=== Notes ===
This release image includes an updated public key (A0FE6D7E).
[[Category: Release notes]]

Revision as of 07:14, 18 August 2015 (Tue)


The 1.1.0 release (the "helium" branch) adds new features on top of 1.0.x.




* | strip-private: removes private information from the output of the config-mode "show" command.

 # show system login | strip-private
  user xxxxxx {
      authentication {
          encrypted-password xxxxxx
      level admin

* | commands: converts the output of the config-mode "show" command into set commands.

 # show interfaces tunnel | commands
 set tunnel tun0 encapsulation 'gre'
 set tunnel tun0 local-ip ''
 set tunnel tun0 remote-ip ''
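As an added illustration (not code from the VyOS project), the following Python models the two pipes: it parses brace-format "show" output into leaves, masks the values strip-private is meant to hide (including SSH public keys, which Bug #567 later reported the real filter missed), and emits set commands the way the commands pipe does. The sample config, the list of private leaf names and the masking of user names are assumptions made for this example.

```python
# Leaf names whose values never belong in a shared config dump (assumed list).
# "key" is handled with its parent below: Bug #567 showed that SSH public keys
# under "public-keys <id> key" were missed by strip-private.
PRIVATE_LEAVES = {"encrypted-password", "plaintext-password", "pre-shared-secret",
                  "password", "secret", "community"}
MASK = "xxxxxx"

def parse_config(text):
    """Parse VyOS brace-format 'show' output into (path_tokens, value) leaves.
    path_tokens is a flat list such as ['user', 'vyos', 'level']; value is None
    for valueless leaves (e.g. 'disable')."""
    stack, leaves = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()                      # leave the current node
        elif line.endswith("{"):
            stack.append(line[:-1].split())  # "user vyos {" -> ['user', 'vyos']
        else:
            name, sep, value = line.partition(" ")
            value = value.strip().strip('"') if sep else None
            path = [tok for node in stack for tok in node] + [name]
            leaves.append((path, value))
    return leaves

def strip_private(leaves):
    """Model of the '| strip-private' pipe: mask secret values and user names."""
    out = []
    for path, value in leaves:
        path = list(path)
        for i, tok in enumerate(path):
            if tok == "user" and i + 1 < len(path):
                path[i + 1] = MASK           # 'user vyos' -> 'user xxxxxx'
        leaf = path[-1]
        if leaf in PRIVATE_LEAVES or (leaf == "key" and "public-keys" in path):
            value = MASK
        out.append((path, value))
    return out

def to_commands(leaves):
    """Model of the '| commands' pipe: one 'set' line per leaf, values quoted."""
    return ["set " + " ".join(path) + (f" '{value}'" if value is not None else "")
            for path, value in leaves]

# Constructed sample of what "show system login" might print; secrets are fake.
SAMPLE = """\
user vyos {
    authentication {
        encrypted-password $6$constructedsalt$constructedhash
        public-keys admin@laptop {
            key AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial
            type ssh-rsa
        }
    }
    level admin
}
"""

def scrubbed_commands(text=SAMPLE):
    """Equivalent of 'show ... | strip-private | commands' on the given text."""
    return to_commands(strip_private(parse_config(text)))

if __name__ == "__main__":
    print("\n".join(scrubbed_commands()))
```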


Vyatta Core and VyOS 1.0.x can be upgraded with "add system image"; no special steps are required.

=== CLI changes ===



{| class="wikitable"
! Command !! Status !! Comment
|-
| set interfaces ethernet ethX pppoe X disable || Added || Disables the PPPoE session.
|-
| set interfaces ethernet eth0 pppoe 0 default-route <auto none force> || Modified || Added the "force" option, which forces the PPPoE session to become the default route.
|-
| set vpn pptp remote-access authentication require <chap pap mschap mschap-v2> || Added || Requires a specific authentication protocol.
|-
| set interfaces openvpn vtunX server reject-unconfigured-clients || Added || Rejects clients that are not configured under "server client" (OpenVPN's --ccd-exclusive option).
|-
| set interfaces openvpn <name> persistent-tunnel || Added || OpenVPN's --persist-tun option.
|-
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip disable-arp-filter || Added || Disables arp-filter on the interface.
|-
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-accept || Added || Enables arp-accept on the interface.
|-
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-announce || Added || Enables arp-announce on the interface.
|-
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-ignore || Added || Enables arp-ignore on the interface.
|-
| set system options ctrl-alt-del-action <ignore reboot poweroff> || Added || Changes the Ctrl-Alt-Del behaviour (default: ignore).
|-
| set firewall twa-hazards-protection <enable disable> || Added || Enables or disables protection against RFC1337 TIME-WAIT assassination hazards.
|-
| set interfaces <type> <name> ip source-validation <disable loose strict> || Added || Configures source validation on the interface.
|-
| set interfaces ethernet ethX ipv6 router-advert name-server <ipv6 address> || Added || Configures RFC6106 name servers to be advertised in RAs.
|-
| set protocols rip passive-interface <interface-name or "default"> || Modified || Added the "default" option.
|-
| set system syslog host <host> facility <facility> protocol (tcp udp) || Added || Sets the remote syslog protocol to TCP or UDP.
|-
| set service snmp smux-peer <oid> || Added || Configures an SMUX peer OID.
|-
| set vpn ipsec ike-group <group> proposal <proposal> dh-group <2 5 14-26> || Modified || Groups 14 through 26 can now be configured for dh-group in addition to 2 and 5.
|-
| set vpn ipsec <ike-group esp-group> proposal <proposal> hash <md5 sha1 sha256 sha384 sha512> || Modified || Added SHA2.
|-
| set vpn ipsec ike-group <group> key-exchange <ikev1 ikev2> || Added || Added IKEv2 as a key exchange protocol version and made IKEv2 the default.
|-
| set vpn ipsec ike-group <group> mobike <enable disable> || Added || Enables or disables MOBIKE. The default is disabled for IKEv1 and enabled for IKEv2.
|-
| set service ssh ciphers <ciphers list> || Added || Restricts the SSH ciphers to those in the list.
|-
| set interfaces ... ip proxy-arp-pvlan || Added || Enables private VLAN proxy ARP on the interface.
|}


{| class="wikitable"
! Command !! Status !! Comment
|-
| restart webproxy clear-cache || Added || Clears the webproxy cache and restarts the process (the cache cannot be cleared without a restart).
|-
| force arp reply interface <interface name> address <MAC address> || Added || Sends a gratuitous ARP reply for the specified address.
|-
| force arp request interface <interface name> address <MAC address> || Added || Sends a gratuitous ARP request for the specified address.
|-
| show system memory cache || Modified || Shows kernel cache information.
|-
| show ip route cache || Deprecated || Returns nothing, since the kernel no longer has a route cache.
|}


{| class="wikitable"
! Command/action/component !! Change !! Previous behaviour !! Reason
|-
| run generate openvpn key <file> || Places the key file in /config/auth unless a full path is given. || Placed it in the current user's home directory. || Usability, and persistence across upgrades.
|-
| DHCPv6 server || The DHCPv6 server lease file is placed under /config. || Placed under /var/lib. || Persistence across upgrades.
|-
| Firewall groups || Firewall port-groups and address-groups use IPset's native range feature. || Called ipset repeatedly for each member. || Performance.
|-
| Wireless || The first cipher proposed is now CCMP. || TKIP was proposed first, then CCMP. || Some clients use the first cipher proposed.
|}


{| class="wikitable"
! Bug ID !! Severity !! Title !! Contributor
|-
| Bug #2 || Enhancement || Add a command to clear the squid web proxy cache || Ewald van Geffen
|-
| Bug #7 || Enhancement || Descriptions for openvpn interfaces are invisible in "show interfaces" || Alex Harpin
|-
| Bug #8 || Enhancement || 'generate openvpn key <filename>' should place the key file in the appropriate/suggested directory (/config/auth) || Daniil Baturin
|-
| Bug #12 || Enhancement || Provide a config parameter to administratively disable a pppoe session. || Daniil Baturin
|-
| Bug #13 || Enhancement || PPTP/L2TP: provide options to require or refuse individual authentication protocols || Toni Cunyat
|-
| Bug #14 || Enhancement || openvpn - add ability on server to limit connection to clients with existing configuration files || Daniil Baturin
|-
| Bug #19 || Enhancement || Add support for 802.1ad "Q-in-Q" VLANs || Kim Hagen
|-
| Bug #21 || Enhancement || Add the ability to adjust system ARP settings via the CLI on a per interface basis || Kim Hagen
|-
| Bug #37 || Enhancement || Add Linux Standards Base release package || Kim Hagen, Daniil Baturin
|-
| Bug #39 || Enhancement || Add op-mode commands to send gratuitous ARP messages || Daniil Baturin
|-
| Bug #45 || Minor || better input validation could avoid messy iptables error output for misconfigured ports || Daniil Baturin
|-
| Bug #71 || Minor || "show system memory cache" gives "permission denied" message || Kim Hagen
|-
| Bug #73 || Enhancement || Make Ctrl-Alt-Del behaviour configurable || hydrajump
|-
| Bug #82 || Enhancement || Add support for Hyper-v vlan trunking || Kernel developers
|-
| Bug #86 || Minor || Qos Bug with multiple class match rules || Ubiquiti (Stig Thormodsrud), Carl Byington
|-
| Bug #87 || Trivial || Values for "authoritative" option don't show up in completion || Daniil Baturin
|-
| Bug #97 || Text || System shows "Linux vyatta 3.3.8-1-amd64-vyatta" at login || Daniil Baturin
|-
| Bug #99 || Minor || build-iso README is outdated || Daniil Baturin
|-
| Bug #100 || Enhancement || Automate build environment setup || Hiroyuki Sato
|-
| Bug #102 || Trivial || No completion for as-path-list in route-map rule || Daniil Baturin
|-
| Bug #104 || Enhancement || Add an option to remove private information from displayed config || Daniil Baturin
|-
| Bug #108 || Enhancement || Utilize Linux-specific implementation of RFC1337 || Daniil Baturin
|-
| Bug #115 || Minor || Syntax: CLI allows users to commit namespaces reserved by IPTables (MARK, CONNMARK, etc.) || Daniil Baturin
|-
| Bug #122 || Minor || DHCPv6 server lease file is written to /var/log which is not preserved through image upgrades || Daniil Baturin
|-
| Bug #128 || Trivial || IpSet.pm still calls ipset for each port in a port-range making a complex firewall boot last ages || Paweł Pierścionek, Daniil Baturin
|-
| Bug #129 || Text || Extra quote in "set protocols ospf distance global" help string || Trick van Staveren
|-
| Bug #147 || Enhancement || Please implement BCP38 (Reverse Path Filtering) || Ubiquiti (Stig Thormodsrud)
|-
| Bug #149 || Enhancement || Please implement VrrpV6 || Florian Fuessl
|-
| Bug #152 || Enhancement || Router Advertisement RFC4191 Specific Routes and RFC6106 DNS configuration not implemented in CLI and VyOS configuration || Ivan Malyarchuk
|-
| Bug #159 || Enhancement || Feature Request: Support for "dummy" interface configuration || Daniil Baturin
|-
| Bug #160 || Minor || Invalid DHCP configuration can cause dhcpd to silently fail || Alex Harpin
|-
| Bug #170 || Enhancement || Add unmanaged L2TPv3 support || Yuya Kusakabe
|-
| Bug #171 || Minor || Non-optimal partition alignment in installer || hydrajump, Daniil Baturin
|-
| Bug #178 || Major || Please *don't* remove non-PAE capability || Daniil Baturin
|-
| Bug #181 || Minor || Check to verify private key may fail for certain valid keys || Ralf Ertzinger
|-
| Bug #182 || Minor || System DHCP client behavior overrides hard-coded DNS settings || Alex Harpin
|-
| Bug #186 || Enhancement || RIP passive-interface "default" missing from config template || Kim Hagen
|-
| Bug #195 || Enhancement || Send message to remote syslog server over UDP or TCP || Abdelouahed Haitoute
|-
| Bug #196 || Enhancement || Add smuxpeer in snmpd.conf || Abdelouahed Haitoute
|-
| Bug #197 || Enhancement || Add support for additional DH groups to IPsec || Ryan Riske
|-
| Bug #200 || Major || UNIONTYPE=overlayfs seems to break helium iso builds since 2014-04-25 || Patrick van Staveren, Hiroyuki Sato, Kim Hagen, Daniil Baturin
|-
| Bug #204 || Minor || wireless-hostapd: ensure the cipher value given is used by hostapd || Alex Harpin
|-
| Bug #205 || Minor || wireless-hostapd: set the default ciphers to CCMP TKIP || Alex Harpin
|-
| Bug #218 || Text || traffic-policy help is hard to understand || Hiroyuki Sato
|-
| Bug #220 || Enhancement || Add support for SHA2 hashes || Ryan Riske
|-
| Bug #221 || Minor || Openvpn server mode makes remote client lose default openvpn on dhcp renew || Toni Cunyat
|-
| Bug #222 || Enhancement || Initial IKEv2 Support || Jeff Leung
|-
| Bug #223 || Minor || Remove automatic IKE version negotiation || Jeff Leung
|-
| Bug #224 || Enhancement || Initial MOBIKE Configuration Support || Jeff Leung
|-
| Bug #225 || Minor || wireless-config: fix "use of uninitialized value" warning || Alex Harpin
|-
| Bug #230 || Major || radvd only respecting last interface in radvd.conf || Daniil Baturin
|-
| Bug #233 || Major || task-scheduler: restart script missing || Ubiquiti (Stig Thormodsrud)
|-
| Bug #234 || Minor || task-scheduler should verify valid cron file name || Ubiquiti (Stig Thormodsrud)
|-
| Bug #237 || Enhancement || Add support for cipher and macs overrides in SSH server || neutralrockets
|-
| Bug #239 || Enhancement || Getting the version number by using dpkg will not work when upgrading to newer version of debian. || Kim Hagen
|-
| Bug #241 || Major || IPsec VPN allows protected traffic out unencrypted before IKE negotiation completes || Ryan Riske
|-
| Bug #245 || Minor || vyos constant "failed to get vmstats" spam to /var/log/messages from vmware-tools vmsvc || Kim Hagen
|-
| Bug #246 || Enhancement || Allow configuring/changing VyOS Linux bridge /sys multicast IGMP querier settings || Daniil Baturin
|-
| Bug #247 || Major || VyOS helium Linux 3.13 kernel .config doesn't have vmxnet3 driver enabled/available || Kim Hagen
|-
| Bug #250 || Trivial || Helium build fails with "Untrusted packages could compromise your system's security" || Alex Harpin
|-
| Bug #251 || Enhancement || Add ability to convert config mode "show" output to set commands || Daniil Baturin
|-
| Bug #255 || Minor || dnsmasq returns to clients requesting the VyOS router's name || Daniil Baturin, Paul Gear
|-
| Bug #256 || Major || Configuration of L2TPv3 is not loaded after reboot || ftoyama
|-
| Bug #258 || Major || Unable to add l2tp_ip module for L2TPv3 over ip || ftoyama
|-
| Bug #259 || Major || unable to delete tunnel || Daniil Baturin
|-
| Bug #261 || Minor || Quotes in snmpd.conf sysLocation and sysContact not required || Alex Harpin
|-
| Bug #263 || Major || vyos-kernel: enable atheros wireless drivers in the helium 3.13 kernel || Alex Harpin
|-
| Bug #265 || Trivial || linux-firmware: remove deprecated ar9170usb firmware || Alex Harpin
|-
| Bug #266 || Major || vyos-kernel: enable atheros HTC drivers in the helium 3.13 kernel || Alex Harpin
|-
| Bug #267 || Major || vyos-kernel: enable atheros USB drivers in the helium 3.13 kernel || Alex Harpin
|-
| Bug #268 || Major || linux-firmware: add carl9170 firmware required by kernel module || Alex Harpin
|-
| Bug #269 || Trivial || GRUB menu says it's an AWS AMI even if it's not || Daniil Baturin
|-
| Bug #270 || Enhancement || Add an option to always replace default route || Ewald van Geffen
|-
| Bug #271 || Enhancement || Add an event handling mechanism || Daniil Baturin, Jon Andersson
|-
| Bug #274 || Trivial || IPv6 RA "send-advert", "other-config-flag", and "managed-flag" lack value completion || Daniil Baturin
|-
| Bug #276 || Enhancement || vyos-kernel: update config files for the latest kernel || Alex Harpin
|-
| Bug #280 || Enhancement || vyos-kernel: enable realtek rtl8723ae kernel modules for all configs || Alex Harpin
|-
| Bug #281 || Enhancement || vyos-kernel: enable kernel stack overflow protection for all configs || Alex Harpin
|-
| Bug #283 || Enhancement || vyos-kernel: disable kernel debugging for all configs || Alex Harpin
|-
| Bug #295 || Minor || wireless-hostapd: set default ciphers used based on the wpa mode || Alex Harpin
|-
| Bug #296 || Text || Tidy up output on "show dhcp server leases" || Alex Harpin
|-
| Bug #297 || Enhancement || Sticky incoming connection support for WLB || Ewald van Geffen
|-
| Bug #300 || Major || Entering configuration mode as root screws up running config permissions || Daniil Baturin
|-
| Bug #301 || Major || Enable VXLAN kernel module for 586-vyos kernel version || Alex Harpin
|-
| Bug #303 || Minor || tail is not working (tailing) || Alex Harpin, Daniil Baturin
|-
| Bug #305 || Minor || Allow interfaces with dhcp addresses to be deleted || Alex Harpin
|-
| Bug #306 || Enhancement || Add proxy_arp_pvlan support || Shane Short, Daniil Baturin
|-
| Bug #309 || Enhancement || Expand 'set system allow-dhcp-nameservers' logic || Alex Harpin
|-
| Bug #314 || Enhancement || Rename allow-dhcp-nameservers and change to typeless || Alex Harpin
|-
| Bug #317 || Enhancement || vyatta-cfg-vpn: add libnfnetlink-dev to build dependencies || Alex Harpin
|-
| Bug #318 || Enhancement || Add support for persistent tunnels (--persist-tun) in OpenVPN || Alex Harpin
|-
| Bug #320 || Text || Tidy up output on "show openvpn <type> status" messages || Alex Harpin
|-
| Bug #321 || Major || Shaping does not work for PPPoE interfaces || Alex Harpin
|-
| Bug #326 || Major || Import patch from Redhat for CVE-2014-7169 || Alex Harpin, Daniil Baturin
|-
| Bug #331 || Trivial || Show vpn ipsec status always returns "no IP on interface..." || Trick van Staveren
|-
| Bug #332 || Minor || Prevent duplicate local rsa key includes || Alex Harpin
|-
| Bug #333 || Major || Return correct path for pppoe or pppoa interfaces || Alex Harpin
|-
| Bug #337 || Major || After upgrade from 1.0.3 to 1.1.0beta1, VRRP unable to communicate with other node || Daniil Baturin
|-
| Bug #341 || Minor || Allow dhcp and dhcpv6 addresses to be deleted || Alex Harpin
|}


* Added the "tools/setup-vyos-build-env" script, which automatically sets up the basic ISO build dependencies.



Release date: 2014/12/8

Download: http://packages.vyos.net/iso/release/1.1.1/



=== Known issues / workarounds ===

Due to an issue with the OpenSSL package used for Helium, the 64-bit image released for 1.1.0 caused segmentation faults when using SSH on this platform. This is due to a failure of the SSH host key creation process on this platform. The 1.1.1 release contains a downgraded version of the OpenSSL package, correcting this issue, while this is investigated (Bug #345).


{| class="wikitable"
! Bug ID !! Severity !! Title !! Contributor
|-
| Bug #147 || Enhancement || Please implement BCP38 (Reverse Path Filtering) || Ubiquiti Networks (Stig Thormodsrud), Ryan Riske
|-
| Bug #191 || Minor || ipv6 BGP Clear via soft in/out || agusr
|-
| Bug #312 || Minor || OpenVPN CLI allows remote and local address to be the same || Daniil Baturin
|-
| Bug #334 || Minor || DHCP sends incorrect hostname to client when use-host-decl-names is on || Alex Harpin
|-
| Bug #336 || Major || Login block deleted on reboot when user does not have password || Alex Harpin
|-
| Bug #340 || Minor || configuration backup command doesn't work || Alex Harpin
|-
| Bug #342 || Minor || Password reset only works for the "vyos" user || Alex Harpin
|-
| Bug #350 || Major || LDAP Auth through VyOS || Daniil Baturin
|-
| Bug #351 || Major || There is a mistake in squid.conf || Daniil Baturin
|-
| Bug #354 || Major || PPTP doesn't work when required authentication protocol is not specified || Daniil Baturin
|-
| Bug #355 || Enhancement || vyatta-cfg-system: set default vyos password hash to sha-512 when reset || Alex Harpin
|-
| Bug #364 || Minor || ppp potential local privilege escalation CVE-2014-3158 || Toni Cunyat
|-
| Bug #381 || Major || VxLAN's "link" option does not work || Hiroshi Umehara
|}


Release date: 2015 January 22


Several vulnerabilities in NTP have been fixed: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295.


Before the fix for Bug #415 the system allowed using "authentication remote-id" option for peers with "@something names" but didn't use it in any way; it used to be undefined and undocumented behaviour. Now remote-id option overrides the peer name id in this case. If you left it configured by mistake in a "@something" peer, remove it.


{| class="wikitable"
! Bug ID !! Severity !! Title !! Contributor
|-
| Bug #345 || Major || SSH command returns "Segmentation fault" || Debian team, Hiroyuki Sato, Alex Harpin
|-
| Bug #348 || Minor || Pre-shared key regex is too restrictive || Daniil Baturin
|-
| Bug #350 || Major || Squidguard is built without LDAP support || Igor Golubkov, Alex Harpin
|-
| Bug #358 || Major || Can't reach other side of VTI IPsec tunnel but can see packets on VTI interface || Alex Harpin
|-
| Bug #388 || Major || IKEv2 SA's are not shown in "show vpn ipsec sa" || Jason Hendry
|-
| Bug #395 || Major || IKEv2 Strongswan Re-Authentication Bug || Jason Hendry
|-
| Bug #396 || Minor || Fix "show vpn ike sa" when reauth=no || Jason Hendry
|-
| Bug #398 || Minor || "show vpn ipsec sa" does not show left/right subnets with IKEv2 || Jason Hendry
|-
| Bug #403 || Major || Multiple users changing the running config may cause config subsystem internal errors || Alex Harpin
|-
| Bug #405 || Major || VTI Routing broken over ipsec || Alex Harpin
|-
| Bug #411 || Minor || Loading SSH key with spaces in comment fails || Jared Baldridge
|-
| Bug #414 || Minor || Site-to-site IPsec config script doesn't quote local id properly || Daniil Baturin
|-
| Bug #415 || Minor || remote-id option doesn't override rightid for peers with @id names || Daniil Baturin
|-
| Bug #418 || Major || ntp: import RedHat patch to fix CVE-2014-9293 || RedHat
|-
| Bug #419 || Minor || ntp: import RedHat patch to fix CVE-2014-9294 || RedHat
|-
| Bug #420 || Major || ntp: import RedHat patch to fix CVE-2014-9295 || RedHat
|-
| Bug #421 || Minor || ntp: import RedHat patch to fix CVE-2014-9296 || RedHat
|-
| Bug #431 || Minor || IKEv2 SA Information Sometimes Fails || Jason Hendry
|-
| Bug #438 || Minor || show host domain replies (none) || Alex Harpin
|-
| Bug #451 || Trivial || Update pre-shared secret key help for single quotes || Alex Harpin
|}


Release date: 2015 January 28




Release date: 2015 March 09




The operational mode command "show shutdown" has been renamed to "show poweroff".


{| class="wikitable"
! Bug ID !! Severity !! Title !! Contributor
|-
| Bug #35 || Minor || Unable to configure webproxy listen-address when it's associated with an OpenVPN tunnel interface || Igor Golubkov, Alex Harpin
|-
| Bug #130 || Minor || VRRP group description is not displayed || Alex Harpin
|-
| Bug #298 || Minor || On shutdown the SSH session on the client does not get disconnected || Alex Harpin
|-
| Bug #329 || Minor || L2TP IPSec does not accept connections if PSK contains special characters || Alex Harpin
|-
| Bug #343 || Minor || "Malformed lease" when we have an abandoned DHCP lease || Alex Harpin
|-
| Bug #367 || Minor || Incorrect PFS config generation in DMVPN || Kim Hagen
|-
| Bug #377 || Trivial || Pipe (for conversion) to commands should only be available in config context || Daniil Baturin
|-
| Bug #382 || Minor || Removing system ipv6 forwarding causes script error || Carl Byington, Hiroyuki Sato
|-
| Bug #400 || Major || OpenVPN denial of service vulnerability (CVE-2014-8104) || OpenVPN maintainers
|-
| Bug #401 || Minor || IKEv2 SA Info not displaying when rekeying is disabled || Jason Hendry
|-
| Bug #402 || Minor || "show vpn ike sa" displays the wrong information for DH-group || Jason Hendry
|-
| Bug #423 || Major || Webproxy ldap auth with spaces in binddn and ldap port with squidGuard || Igor Golubkov
|-
| Bug #433 || Minor || reject-unconfigured-clients statement does not work || Sean Maguire, Alex Harpin
|-
| Bug #441 || Minor || wan-load-balance service does not reliably daemonize || Chris Wadge, Alex Harpin
|-
| Bug #453 || Text || vyatta-wireless: update wpa passphrase help for single quotes || Alex Harpin
|-
| Bug #460 || Enhancement || vyatta-op: update the system poweroff cli command to be script based || Alex Harpin
|-
| Bug #461 || Enhancement || vyatta-op: replace 'show shutdown' with 'show poweroff' and use script || Alex Harpin
|-
| Bug #468 || Minor || resolv.conf - invalid format causing extra DNS request || Andreas Sundstrom, Alex Harpin
|-
| Bug #483 || Enhancement || linux-firmware: add Intel iwlwifi firmwares || Firmware authors
|-
| Bug #487 || Trivial || Non-committed firewall names do not autocomplete || Daniil Baturin
|-
| Bug #490 || Major || Can't commit dhcpv6-options for client on ethernet interface || Daniil Baturin
|-
| Bug #491 || Minor || DHCPv6 client CLI allows temporary and parameters-only to be configured at the same time || Daniil Baturin
|-
| Bug #492 || Minor || DHCPv6 client CLI doesn't fail commit in case of errors || Daniil Baturin
|-
| Bug #498 || Major || Operator level users are allowed to execute remote commands via SSH || Daniil Baturin
|}


Release date: 2015 March 25



The following security issues were fixed in 0.9.8zf:

  • CVE-2015-0287 (memory corruption in ASN.1 parsing).
  • CVE-2015-0286 (denial of service in ASN1_TYPE_cmp() function).
  • CVE-2015-0289 (NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service).
  • CVE-2015-0293 (denial of service via a crafted SSLv2 CLIENT-MASTER-KEY message).
  • CVE-2015-0209 (malformed EC private key may result in memory corruption).
  • CVE-2015-0288 (missing input sanitising in the X509_to_X509_REQ() function might result in denial of service).


{| class="wikitable"
! Bug ID !! Severity !! Title !! Contributor
|-
| Bug #473 || Minor || VIF Interfaces do not set MTU properly at boot for Jumbo Frames || Alex Harpin
|-
| Bug #508 || Major || dhcpv6-options doesn't work on VIF interfaces || Benjamin Beret
|-
| Bug #521 || Major || If a quagga daemon crashes, it can't be restarted || Daniil Baturin
|-
| Bug #522 || Major || Update OpenSSL to upstream version 0.9.8zf || OpenSSL developers, Alex Harpin (packaging)
|-
| Bug #528 || Major || Removing "address-family ipv6-unicast" from a BGP neighbor removes the whole neighbor || Daniil Baturin
|-
| Bug #529 || Trivial || vyatta-cfg-quagga builds useless packages || Daniil Baturin
|}


Release date: 2015/08/17




{| class="wikitable"
! Bug ID !! Severity !! Title !! Contributor
|-
| Bug #406 || Minor || No completion for uncommitted firewall group names in rulesets || Daniil Baturin
|-
| Bug #434 || Minor || Client configuration file not configured unless client options present || Alex Harpin
|-
| Bug #509 || Text || Top Level CLI help Merge bad formatting || Alex Harpin
|-
| Bug #517 || Minor || commit-archive with scp location fails on self signed ssh keys || Alex Harpin
|-
| Bug #541 || Major || Creation of L2TPv3 interface with IPv6 endpoints fails || Daniil Baturin
|-
| Bug #557 || Major || 'delete system login user' doesn't remove the user || Alex Harpin
|-
| Bug #567 || Minor || The strip-private command fails to remove SSH keys || Alex Harpin
|-
| Bug #573 || Major || missing encrypted-password breaks user config node || Alex Harpin
|}