of custom DUID (T7058). * Upgrade may fail on instances with limited memory due to insufficient space in /tmp/ (T7102). * DHCPv6 client is restarted on every change to the interface (T7135). * Cannot set an agent-address in sFlow if VRF is used (T7136). * "redistribute table" option in BGP does not work correctly (T7161). * VXLAN interfaces disappear if the parent wireguard interface was changed (T7166). * Fix sed pattern for change in OPAM install.sh (T7170). * vyos-domain-resolver not picking up non-default configuration values (T7176). * Firewall interface-group with a container interface fails validation on reboot (T7177). * Unhandled exception in SNMP v3 configuration without engineid. (T7180). * vyos-netplug-dhcp-client requires Config instead of ConfigTreeQuery (T7182). * bond: error message interpreted as list when it's a string and thus loosing information (T7191). * Bridge allows to specify the same member interface more than one time (T7192). * lldp: disable individual interface has no effect if 'all' is defined (T7194). * Remove unintended binary files from ipaddrcheck source tree and keep them from re-appearing (T7195). * VXLAN needs to make remote and group options mutually exclusive (T7219). * Unhandled template error in "generate ipsec profile ios-remote-access" (T7225). * LDP Hello packets are generated to answer incoming Hello before forming neighbor adjacency (T7226). * Proxmox grub console type should be tty0 by default (T7231). * DHCPv6: add smoketest verifying that there is no invalid syntax or parsing error for wide-dhcpv6-client (T7248). * Virtual-ethernet Interface vif mtu does not work (T7293). * image upgrade will replace symlinks with a copy (T7294). * ACME certificate updates fail due to missing timezone info (T7295). **Other resolved issues** * Use ipaddrcheck for validating IP address ranges (T6743). * VyOS' FRR is not linked against PCRE2, reducing BGP convergence performance (T6854). * Mark FastNetMon as deprecated (T6919). * Add an option to specify bootloaders to the image build arguments (T6922). * "monitor log" should have no output color at all (T6971). * iproute2: disable colored output by default (T6979). * Treat vyos-domain-resolver as a real service (T6983). * Extend smoketesting platform to also validate /etc/release | lsb_release content (T6999). * TACACS: extend smoketests with a live tac_plus server running as container (T7023). * Source NAT smoke tests fail due to an incorrect interface name (T7033). * RADIUS: extend smoketests with a live freeradius server running as container (T7038). * Allow general binary includes in flavor files (T7109). * Update ipaddrcheck versions and changelogs (T7199).