Overview

Welcome to the 2009 (September 2020) version of DANOS.

The DANOS 2009 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 19.11 version of DPDK, and the 7.3.1 version of FRR.

Important changes

Reminder about the default username and password

The default LiveCD and ONIE image username and password changed in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.

As part of the installation process, the user has to manually enter a username and password. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.

New Features

Integration of ntop's nDPI engine into the match criteria for firewall rules

Full details about this feature can be found on the Deep Packet Inspection page.

resources group application-group <group-name> description <value>

resources group application-group <group-name> engine ndpi name <name>
resources group application-group <group-name> engine ndpi protocol <protocol>
resources group application-group <group-name> engine ndpi type <type>

security application firewall name <ruleset-name>
security application firewall name <ruleset-name> description <value>
security application firewall name <ruleset-name> no-match-action accept
security application firewall name <ruleset-name> no-match-action drop
security application firewall name <ruleset-name> rule <rule-number>
security application firewall name <ruleset-name> rule <rule-number> action accept
security application firewall name <ruleset-name> rule <rule-number> action drop
security application firewall name <ruleset-name> rule <rule-number> description <value>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi
security application firewall name <ruleset-name> rule <rule-number> engine ndpi name <application-name>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol <application-protocol>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi type <application-type>
security firewall name <ruleset-name> rule <tagnode> session application firewall <value>

show application engine ndpi name <value>
show application engine ndpi type <value>

User-defined applications

User-defined applications can be defined using L3 / L4 rules. These user-defined applications can then be integrated into "security application firewall" and "resources group application-group" configurations.

service application rule <rule-number>
service application rule <rule-number> description <value>
service application rule <rule-number> destination address <value>
service application rule <rule-number> destination mac-address <value>
service application rule <rule-number> destination port <value>
service application rule <rule-number> disable
service application rule <rule-number> dscp [ af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 ]
service application rule <rule-number> dscp [ cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | va ]
service application rule <rule-number> dscp-group <value>
service application rule <rule-number> ethertype <value>
service application rule <rule-number> icmp
service application rule <rule-number> icmp group <value>
service application rule <rule-number> icmp name [ TOS-host-redirect | TOS-host-unreachable | TOS-network-redirect | TOS-network-unreachable ]
service application rule <rule-number> icmp name [ address-mask-reply | address-mask-request | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmp name [ echo-reply | echo-request | fragmentation-needed | host-precedence-violation | host-prohibited ]
service application rule <rule-number> icmp name [ host-redirect | host-unknown | host-unreachable | ip-header-bad | network-prohibited ]
service application rule <rule-number> icmp name [ network-redirect | network-unknown | network-unreachable | parameter-problem ]
service application rule <rule-number> icmp name [ port-unreachable | precedence-cutoff | protocol-unreachable | redirect ]
service application rule <rule-number> icmp name [ required-option-missing | router-advertisement | router-solicitation | source-quench ]
service application rule <rule-number> icmp name [ source-route-failed | time-exceeded | timestamp-reply | timestamp-request ]
service application rule <rule-number> icmp name [ ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmp type <type-number>
service application rule <rule-number> icmp type <type-number> code <value>
service application rule <rule-number> icmpv6
service application rule <rule-number> icmpv6 group <value>
service application rule <rule-number> icmpv6 name [ address-unreachable | bad-header | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmpv6 name [ echo-reply | echo-request | mobile-prefix-advertisement | mobile-prefix-solicitation ]
service application rule <rule-number> icmpv6 name [ multicast-listener-done | multicast-listener-query | multicast-listener-report ]
service application rule <rule-number> icmpv6 name [ neighbor-advertisement | neighbor-solicitation | no-route | packet-too-big ]
service application rule <rule-number> icmpv6 name [ parameter-problem | port-unreachable | redirect | router-advertisement ]
service application rule <rule-number> icmpv6 name [ router-solicitation | time-exceeded | ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmpv6 name [ unknown-header-type | unknown-option ]
service application rule <rule-number> icmpv6 type <type-number>
service application rule <rule-number> icmpv6 type <type-number> code <value>
service application rule <rule-number> ipv6-route
service application rule <rule-number> ipv6-route type <value>
service application rule <rule-number> log
service application rule <rule-number> pcp <value>
service application rule <rule-number> protocol <value>
service application rule <rule-number> protocol-group <value>
service application rule <rule-number> source address <value>
service application rule <rule-number> source mac-address <value>
service application rule <rule-number> source port <value>
service application rule <rule-number> tcp
service application rule <rule-number> tcp flags <value>
service application rule <rule-number> then name <value>
service application rule <rule-number> then protocol <value>
service application rule <rule-number> then type <type-value>

security application firewall name <ruleset-name> rule <rule-number> group <application-group-name>
security application firewall name <ruleset-name> rule <rule-number> engine user
security application firewall name <ruleset-name> rule <rule-number> engine user name <value>
security application firewall name <ruleset-name> rule <rule-number> engine user protocol <value>
security application firewall name <ruleset-name> rule <rule-number> engine user type <value>

resources group application-group <group-name> engine user name <name>
resources group application-group <group-name> engine user protocol <protocol>
resources group application-group <group-name> engine user type <type>
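The following configuration is an added example, not part of the original release notes, that ties together the nDPI integration and the user-defined application commands listed above into one default-drop application policy. The interface name dp0p1s1, the nDPI application name "HTTP", the application and group names, and the 'action accept' and 'firewall in' keywords under 'security firewall name' and 'interfaces dataplane' are assumed and are not taken from this page.

```text
# Added example (not DANOS project configuration). Assumed values: interface
# dp0p1s1, nDPI name "HTTP", and the 'action' / 'firewall in' keywords
# inherited from the Vyatta-style CLI.

# 1. User-defined application: TCP traffic to port 8443 is classified as
#    the application "corp-portal" of protocol "corp-tls" (both names constructed).
set service application rule 10 protocol tcp
set service application rule 10 destination port 8443
set service application rule 10 then name corp-portal
set service application rule 10 then protocol corp-tls

# 2. Group the user-defined application so that policies reference the group,
#    not the individual application.
set resources group application-group ALLOWED-APPS description "Applications permitted from the LAN"
set resources group application-group ALLOWED-APPS engine user name corp-portal

# 3. Application firewall: accept HTTP as classified by the nDPI engine and
#    anything in the group; every other classified session is dropped.
set security application firewall name LAN-APPS description "Default-drop application policy"
set security application firewall name LAN-APPS rule 10 engine ndpi name HTTP
set security application firewall name LAN-APPS rule 10 action accept
set security application firewall name LAN-APPS rule 20 group ALLOWED-APPS
set security application firewall name LAN-APPS rule 20 action accept
set security application firewall name LAN-APPS no-match-action drop

# 4. Stateful L3/L4 rule that hands its sessions to the application firewall
#    for classification ('action accept' is assumed Vyatta-style syntax).
set security firewall name LAN-IN rule 10 action accept
set security firewall name LAN-IN rule 10 session application firewall LAN-APPS

# 5. Apply the L3/L4 ruleset inbound on the LAN interface (assumed syntax).
set interfaces dataplane dp0p1s1 firewall in LAN-IN
commit
```

The operational command `show application engine ndpi name <value>` listed above can be used to confirm that the engine recognises an application name before it is referenced in a rule.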

Intermediate System to Intermediate System (IS-IS) routing protocol

interfaces dataplane <tagnode> ip isis instance <value>
interfaces dataplane <tagnode> isis circuit-type level-1
interfaces dataplane <tagnode> isis circuit-type level-1-2
interfaces dataplane <tagnode> isis circuit-type level-2-only
interfaces dataplane <tagnode> isis hello-interval level-1 <value>
interfaces dataplane <tagnode> isis hello-interval level-2 <value>
interfaces dataplane <tagnode> isis metric level-1 <value>
interfaces dataplane <tagnode> isis metric level-2 <value>
interfaces dataplane <tagnode> isis network point-to-point
interfaces dataplane <tagnode> isis passive
interfaces dataplane <tagnode> isis password
interfaces dataplane <tagnode> isis password clear <value>
interfaces dataplane <tagnode> isis password md5 <value>
interfaces dataplane <tagnode> isis priority level-1 <value>
interfaces dataplane <tagnode> isis priority level-2 <value>
interfaces dataplane <tagnode> vif <tagnode> ip isis instance <value>

interfaces loopback <tagnode> ip isis instance <value>
interfaces loopback <tagnode> isis circuit-type level-1
interfaces loopback <tagnode> isis circuit-type level-1-2
interfaces loopback <tagnode> isis circuit-type level-2-only
interfaces loopback <tagnode> isis hello-interval level-1 <value>
interfaces loopback <tagnode> isis hello-interval level-2 <value>
interfaces loopback <tagnode> isis metric level-1 <value>
interfaces loopback <tagnode> isis metric level-2 <value>
interfaces loopback <tagnode> isis network point-to-point
interfaces loopback <tagnode> isis passive
interfaces loopback <tagnode> isis password
interfaces loopback <tagnode> isis password clear <value>
interfaces loopback <tagnode> isis password md5 <value>
interfaces loopback <tagnode> isis priority level-1 <value>
interfaces loopback <tagnode> isis priority level-2 <value>

protocols isis <area-tag>
protocols isis <area-tag> area-password clear <value>
protocols isis <area-tag> area-password md5 <value>
protocols isis <area-tag> default-information originate ipv4 <level>
protocols isis <area-tag> default-information originate ipv6 <level>
protocols isis <area-tag> domain-password clear <value>
protocols isis <area-tag> domain-password md5 <value>
protocols isis <area-tag> is-type level-1
protocols isis <area-tag> is-type level-1-2
protocols isis <area-tag> is-type level-2-only
protocols isis <area-tag> log-adjacency-changes
protocols isis <area-tag> lsp-gen-interval level-1 <value>
protocols isis <area-tag> lsp-gen-interval level-2 <value>
protocols isis <area-tag> lsp-mtu <value>
protocols isis <area-tag> lsp-refresh-interval level-1 <value>
protocols isis <area-tag> lsp-refresh-interval level-2 <value>
protocols isis <area-tag> max-lsp-lifetime level-1 <value>
protocols isis <area-tag> max-lsp-lifetime level-2 <value>
protocols isis <area-tag> metric-style narrow
protocols isis <area-tag> metric-style transition
protocols isis <area-tag> metric-style wide
protocols isis <area-tag> net <value>
protocols isis <area-tag> redistribute ipv4 bgp level-1
protocols isis <area-tag> redistribute ipv4 bgp level-2
protocols isis <area-tag> redistribute ipv4 connected level-1
protocols isis <area-tag> redistribute ipv4 connected level-2
protocols isis <area-tag> redistribute ipv4 kernel level-1
protocols isis <area-tag> redistribute ipv4 kernel level-2
protocols isis <area-tag> redistribute ipv4 ospf level-1
protocols isis <area-tag> redistribute ipv4 ospf level-2
protocols isis <area-tag> redistribute ipv4 rip level-1
protocols isis <area-tag> redistribute ipv4 rip level-2
protocols isis <area-tag> redistribute ipv4 static level-1
protocols isis <area-tag> redistribute ipv4 static level-2
protocols isis <area-tag> redistribute ipv6 bgp level-1
protocols isis <area-tag> redistribute ipv6 bgp level-2
protocols isis <area-tag> redistribute ipv6 connected level-1
protocols isis <area-tag> redistribute ipv6 connected level-2
protocols isis <area-tag> redistribute ipv6 kernel level-1
protocols isis <area-tag> redistribute ipv6 kernel level-2
protocols isis <area-tag> redistribute ipv6 ospf level-1
protocols isis <area-tag> redistribute ipv6 ospf level-2
protocols isis <area-tag> redistribute ipv6 rip level-1
protocols isis <area-tag> redistribute ipv6 rip level-2
protocols isis <area-tag> redistribute ipv6 static level-1
protocols isis <area-tag> redistribute ipv6 static level-2
protocols isis <area-tag> set-overload-bit
protocols isis <area-tag> spf-delay-ietf
protocols isis <area-tag> spf-delay-ietf holddown <value>
protocols isis <area-tag> spf-delay-ietf init-delay <value>
protocols isis <area-tag> spf-delay-ietf long-delay <value>
protocols isis <area-tag> spf-delay-ietf short-delay <value>
protocols isis <area-tag> spf-delay-ietf time-to-learn <value>
protocols isis <area-tag> spf-interval level-1 <value>
protocols isis <area-tag> spf-interval level-2 <value>

Originate firewall

The "originate" firewall allows the filtering of all router-originated traffic.

interfaces switch <name> vif <tagnode> firewall originate <value>
interfaces dataplane <tagnode> firewall originate <value>
interfaces loopback <tagnode> firewall originate <value>

Enhanced observability into the behaviour of the stateless/stateful firewall, zone-based firewall, local firewall, NAT and NAT64

show dataplane statistics firewall ip
show dataplane statistics firewall ip brief
show dataplane statistics firewall ip category <value>
show dataplane statistics firewall ip detail
show dataplane statistics firewall ip interface <value>
show dataplane statistics firewall ip non-zero
show dataplane statistics firewall ip6
show dataplane statistics firewall ip6 brief
show dataplane statistics firewall ip6 category <value>
show dataplane statistics firewall ip6 detail
show dataplane statistics firewall ip6 interface <value>
show dataplane statistics firewall ip6 non-zero
show dataplane statistics firewall l2
show dataplane statistics firewall l2 brief
show dataplane statistics firewall l2 category <value>
show dataplane statistics firewall l2 detail
show dataplane statistics firewall l2 interface <value>
show dataplane statistics firewall l2 non-zero
show dataplane statistics firewall local
show dataplane statistics firewall local brief
show dataplane statistics firewall local category <value>
show dataplane statistics firewall local detail
show dataplane statistics firewall local interface <value>
show dataplane statistics firewall local non-zero
show dataplane statistics nat64
show dataplane statistics nat64 brief
show dataplane statistics nat64 category <value>
show dataplane statistics nat64 detail
show dataplane statistics nat64 interface <value>
show dataplane statistics nat64 non-zero

clear dataplane statistics firewall
clear dataplane statistics firewall ip
clear dataplane statistics firewall ip category <value>
clear dataplane statistics firewall ip direction <value>
clear dataplane statistics firewall ip interface <value>
clear dataplane statistics firewall ip6
clear dataplane statistics firewall ip6 category <value>
clear dataplane statistics firewall ip6 direction <value>
clear dataplane statistics firewall ip6 interface <value>
clear dataplane statistics firewall l2
clear dataplane statistics firewall l2 category <value>
clear dataplane statistics firewall l2 direction <value>
clear dataplane statistics firewall l2 interface <value>
clear dataplane statistics firewall local
clear dataplane statistics firewall local category <value>
clear dataplane statistics firewall local direction <value>
clear dataplane statistics firewall local interface <value>
clear dataplane statistics nat64
clear dataplane statistics nat64 category <value>
clear dataplane statistics nat64 direction <value>
clear dataplane statistics nat64 interface <value>

Logging Enhancements

This feature provides the ability to filter 'show log' output by time, to clear stored system logs, and to configure the amount of storage used for the system logs.

system journal storage size <value>

show journal
show journal level <value>
show journal level <value> since <value>
show journal level <value> since <value> until <value>
show journal level <value> until <value>
show journal since <value>
show journal since <value> until <value>
show journal tail
show journal tail <number> <number>
show journal until <value>
show log audit
show log cgnat
show log level <value> since <value>
show log level <value> since <value> until <value>
show log level <value> until <value>
show log since <value>
show log since <value> until <value>
show log until <value>

clear log

Protocol Dependent Mappings for SNAT

SNAT maps an internal source address and ID (where the ID can be a port number) to an external address and ID, allocating these from a given pool. This feature adds support for three separate pools rather than a single shared pool: one pool is used for assigning TCP ports, another for assigning UDP ports, and the third for ICMP and other protocols.

The following commands split out the TCP and UDP ports used.

show nat source statistics
show nat destination statistics
show nat nat64 rules

Address-group detail

The show command displays the contents of dataplane address-group lists.

The "optimal" option allows the user to determine the optimal set of subnets that may be used to represent an address-group.

show address-group ipv4 list
show address-group ipv4 optimal
show address-group ipv6 list
show address-group ipv6 optimal
show address-group name <value>
show address-group name <value> optimal
show address-group optimal

NETCONF - Rollback support

Rollback is a feature that is currently available on the configuration CLI. The "rollback" command allows reverting the configuration to a previously committed configuration, perhaps to return to a known good configuration, or undo experimental configuration changes. This feature adds new NETCONF RPCs that make the rollback operation available to NETCONF clients.

Configure tech-support archive to exclude command-line history

There may be cases where the customer does not want to include the shell command history in the tech-support archive, as this might contain sensitive information.

generate tech-support archive option exclude-command-history

copy file improvements

Expanded options for file copy.

copy file routing-instance <value> <value> to <value> skip-host-validation
copy file routing-instance <value> <value> to <value> source-interface <value> skip-host-validation
copy file routing-instance <value> <value> to <value> user <value> password <value> skip-host-validation
copy file routing-instance <value> <value> to <value> user <value> password <value> source-interface <value> skip-host-validation
copy file routing-instance <value> <value> to <value> user <value> skip-host-validation
copy file routing-instance <value> <value> to <value> user <value> source-interface <value> skip-host-validation
copy file <source> to <destination> skip-host-validation
copy file <source> to <destination> source-interface <interface> skip-host-validation
copy file <source> to <destination> user <user> password <password> skip-host-validation
copy file <source> to <destination> user <user> password <password> source-interface <interface> skip-host-validation
copy file <source> to <destination> user <user> skip-host-validation
copy file <source> to <destination> user <user> source-interface <interface> skip-host-validation

policy route route-map

Following the issue identified in https://danosproject.atlassian.net/browse/DAN-121, the following changes were made:

Removed:
  policy route route-map <tagnode> rule <tagnode> match extcommunity exact-match
  policy route route-map <tagnode> rule <tagnode> match ip source-protocol bgp
  policy route route-map <tagnode> rule <tagnode> match ip source-protocol connected
  policy route route-map <tagnode> rule <tagnode> match ip source-protocol kernel
  policy route route-map <tagnode> rule <tagnode> match ip source-protocol ospf
  policy route route-map <tagnode> rule <tagnode> match ip source-protocol rip
  policy route route-map <tagnode> rule <tagnode> match ip source-protocol static
  policy route route-map <tagnode> rule <tagnode> match ipv6 nexthop
  policy route route-map <tagnode> rule <tagnode> match ipv6 nexthop access-list <value>
  policy route route-map <tagnode> rule <tagnode> match ipv6 nexthop prefix-list <value>
  policy route route-map <tagnode> rule <tagnode> match ipv6 peer
  policy route route-map <tagnode> rule <tagnode> match ipv6 peer access-list <value>
  policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol bgp
  policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol connected
  policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol kernel
  policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol ospfv3
  policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol ripng
  policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol static
  policy route route-map <tagnode> rule <tagnode> set delete-extcommunity <value>
  policy route route-map <tagnode> rule <tagnode> set extcommunity rt <value>
  policy route route-map <tagnode> rule <tagnode> set level level-1
  policy route route-map <tagnode> rule <tagnode> set level level-1-2
  policy route route-map <tagnode> rule <tagnode> set level level-2
  policy route route-map <tagnode> rule <tagnode> set prepend-as own-as <value>

Added:
  policy route route-map <tagnode> rule <tagnode> match source-protocol bgp
  policy route route-map <tagnode> rule <tagnode> match source-protocol connected
  policy route route-map <tagnode> rule <tagnode> match source-protocol kernel
  policy route route-map <tagnode> rule <tagnode> match source-protocol ospf
  policy route route-map <tagnode> rule <tagnode> match source-protocol ospfv3
  policy route route-map <tagnode> rule <tagnode> match source-protocol rip
  policy route route-map <tagnode> rule <tagnode> match source-protocol ripng
  policy route route-map <tagnode> rule <tagnode> match source-protocol static

Reset vpn commands removed

Removed:
  reset vpn ipsec-profile <value>
  reset vpn ipsec-profile <value> tunnel <value>
  reset vpn ipsec-remote-access-client <value>
  reset vpn remote-access all
  reset vpn remote-access interface <value>
  reset vpn remote-access user <value>

New show commands for bonding members

show interfaces bonding <if-name> members
show interfaces bonding members

Resolved Security Vulnerabilities

The following security issues are resolved in this release:

  • CVE-2020-8619, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624: Debian DSA-4752-1 : bind9 - security update

  • CVE-2018-20346, CVE-2018-20506, CVE-2018-8740, CVE-2019-16168, CVE-2019-20218, CVE-2019-5827, CVE-2019-9936, CVE-2019-9937, CVE-2020-11655, CVE-2020-13434, CVE-2020-13630, CVE-2020-13632, CVE-2020-13871: Debian DLA-2340-1 : sqlite3 security update

  • CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1 : linux-5.4 new package

  • [DSA 4746-1] net-snmp security update

  • CVE-2020-16135: Debian DLA-2303-1 : libssh security update

  • CVE-2020-12762: Debian DLA-2301-1 : json-c security update

  • CVE-2019-5188: Debian DLA-2290-1 : e2fsprogs security update

  • CVE-2020-8177: Debian DLA-2295-1 : curl security update

  • CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707: Debian DSA-4735-1 : grub2 - security update

  • [DSA 4733-1] qemu security update

  • CVE-2019-18348, CVE-2020-8492, CVE-2020-14422: Debian DLA-2280-1 : python3.7 security update

  • [DSA 4728-1] qemu security update

  • [DSA 4723-1] xen security update

  • CVE-2018-19044, CVE-2018-19045, CVE-2018-19046: Insecure temporary file usage in keepalived

  • CVE-2020-3810: Debian DSA-4685-1 : apt - security update
