1.1.0/Release notes

From VyOS jp
Revision as of 04:40, 10 October 2014 (Fri) by Higebu (talk | contribs)


Overview

The 1.1.0 release (the "helium" branch) adds features on top of 1.0.x.

New features

Experimental features:

New pipes:

| strip-private — Removes private information from the output of the configuration mode "show" command.

# show system login | strip-private 
 user xxxxxx {
     authentication {
         encrypted-password xxxxxx
     }
     level admin
 }

| commands — Converts the output of the configuration mode "show" command into set-command form.

# show interfaces tunnel | commands 
set tunnel tun0 encapsulation 'gre'
set tunnel tun0 local-ip '10.46.1.242'
set tunnel tun0 remote-ip '10.91.19.1'

Upgrading

Vyatta Core and VyOS 1.0.x can be upgraded with "add system image". No special procedure is required.

CLI changes

Configuration mode

Changes to existing features:

| Command | Status | Comment |
|---|---|---|
| set interfaces ethernet ethX pppoe X disable | Added | Disables the PPPoE session. |
| set interfaces ethernet eth0 pppoe 0 default-route <auto none force> | Modified | Added the "force" option, which forces the PPPoE session to become the default route. |
| set vpn pptp remote-access authentication require <chap pap mschap mschap-v2> | Added | Requires a specific authentication protocol. |
| set interfaces openvpn vtunX server reject-unconfigured-clients | Added | Rejects clients that are not configured under "server client". (OpenVPN --ccd-exclusive option) |
| set interfaces openvpn <name> persistent-tunnel | Added | OpenVPN --persist-tun option. |
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip disable-arp-filter | Added | Disables arp-filter on the interface. |
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-accept | Added | Enables arp-accept on the interface. |
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-announce | Added | Enables arp-announce on the interface. |
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-ignore | Added | Enables arp-ignore on the interface. |
| set system options ctrl-alt-del-action <ignore reboot poweroff> | Added | Changes the Ctrl-Alt-Del behavior. (Default is ignore) |
| set firewall twa-hazards-protection <enable disable> | Added | Enables or disables protection against RFC1337 TIME-WAIT assassination hazards. |
| set interfaces <type> <name> ip source-validation <disable loose strict> | Added | Configures source validation on the interface. |
| set interfaces ethernet ethX ipv6 router-advert name-server <ipv6 address> | Added | Sets an RFC6106 name server to advertise in RAs. |
| set protocols rip passive-interface <interface-name or "default"> | Modified | Added the "default" option. |
| set system syslog host <host> facility <facility> protocol (tcp udp) | Added | Sets the remote syslog protocol to TCP or UDP. |
| set service snmp smux-peer <oid> | Added | Sets the SMUX peer OID. |
| set vpn ipsec ike-group <group> proposal <proposal> dh-group <2 5 14-26> | Modified | dh-group now accepts 14 through 26 in addition to 2 and 5. |
| set vpn ipsec <ike-group esp-group> proposal <proposal> hash <md5 sha1 sha256 sha384 sha512> | Modified | Added SHA2. |
| set vpn ipsec ike-group <group> key-exchange <ikev1 ikev2> | Added | Added IKEv2 as a key exchange protocol version and made IKEv2 the default. |
| set vpn ipsec ike-group <group> mobike <enable disable> | Added | Enables or disables MOBIKE. Disabled by default with IKEv1, enabled by default with IKEv2. |
| set service ssh ciphers <ciphers list> | Added | Restricts SSH ciphers to those in the list. |
| set interfaces ... ip proxy-arp-pvlan | Added | Enables private VLAN proxy ARP on the interface. |

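Operational mode

| Command | Status | Comment |
|---|---|---|
| restart webproxy clear-cache | Added | Clears the webproxy cache and restarts the process. (The cache cannot be cleared without a restart.) |
| force arp reply interface <interface name> address <MAC address> | Added | Sends a gratuitous ARP reply to the specified address. |
| force arp request interface <interface name> address <MAC address> | Added | Sends a gratuitous ARP request to the specified address. |
| show system memory cache | Modified | Displays kernel cache information. |
| show ip route cache | Deprecated | Returns nothing because the route cache has been removed from the kernel. |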

Behavior changes

| Command/action/component | Change | Previous behavior | Reason |
|---|---|---|---|
| run generate openvpn key <file> | Places the key file in /config/auth unless a full path is specified | Used to place it in current user home dir | Ease of use, persistence through upgrades |
| DHCPv6 server | DHCPv6 server leases are now stored in /config | Used to store it in /var/lib | Persistence through upgrades |
| Firewall groups | Firewall port-groups and address-groups now use native IPset range feature | Used to call IPset repeatedly for each member | Performance |
| Wireless | First offered cipher is now CCMP | Used to offer TKIP and then CCMP | Some broken clients use the first offered cipher |

Resolved issues

| Bug ID | Severity | Title | Contributor |
|---|---|---|---|
| Bug #2 | Enhancement | Add a command to clear the squid web proxy cache | Ewald van Geffen |
| Bug #7 | Enhancement | Descriptions for openvpn interfaces are invisible in "show interfaces" | Alex Harpin |
| Bug #8 | Enhancement | 'generate openvpn key <filename>' should place the key file in the appropriate/suggested directory (/config/auth) | Daniil Baturin |
| Bug #12 | Enhancement | Provide a config parameter to administratively disable a pppoe session. | Daniil Baturin |
| Bug #13 | Enhancement | PPTP/L2TP: provide options to require or refuse individual authentication protocols | Toni Cunyat |
| Bug #14 | Enhancement | openvpn - add ability on server to limit connection to clients with existing configuration files | Daniil Baturin |
| Bug #19 | Enhancement | Add support for 802.1ad "Q-in-Q" VLANs | Kim Hagen |
| Bug #21 | Enhancement | Add the ability to adjust system ARP settings via the CLI on a per interface basis | Kim Hagen |
| Bug #37 | Enhancement | Add Linux Standards Base release package | Kim Hagen, Daniil Baturin |
| Bug #39 | Enhancement | Add op-mode commands to send gratuitous ARP messages | Daniil Baturin |
| Bug #45 | Minor | better input validation could avoid messy iptables error output for misconfigured ports | Daniil Baturin |
| Bug #71 | Minor | "show system memory cache" gives "permission denied" message | Kim Hagen |
| Bug #73 | Enhancement | Make Ctrl-Alt-Del behaviour configurable | hydrajump |
| Bug #82 | Enhancement | Add support for Hyper-v vlan trunking | Kernel developers |
| Bug #86 | Minor | Qos Bug with multiple class match rules | Ubiquiti (Stig Thormodsrud), Carl Byington |
| Bug #87 | Trivial | Values for "authoritative" option don't show up in completion | Daniil Baturin |
| Bug #97 | Text | System shows "Linux vyatta 3.3.8-1-amd64-vyatta" at login | Daniil Baturin |
| Bug #99 | Minor | build-iso README is outdated | Daniil Baturin |
| Bug #100 | Enhancement | Automate build environment setup | Hiroyuki Sato |
| Bug #102 | Trivial | No completion for as-path-list in route-map rule | Daniil Baturin |
| Bug #104 | Enhancement | Add an option to remove private information from displayed config | Daniil Baturin |
| Bug #108 | Enhancement | Utilize Linux-specific implementation of RFC1337 | Daniil Baturin |
| Bug #115 | Minor | Syntax: CLI allows users to commit namespaces reserved by IPTables (MARK, CONNMARK, etc.) | Daniil Baturin |
| Bug #122 | Minor | DHCPv6 server lease file is written to /var/log which is not preserved through image upgrades | Daniil Baturin |
| Bug #128 | Trivial | IpSet.pm still calls ipset for each port in a port-range making a complex firewall boot last ages | Paweł Pierścionek, Daniil Baturin |
| Bug #129 | Text | Extra quote in "set protocols ospf distance global" help string | Trick van Staveren |
| Bug #147 | Enhancement | Please implement BCP38 (Reverse Path Filtering) | Ubiquiti (Stig Thormodsrud) |
| Bug #149 | Enhancement | Please implement VrrpV6 | Florian Fuessl |
| Bug #152 | Enhancement | Router Advertisement RFC4191 Specific Routes and RFC6106 DNS configuration not implemented in CLI and Vyos configuration | Ivan Malyarchuk |
| Bug #159 | Enhancement | Feature Request: Support for "dummy" interface configuration | Daniil Baturin |
| Bug #160 | Minor | Invalid DHCP configuration can cause dhcpd to silently fail | Alex Harpin |
| Bug #170 | Enhancement | Add unmanaged L2TPv3 support | Yuya Kusakabe |
| Bug #171 | Minor | Non-optimal partition alignment in installer | hydrajump, Daniil Baturin |
| Bug #178 | Major | Please *don't* remove non-PAE capability | Daniil Baturin |
| Bug #181 | Minor | Check to verify private key may fail for certain valid keys | Ralf Ertzinger |
| Bug #182 | Minor | System DHCP client behavior overrides hard-coded DNS settings | Alex Harpin |
| Bug #186 | Enhancement | RIP passive-interface "default" missing from config template | Kim Hagen |
| Bug #195 | Enhancement | Send message to remote syslog server over UDP or TCP | Abdelouahed Haitoute |
| Bug #196 | Enhancement | Add smuxpeer in snmpd.conf | Abdelouahed Haitoute |
| Bug #197 | Enhancement | Add support for additional DH groups to IPsec | Ryan Riske |
| Bug #200 | Major | UNIONTYPE=overlayfs seems to break helium iso builds since 2014-04-25 | Patrick van Staveren, Hiroyuki Sato, Kim Hagen, Daniil Baturin |
| Bug #204 | Minor | wireless-hostapd: ensure the cipher value given is used by hostapd | Alex Harpin |
| Bug #205 | Minor | wireless-hostapd: set the default ciphers to CCMP TKIP | Alex Harpin |
| Bug #218 | Text | traffic-policy help is hard to understand | Hiroyuki Sato |
| Bug #220 | Enhancement | Add support for SHA2 hashes | Ryan Riske |
| Bug #221 | Minor | Openvpn server mode makes remote client lose default openvpn on dhcp renew | Toni Cunyat |
| Bug #222 | Enhancement | Initial IKEv2 Support | Jeff Leung |
| Bug #223 | Minor | Remove automatic IKE version negotiation | Jeff Leung |
| Bug #224 | Enhancement | Initial MOBIKE Configuration Support | Jeff Leung |
| Bug #225 | Minor | wireless-config: fix "use of uninitialized value" warning | Alex Harpin |
| Bug #230 | Major | radvd only respecting last interface in radvd.conf | Daniil Baturin |
| Bug #233 | Major | task-scheduler: restart script missing | Ubiquiti (Stig Thormodsrud) |
| Bug #234 | Minor | task-scheduler should verify valid cron file name | Ubiquiti (Stig Thormodsrud) |
| Bug #237 | Enhancement | Add support for cipher and macs overrides in SSH server | neutralrockets |
| Bug #239 | Enhancement | Getting the version number by using dpkg will not work when upgrading to newer version of debian. | Kim Hagen |
| Bug #241 | Major | IPsec VPN allows protected traffic out unencrypted before IKE negotiation completes | Ryan Riske |
| Bug #245 | Minor | vyos constant "failed to get vmstats" spam to /var/log/messages from vmware-tools vmsvc | Kim Hagen |
| Bug #246 | Enhancement | Allow configuring/changing VyOS Linux bridge /sys multicast IGMP querier settings | Daniil Baturin |
| Bug #247 | Major | VyOS helium Linux 3.13 kernel .config doesn't have vmxnet3 driver enabled/available | Kim Hagen |
| Bug #250 | Trivial | Helium build fail Cause "Untrusted packages could compromise your system's security" | Alex Harpin |
| Bug #251 | Enhancement | Add ability to convert config mode "show" output to set commands | Daniil Baturin |
| Bug #255 | Minor | dnsmasq returns 127.0.1.1 to clients requesting the VyOS router's name | Daniil Baturin, Paul Gear |
| Bug #256 | Major | When for reboot, Configuration of L2TPv3 is not load | ftoyama |
| Bug #258 | Major | Unable to add l2tp_ip module for L2TPv3 over ip | ftoyama |
| Bug #259 | Major | unable to delete tunnel | Daniil Baturin |
| Bug #261 | Minor | Quotes in snmpd.conf sysLocation and sysContact not required | Alex Harpin |
| Bug #263 | Major | vyos-kernel: enable atheros wireless drivers in the helium 3.13 kernel | Alex Harpin |
| Bug #265 | Trivial | linux-firmware: remove deprecated ar9170usb firmware | Alex Harpin |
| Bug #266 | Major | vyos-kernel: enable atheros HTC drivers in the helium 3.13 kernel | Alex Harpin |
| Bug #267 | Major | vyos-kernel: enable atheros USB drivers in the helium 3.13 kernel | Alex Harpin |
| Bug #268 | Major | linux-firmware: add carl9170 firmware required by kernel module | Alex Harpin |
| Bug #269 | Trivial | GRUB menu says it's an AWS AMI even if it's not | Daniil Baturin |
| Bug #270 | Enhancement | Add an option to always replace default route | Ewald van Geffen |
| Bug #271 | Enhancement | Add an event handling mechanism | Daniil Baturin, Jon Andersson |
| Bug #274 | Trivial | IPv6 RA "send-advert", "other-config-flag", and "managed-flag" lack value completion | Daniil Baturin |
| Bug #276 | Enhancement | vyos-kernel: update config files for the latest kernel | Alex Harpin |
| Bug #280 | Enhancement | vyos-kernel: enable realtek rtl8723ae kernel modules for all configs | Alex Harpin |
| Bug #281 | Enhancement | vyos-kernel: enable kernel stack overflow protection for all configs | Alex Harpin |
| Bug #283 | Enhancement | vyos-kernel: disable kernel debugging for all configs | Alex Harpin |
| Bug #295 | Minor | wireless-hostapd: set default ciphers used based on the wpa mode | Alex Harpin |
| Bug #296 | Text | Tidy up output on "show dhcp server leases" | Alex Harpin |
| Bug #297 | Enhancement | Sticky incoming connection support for WLB | Ewald van Geffen |
| Bug #300 | Major | Entering configuration mode as root screws up running config permissions | Daniil Baturin |
| Bug #301 | Major | Enable VXLAN kernel module for 586-vyos kernel version | Alex Harpin |
| Bug #303 | Minor | tail is not working (tailing) | Alex Harpin, Daniil Baturin |
| Bug #305 | Minor | Allow interfaces with dhcp addresses to be deleted | Alex Harpin |
| Bug #306 | Enhancement | Add proxy_arp_pvlan support | Shane Short, Daniil Baturin |
| Bug #309 | Enhancement | Expand 'set system allow-dhcp-nameservers' logic | Alex Harpin |
| Bug #314 | Enhancement | Rename allow-dhcp-nameservers and change to typeless | Alex Harpin |
| Bug #317 | Enhancement | vyatta-cfg-vpn: add libnfnetlink-dev to build dependencies | Alex Harpin |
| Bug #318 | Enhancement | Add support for persistent tunnels (--persist-tun) in OpenVPN | Alex Harpin |
| Bug #320 | Text | Tidy up output on "show openvpn <type> status" messages | Alex Harpin |
| Bug #321 | Major | Shaping does not work for PPPoE interfaces | Alex Harpin |
| Bug #326 | Major | Import patch from Redhat for CVE-2014-7169 | Alex Harpin, Daniil Baturin |
| Bug #331 | Trivial | Show vpn ipsec status always returns "no IP on interface..." | Trick van Staveren |
| Bug #332 | Minor | Prevent duplicate local rsa key includes | Alex Harpin |
| Bug #333 | Major | Return correct path for pppoe or pppoa interfaces | Alex Harpin |
| Bug #337 | Major | After upgrade from 1.0.3 to 1.1.0beta1, VRRP unable to communicate with other node | Daniil Baturin |
| Bug #341 | Minor | Allow dhcp and dhcpv6 addresses to be deleted | Alex Harpin |

Development environment changes

  • Added "tools/setup-vyos-build-env" script that automatically sets up basic ISO build dependencies.