As tradition dictates, the new weekly release candidate is available for download.
Package updates
The following packages have been updated:
- Linux kernel to 4.14.75
- Mellanox network drivers to 4.4
Bug fixes
SNMP integration with routing protocols
The last bit of configuration required for it to work is now in, and it should work as expected again. If it doesn't work for you, let us know!
VRRP not working in unicast mode when the RFC-compatible mode is selected
In T933 it was reported that if you configure VRRP in unicast mode and choose to use virtual MACs (RFC compatible mode), both nodes become masters. Now the config option required for this to work is inserted into keepalived config.
DHCP relay now handles the port option correctly
As reported in T938, DHCP relay would not handle the port option correctly. Now it does.
Tag nodes with whitespace
As reported in T253, it was possible to create a tag node with whitespace in its name (e.g. "set system login user "foo bar" authentication..."), but such configs would not be parsed correctly if you try to load them back.
In most cases attempts to create such nodes should be blocked at the syntax validation level, but since old configs with such nodes may exist, and it is impossible to disallow doing that completely at the set command level, we've added support for quoting such nodes properly in the code responsible for displaying and saving configs. Now such configs will load at least partially and produce more descriptive errors when disallowed by individual command syntax.
Commit archive problem with edit levels
The "run monitor traffic interface ... filter" command now has full support for tcpdump filters
Compatibility notes
Username restrictions
Related to the whitespace issue, some commands had overly permissive syntax. The "system login user" username format has now been restricted to the POSIX portable characters (that's alphanumeric characters, underscores, hyphens, and dots) and a length below 100. If usernames do not conform to the undeniably portable format (alphanumeric and underscores/hyphens only), you will receive a warning.
There may be old configs with unusual usernames, and they may now fail to load. If you run into issues with this restriction, let us know.
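To find affected usernames before upgrading, the following added example (not VyOS code) audits a list of "set" commands against the rules described above. The regular expressions and the reading of "length below 100" as at most 99 characters are assumptions drawn from this note, not the patterns VyOS itself uses, and the sample commands are constructed.

```python
import re
import shlex

# Rules as described in the release note; the exact patterns are assumptions.
ALLOWED = re.compile(r"[A-Za-z0-9_.-]+")  # alphanumerics, underscores, hyphens, dots
NO_WARN = re.compile(r"[A-Za-z0-9_-]+")   # subset that produces no warning
MAX_LEN = 99                              # "length below 100"


def classify(username):
    """Return 'reject', 'warn' or 'ok' for a single username."""
    if not username or len(username) > MAX_LEN or not ALLOWED.fullmatch(username):
        return "reject"
    if not NO_WARN.fullmatch(username):
        return "warn"
    return "ok"


def usernames(commands):
    """Yield each distinct username from 'set system login user <name> ...' lines."""
    seen = set()
    for line in commands.splitlines():
        try:
            words = shlex.split(line)  # keeps a quoted "foo bar" as one word
        except ValueError:             # unbalanced quotes: not a usable command
            continue
        if words[:4] == ["set", "system", "login", "user"] and len(words) > 4:
            if words[4] not in seen:
                seen.add(words[4])
                yield words[4]


def audit(commands):
    """Map every username found in the commands to its verdict."""
    return {name: classify(name) for name in usernames(commands)}


# Constructed sample input, not taken from a real system.
SAMPLE = """
set system login user admin authentication plaintext-password example
set system login user "foo bar" authentication plaintext-password example
set system login user j.doe level admin
set system login user ops_team-1 level admin
set interfaces ethernet eth0 address dhcp
"""

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{verdict:6} {name!r}")
```

Names reported as "reject" are the ones that may now fail to load, and names reported as "warn" contain a dot.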
The "inspect" action in firewall rules no longer exists
The "inspect" action was once used for the IPS/IDS functionality, but the IDS (it was Snort) was removed long before VyOS was forked from Vyatta. The now useless action, however, persisted.
Now we have removed it. We think the chance to see it in a real config is very low, and this should have no impact, but if you run into problems, leave a note in T59, and we'll make a migration script.
In other news
The 1.2.0/Crux repositories are now fully separated from the "current" branch repositories, in preparation for the LTS release. This reopens the "current" branch for experimental and potentially unsafe changes so that we can start working on new big rewrites, migration to newer Debian and other things required for the future 1.3.0 release.