DANOS 2009 Release Notes

Overview

Welcome to the 2009 (September 2020) version of DANOS.

The DANOS 2009 release is based on Debian 10, with Linux kernel 5.4, DPDK 19.11 and FRR 7.3.1.

show version

    user@danos2009:~$ show version
    Version:      2009
    Description:  DANOS 2009 (DANOS:Shipping:2009:20200923)
    Built on:     Mon Oct 12 10:47:04 UTC 2020
    System type:  Intel 64bit
    Boot via:     image
    Hypervisor:   KVM
    HW model:     Bochs
    HW S/N:       Not Specified
    HW UUID:      dba075fa-259e-499d-99b5-83cf71e8b767
    Uptime:       13:39:04 up 2 min,  1 user,  load average: 1.64, 0.47, 0.16

Important changes

Reminder about the default username and password

The default LiveCD and ONIE image username and password changed in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.

As part of the installation process, the user has to manually enter a username and password. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.

New Features

Integration of ntop's nDPI engine into the match criteria for firewall rules

Full details about this feature can be found at https://danosproject.atlassian.net/wiki/spaces/DAN/pages/544243713/Deep+Packet+Inspection

    resources group application-group <group-name> description <value>
    resources group application-group <group-name> engine ndpi name <name>
    resources group application-group <group-name> engine ndpi protocol <protocol>
    resources group application-group <group-name> engine ndpi type <type>
    security application firewall name <ruleset-name>
    security application firewall name <ruleset-name> description <value>
    security application firewall name <ruleset-name> no-match-action accept
    security application firewall name <ruleset-name> no-match-action drop
    security application firewall name <ruleset-name> rule <rule-number>
    security application firewall name <ruleset-name> rule <rule-number> action accept
    security application firewall name <ruleset-name> rule <rule-number> action drop
    security application firewall name <ruleset-name> rule <rule-number> description <value>
    security application firewall name <ruleset-name> rule <rule-number> engine ndpi
    security application firewall name <ruleset-name> rule <rule-number> engine ndpi name <application-name>
    security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol <application-protocol>
    security application firewall name <ruleset-name> rule <rule-number> engine ndpi type <application-type>
    security firewall name <ruleset-name> rule <tagnode> session application firewall <value>
    show application engine ndpi name <value>
    show application engine ndpi type <value>

User-defined applications

User-defined applications can be defined using L3 / L4 rules. These user-defined applications can then be integrated into "security application firewall" and "resources group application-group" configurations.

    service application rule <rule-number>
    service application rule <rule-number> description <value>
    service application rule <rule-number> destination address <value>
    service application rule <rule-number> destination mac-address <value>
    service application rule <rule-number> destination port <value>
    service application rule <rule-number> disable
    service application rule <rule-number> dscp [ af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 ]
    service application rule <rule-number> dscp [ cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | va ]
    service application rule <rule-number> dscp-group <value>
    service application rule <rule-number> ethertype <value>
    service application rule <rule-number> icmp
    service application rule <rule-number> icmp group <value>
    service application rule <rule-number> icmp name [ TOS-host-redirect | TOS-host-unreachable | TOS-network-redirect | TOS-network-unreachable ]
    service application rule <rule-number> icmp name [ address-mask-reply | address-mask-request | communication-prohibited | destination-unreachable ]
    service application rule <rule-number> icmp name [ echo-reply | echo-request | fragmentation-needed | host-precedence-violation | host-prohibited ]
    service application rule <rule-number> icmp name [ host-redirect | host-unknown | host-unreachable | ip-header-bad | network-prohibited ]
    service application rule <rule-number> icmp name [ network-redirect | network-unknown | network-unreachable | parameter-problem ]
    service application rule <rule-number> icmp name [ port-unreachable | precedence-cutoff | protocol-unreachable | redirect ]
    service application rule <rule-number> icmp name [ required-option-missing | router-advertisement | router-solicitation | source-quench ]
    service application rule <rule-number> icmp name [ source-route-failed | time-exceeded | timestamp-reply | timestamp-request ]
    service application rule <rule-number> icmp name [ ttl-zero-during-reassembly | ttl-zero-during-transit ]
    service application rule <rule-number> icmp type <type-number>
    service application rule <rule-number> icmp type <type-number> code <value>
    service application rule <rule-number> icmpv6
    service application rule <rule-number> icmpv6 group <value>
    service application rule <rule-number> icmpv6 name [ address-unreachable | bad-header | communication-prohibited | destination-unreachable ]
    service application rule <rule-number> icmpv6 name [ echo-reply | echo-request | mobile-prefix-advertisement | mobile-prefix-solicitation ]
    service application rule <rule-number> icmpv6 name [ multicast-listener-done | multicast-listener-query | multicast-listener-report ]
    service application rule <rule-number> icmpv6 name [ neighbor-advertisement | neighbor-solicitation | no-route | packet-too-big ]
    service application rule <rule-number> icmpv6 name [ parameter-problem | port-unreachable | redirect | router-advertisement ]
    service application rule <rule-number> icmpv6 name [ router-solicitation | time-exceeded | ttl-zero-during-reassembly | ttl-zero-during-transit ]
    service application rule <rule-number> icmpv6 name [ unknown-header-type | unknown-option ]
    service application rule <rule-number> icmpv6 type <type-number>
    service application rule <rule-number> icmpv6 type <type-number> code <value>
    service application rule <rule-number> ipv6-route
    service application rule <rule-number> ipv6-route type <value>
    service application rule <rule-number> log
    service application rule <rule-number> pcp <value>
    service application rule <rule-number> protocol <value>
    service application rule <rule-number> protocol-group <value>
    service application rule <rule-number> source address <value>
    service application rule <rule-number> source mac-address <value>
    service application rule <rule-number> source port <value>
    service application rule <rule-number> tcp
    service application rule <rule-number> tcp flags <value>
    service application rule <rule-number> then name <value>
    service application rule <rule-number> then protocol <value>
    service application rule <rule-number> then type <type-value>
    security application firewall name <ruleset-name> rule <rule-number> group <application-group-name>
    security application firewall name <ruleset-name> rule <rule-number> engine user
    security application firewall name <ruleset-name> rule <rule-number> engine user name <value>
    security application firewall name <ruleset-name> rule <rule-number> engine user protocol <value>
    security application firewall name <ruleset-name> rule <rule-number> engine user type <value>
    resources group application-group <group-name> engine user name <name>
    resources group application-group <group-name> engine user protocol <protocol>
    resources group application-group <group-name> engine user type <type>

Intermediate System to Intermediate System (IS-IS) routing protocol

    interfaces dataplane <tagnode> ip isis instance <value>
    interfaces dataplane <tagnode> isis circuit-type level-1
    interfaces dataplane <tagnode> isis circuit-type level-1-2
    interfaces dataplane <tagnode> isis circuit-type level-2-only
    interfaces dataplane <tagnode> isis hello-interval level-1 <value>
    interfaces dataplane <tagnode> isis hello-interval level-2 <value>
    interfaces dataplane <tagnode> isis metric level-1 <value>
    interfaces dataplane <tagnode> isis metric level-2 <value>
    interfaces dataplane <tagnode> isis network point-to-point
    interfaces dataplane <tagnode> isis passive
    interfaces dataplane <tagnode> isis password
    interfaces dataplane <tagnode> isis password clear <value>
    interfaces dataplane <tagnode> isis password md5 <value>
    interfaces dataplane <tagnode> isis priority level-1 <value>
    interfaces dataplane <tagnode> isis priority level-2 <value>
    interfaces dataplane <tagnode> vif <tagnode> ip isis instance <value>
    interfaces loopback <tagnode> ip isis instance <value>
    interfaces loopback <tagnode> isis circuit-type level-1
    interfaces loopback <tagnode> isis circuit-type level-1-2
    interfaces loopback <tagnode> isis circuit-type level-2-only
    interfaces loopback <tagnode> isis hello-interval level-1 <value>
    interfaces loopback <tagnode> isis hello-interval level-2 <value>
    interfaces loopback <tagnode> isis metric level-1 <value>
    interfaces loopback <tagnode> isis metric level-2 <value>
    interfaces loopback <tagnode> isis network point-to-point
    interfaces loopback <tagnode> isis passive
    interfaces loopback <tagnode> isis password
    interfaces loopback <tagnode> isis password clear <value>
    interfaces loopback <tagnode> isis password md5 <value>
    interfaces loopback <tagnode> isis priority level-1 <value>
    interfaces loopback <tagnode> isis priority level-2 <value>
    protocols isis <area-tag>
    protocols isis <area-tag> area-password clear <value>
    protocols isis <area-tag> area-password md5 <value>
    protocols isis <area-tag> default-information originate ipv4 <level>
    protocols isis <area-tag> default-information originate ipv6 <level>
    protocols isis <area-tag> domain-password clear <value>
    protocols isis <area-tag> domain-password md5 <value>
    protocols isis <area-tag> is-type level-1
    protocols isis <area-tag> is-type level-1-2
    protocols isis <area-tag> is-type level-2-only
    protocols isis <area-tag> log-adjacency-changes
    protocols isis <area-tag> lsp-gen-interval level-1 <value>
    protocols isis <area-tag> lsp-gen-interval level-2 <value>
    protocols isis <area-tag> lsp-mtu <value>
    protocols isis <area-tag> lsp-refresh-interval level-1 <value>
    protocols isis <area-tag> lsp-refresh-interval level-2 <value>
    protocols isis <area-tag> max-lsp-lifetime level-1 <value>
    protocols isis <area-tag> max-lsp-lifetime level-2 <value>
    protocols isis <area-tag> metric-style narrow
    protocols isis <area-tag> metric-style transition
    protocols isis <area-tag> metric-style wide
    protocols isis <area-tag> net <value>
    protocols isis <area-tag> redistribute ipv4 bgp level-1
    protocols isis <area-tag> redistribute ipv4 bgp level-2
    protocols isis <area-tag> redistribute ipv4 connected level-1
    protocols isis <area-tag> redistribute ipv4 connected level-2
    protocols isis <area-tag> redistribute ipv4 kernel level-1
    protocols isis <area-tag> redistribute ipv4 kernel level-2
    protocols isis <area-tag> redistribute ipv4 ospf level-1
    protocols isis <area-tag> redistribute ipv4 ospf level-2
    protocols isis <area-tag> redistribute ipv4 rip level-1
    protocols isis <area-tag> redistribute ipv4 rip level-2
    protocols isis <area-tag> redistribute ipv4 static level-1
    protocols isis <area-tag> redistribute ipv4 static level-2
    protocols isis <area-tag> redistribute ipv6 bgp level-1
    protocols isis <area-tag> redistribute ipv6 bgp level-2
    protocols isis <area-tag> redistribute ipv6 connected level-1
    protocols isis <area-tag> redistribute ipv6 connected level-2
    protocols isis <area-tag> redistribute ipv6 kernel level-1
    protocols isis <area-tag> redistribute ipv6 kernel level-2
    protocols isis <area-tag> redistribute ipv6 ospf level-1
    protocols isis <area-tag> redistribute ipv6 ospf level-2
    protocols isis <area-tag> redistribute ipv6 rip level-1
    protocols isis <area-tag> redistribute ipv6 rip level-2
    protocols isis <area-tag> redistribute ipv6 static level-1
    protocols isis <area-tag> redistribute ipv6 static level-2
    protocols isis <area-tag> set-overload-bit
    protocols isis <area-tag> spf-delay-ietf
    protocols isis <area-tag> spf-delay-ietf holddown <value>
    protocols isis <area-tag> spf-delay-ietf init-delay <value>
    protocols isis <area-tag> spf-delay-ietf long-delay <value>
    protocols isis <area-tag> spf-delay-ietf short-delay <value>
    protocols isis <area-tag> spf-delay-ietf time-to-learn <value>
    protocols isis <area-tag> spf-interval level-1 <value>
    protocols isis <area-tag> spf-interval level-2 <value>

Operational commands are in this hierarchy:

    user@danos2009:~$ show protocols isis
    Possible completions:
      database        Show ISIS Link state database
      hostname        Show IS-IS Dynamic hostname mapping
      interface       Show ISIS interface
      mpls-te         Show MPLS-TE specific commands
      neighbor        Show ISIS neighbor adjacencies
      spf-delay-ietf  Show SPF delay IETF information
      summary         Show summary
      topology        Show IS-IS paths to Intermediate Systems

    user@danos2009:~$ monitor protocol isis
    Possible completions:
      disable         Disable ISIS Monitor
      enable          Enable ISIS Monitor

    user@danos2009:~$

Originate firewall

The "originate" firewall allows filtering of all traffic originated by the router itself.

    interfaces switch <name> vif <tagnode> firewall originate <value>
    interfaces dataplane <tagnode> firewall originate <value>
    interfaces loopback <tagnode> firewall originate <value>

Enhanced observability into the behaviour of the stateless/stateful firewall, zone-based firewall, local firewall, NAT and NAT64

    show dataplane statistics firewall ip
    show dataplane statistics firewall ip brief
    show dataplane statistics firewall ip category <value>
    show dataplane statistics firewall ip detail
    show dataplane statistics firewall ip interface <value>
    show dataplane statistics firewall ip non-zero
    show dataplane statistics firewall ip6
    show dataplane statistics firewall ip6 brief
    show dataplane statistics firewall ip6 category <value>
    show dataplane statistics firewall ip6 detail
    show dataplane statistics firewall ip6 interface <value>
    show dataplane statistics firewall ip6 non-zero
    show dataplane statistics firewall l2
    show dataplane statistics firewall l2 brief
    show dataplane statistics firewall l2 category <value>
    show dataplane statistics firewall l2 detail
    show dataplane statistics firewall l2 interface <value>
    show dataplane statistics firewall l2 non-zero
    show dataplane statistics firewall local
    show dataplane statistics firewall local brief
    show dataplane statistics firewall local category <value>
    show dataplane statistics firewall local detail
    show dataplane statistics firewall local interface <value>
    show dataplane statistics firewall local non-zero
    show dataplane statistics nat64
    show dataplane statistics nat64 brief
    show dataplane statistics nat64 category <value>
    show dataplane statistics nat64 detail
    show dataplane statistics nat64 interface <value>
    show dataplane statistics nat64 non-zero
    clear dataplane statistics firewall
    clear dataplane statistics firewall ip
    clear dataplane statistics firewall ip category <value>
    clear dataplane statistics firewall ip direction <value>
    clear dataplane statistics firewall ip interface <value>
    clear dataplane statistics firewall ip6
    clear dataplane statistics firewall ip6 category <value>
    clear dataplane statistics firewall ip6 direction <value>
    clear dataplane statistics firewall ip6 interface <value>
    clear dataplane statistics firewall l2
    clear dataplane statistics firewall l2 category <value>
    clear dataplane statistics firewall l2 direction <value>
    clear dataplane statistics firewall l2 interface <value>
    clear dataplane statistics firewall local
    clear dataplane statistics firewall local category <value>
    clear dataplane statistics firewall local direction <value>
    clear dataplane statistics firewall local interface <value>
    clear dataplane statistics nat64
    clear dataplane statistics nat64 category <value>
    clear dataplane statistics nat64 direction <value>
    clear dataplane statistics nat64 interface <value>

Logging Enhancements

This feature provides the ability to filter 'show log' output based on time, clear stored system logs, and to configure the amount of storage used for the system logs.

    system journal storage size <value>
    show journal
    show journal level <value>
    show journal level <value> since <value>
    show journal level <value> since <value> until <value>
    show journal level <value> until <value>
    show journal since <value>
    show journal since <value> until <value>
    show journal tail
    show journal tail <number> <number>
    show journal until <value>
    show log audit
    show log cgnat
    show log level <value> since <value>
    show log level <value> since <value> until <value>
    show log level <value> until <value>
    show log since <value>
    show log since <value> until <value>
    show log until <value>
    clear log

Protocol Dependent Mappings for SNAT

SNAT maps an internal source address and ID (where the ID can be a port number) to an external address and ID, allocating these from a given pool. This feature adds support for three separate pools rather than a single shared pool: one pool is used for assigning TCP ports, another for assigning UDP ports, and the third for ICMP and all other protocols.

The following commands split out the TCP and UDP ports used.

    show nat source statistics
    show nat destination statistics
    show nat nat64 rules
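The per-protocol pool split described above, as an added illustration written for these notes rather than DANOS dataplane code: a small Python model of SNAT mappings that compares one shared ID pool with the three per-protocol pools, showing that exhausting the TCP pool no longer starves UDP (or ICMP). Addresses and port ranges are constructed sample values.

```python
"""Model of SNAT ID allocation: one shared pool versus per-protocol pools."""
from typing import Dict, Optional, Tuple

Mapping = Tuple[str, int]       # (external address, external ID)
FlowKey = Tuple[str, str, int]  # (protocol, internal address, internal ID)


class IdPool:
    """A pool of external IDs (ports for TCP/UDP, identifiers for ICMP)."""

    def __init__(self, lo: int, hi: int) -> None:
        self.free = list(range(hi, lo - 1, -1))  # pop() hands out `lo` first

    def alloc(self) -> Optional[int]:
        return self.free.pop() if self.free else None

    def release(self, ext_id: int) -> None:
        self.free.append(ext_id)


class SnatMapper:
    """Maps (proto, internal addr, internal ID) -> (external addr, external ID).

    per_protocol=True models this release: separate pools for TCP, UDP and
    everything else. per_protocol=False models the earlier single shared pool.
    """

    def __init__(self, ext_addr: str, lo: int, hi: int, per_protocol: bool) -> None:
        self.ext_addr = ext_addr
        if per_protocol:
            self.pools: Dict[str, IdPool] = {
                "tcp": IdPool(lo, hi), "udp": IdPool(lo, hi), "other": IdPool(lo, hi)}
        else:
            shared = IdPool(lo, hi)
            self.pools = {"tcp": shared, "udp": shared, "other": shared}
        self.table: Dict[FlowKey, Mapping] = {}

    def _pool(self, proto: str) -> IdPool:
        # ICMP and any protocol without its own pool share the "other" pool
        return self.pools.get(proto, self.pools["other"])

    def translate(self, proto: str, src_addr: str, src_id: int) -> Optional[Mapping]:
        """Return the flow's existing mapping or allocate one; None when the pool is exhausted."""
        key = (proto, src_addr, src_id)
        if key in self.table:
            return self.table[key]
        ext_id = self._pool(proto).alloc()
        if ext_id is None:
            return None
        self.table[key] = (self.ext_addr, ext_id)
        return self.table[key]

    def expire(self, proto: str, src_addr: str, src_id: int) -> None:
        """Drop a mapping (session timeout) and return its ID to the pool it came from."""
        mapping = self.table.pop((proto, src_addr, src_id), None)
        if mapping is not None:
            self._pool(proto).release(mapping[1])


def exhaustion_demo(per_protocol: bool) -> Tuple[int, bool]:
    """Open TCP flows until allocation fails, then try one UDP flow.

    Returns (TCP mappings obtained, whether the UDP flow still got a mapping).
    """
    nat = SnatMapper("203.0.113.1", lo=40000, hi=40003, per_protocol=per_protocol)  # constructed
    tcp_ok = 0
    for port in range(50000, 50010):  # ten TCP flows against a four-ID pool
        if nat.translate("tcp", "10.0.0.5", port) is not None:
            tcp_ok += 1
    udp_ok = nat.translate("udp", "10.0.0.6", 5060) is not None
    return tcp_ok, udp_ok


if __name__ == "__main__":
    print("shared pool  :", exhaustion_demo(per_protocol=False))  # (4, False)
    print("per-protocol :", exhaustion_demo(per_protocol=True))   # (4, True)
```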

Address-group detail

The show command displays the contents of dataplane address-group lists.

The "optimal" option allows the user to determine the optimal set of subnets that may be used to represent an address-group.

    show address-group ipv4 list
    show address-group ipv4 optimal
    show address-group ipv6 list
    show address-group ipv6 optimal
    show address-group name <value>
    show address-group name <value> optimal
    show address-group optimal
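The difference between the "list" and "optimal" views, as an added example that is not DANOS code: the Python below, using only the standard ipaddress module, expands an address-group's entries and then collapses them into the smallest set of prefixes covering the same addresses. The entry syntax (host, CIDR prefix, or start-end range) and the sample group are assumptions made for this example.

```python
"""Collapse an address-group's entries into the optimal (smallest) set of subnets."""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(entry: str) -> List[Net]:
    """Parse one entry: a single host, a CIDR prefix, or a 'start-end' range.

    The entry syntax is an assumption made for this example, not DANOS's grammar.
    """
    entry = entry.strip()
    if "-" in entry:
        start, end = (part.strip() for part in entry.split("-", 1))
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if last < first:
            raise ValueError(f"range end precedes start: {entry}")
        # A range is expanded to the prefixes that exactly tile it
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]


def _expand(entries: Iterable[str]) -> List[Net]:
    nets: List[Net] = []
    for entry in entries:
        nets.extend(parse_entry(entry))
    return nets


def list_entries(entries: Iterable[str]) -> List[str]:
    """The 'list' view: every entry as configured, overlaps and adjacency kept."""
    return [str(n) for n in _expand(entries)]


def optimal_subnets(entries: Iterable[str]) -> List[str]:
    """The 'optimal' view: minimal prefixes covering exactly the same addresses.

    Adjacent prefixes are merged and prefixes contained in others are dropped.
    IPv4 and IPv6 are collapsed separately because they can never be merged.
    """
    nets = _expand(entries)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in collapsed]


SAMPLE_GROUP = [  # constructed sample address-group
    "10.0.0.0/25", "10.0.0.128/25",        # two halves of a /24
    "10.0.0.77",                           # a host already inside that /24
    "192.168.1.0-192.168.1.255",           # a range that is exactly a /24
    "172.16.0.0-172.16.0.6",               # a range that needs several prefixes
    "2001:db8::/64", "2001:db8:0:1::/64",  # two adjacent IPv6 /64s
]

if __name__ == "__main__":
    print("list   :", list_entries(SAMPLE_GROUP))
    print("optimal:", optimal_subnets(SAMPLE_GROUP))
```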

NETCONF - Rollback support

Rollback is a feature that is currently available on the configuration CLI. The "rollback" command allows reverting the configuration to a previously committed configuration, perhaps to return to a known good configuration, or undo experimental configuration changes. This feature adds new NETCONF RPCs that make the rollback operation available to NETCONF clients.

Configure tech-support archive to exclude command-line history

There may be cases where the customer does not want to include the shell command history in the tech-support archive, as this might contain sensitive information.

    generate tech-support archive option exclude-command-history

copy file improvements

Expanded options for file copy.

    copy file routing-instance <value> <value> to <value> skip-host-validation
    copy file routing-instance <value> <value> to <value> source-interface <value> skip-host-validation
    copy file routing-instance <value> <value> to <value> user <value> password <value> skip-host-validation
    copy file routing-instance <value> <value> to <value> user <value> password <value> source-interface <value> skip-host-validation
    copy file routing-instance <value> <value> to <value> user <value> skip-host-validation
    copy file routing-instance <value> <value> to <value> user <value> source-interface <value> skip-host-validation
    copy file <source> to <destination> skip-host-validation
    copy file <source> to <destination> source-interface <interface> skip-host-validation
    copy file <source> to <destination> user <user> password <password> skip-host-validation
    copy file <source> to <destination> user <user> password <password> source-interface <interface> skip-host-validation
    copy file <source> to <destination> user <user> skip-host-validation
    copy file <source> to <destination> user <user> source-interface <interface> skip-host-validation

policy route route-map

Following the issue identified in https://danosproject.atlassian.net/browse/DAN-121, the following changes were made:

Removed:

    policy route route-map <tagnode> rule <tagnode> match extcommunity exact-match
    policy route route-map <tagnode> rule <tagnode> match ip source-protocol bgp
    policy route route-map <tagnode> rule <tagnode> match ip source-protocol connected
    policy route route-map <tagnode> rule <tagnode> match ip source-protocol kernel
    policy route route-map <tagnode> rule <tagnode> match ip source-protocol ospf
    policy route route-map <tagnode> rule <tagnode> match ip source-protocol rip
    policy route route-map <tagnode> rule <tagnode> match ip source-protocol static
    policy route route-map <tagnode> rule <tagnode> match ipv6 nexthop
    policy route route-map <tagnode> rule <tagnode> match ipv6 nexthop access-list <value>
    policy route route-map <tagnode> rule <tagnode> match ipv6 nexthop prefix-list <value>
    policy route route-map <tagnode> rule <tagnode> match ipv6 peer
    policy route route-map <tagnode> rule <tagnode> match ipv6 peer access-list <value>
    policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol bgp
    policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol connected
    policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol kernel
    policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol ospfv3
    policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol ripng
    policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol static
    policy route route-map <tagnode> rule <tagnode> set delete-extcommunity <value>
    policy route route-map <tagnode> rule <tagnode> set extcommunity rt <value>
    policy route route-map <tagnode> rule <tagnode> set level level-1
    policy route route-map <tagnode> rule <tagnode> set level level-1-2
    policy route route-map <tagnode> rule <tagnode> set level level-2
    policy route route-map <tagnode> rule <tagnode> set prepend-as own-as <value>

Added:

    policy route route-map <tagnode> rule <tagnode> match source-protocol bgp
    policy route route-map <tagnode> rule <tagnode> match source-protocol connected
    policy route route-map <tagnode> rule <tagnode> match source-protocol kernel
    policy route route-map <tagnode> rule <tagnode> match source-protocol ospf
    policy route route-map <tagnode> rule <tagnode> match source-protocol ospfv3
    policy route route-map <tagnode> rule <tagnode> match source-protocol rip
    policy route route-map <tagnode> rule <tagnode> match source-protocol ripng
    policy route route-map <tagnode> rule <tagnode> match source-protocol static

Reset vpn commands removed

Removed:

    reset vpn ipsec-profile <value>
    reset vpn ipsec-profile <value> tunnel <value>
    reset vpn ipsec-remote-access-client <value>
    reset vpn remote-access all
    reset vpn remote-access interface <value>
    reset vpn remote-access user <value>

New show commands for bonding members

    show interfaces bonding <if-name> members
    show interfaces bonding members

Resolved Security Vulnerabilities

The following security issues are resolved in this release:

  • CVE-2020-8619, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624: Debian DSA-4752-1 : bind9 - security update

  • CVE-2018-20346, CVE-2018-20506, CVE-2018-8740, CVE-2019-16168, CVE-2019-20218, CVE-2019-5827, CVE-2019-9936, CVE-2019-9937, CVE-2020-11655, CVE-2020-13434, CVE-2020-13630, CVE-2020-13632, CVE-2020-13871: Debian DLA-2340-1 : sqlite3 security update

  • CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1 : linux-5.4 new package

  • [DSA 4746-1] net-snmp security update

  • CVE-2020-16135: Debian DLA-2303-1 : libssh security update

  • CVE-2020-12762: Debian DLA-2301-1 : json-c security update

  • CVE-2019-5188: Debian DLA-2290-1 : e2fsprogs security update

  • CVE-2020-8177: Debian DLA-2295-1 : curl security update

  • CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707: Debian DSA-4735-1 : grub2 - security update

  • [DSA 4733-1] qemu security update

  • CVE-2019-18348, CVE-2020-8492, CVE-2020-14422: Debian DLA-2280-1 : python3.7 security update

  • [DSA 4728-1] qemu security update

  • [DSA 4723-1] xen security update

  • CVE-2018-19044, CVE-2018-19045, CVE-2018-19046: Insecure temporary file usage in keepalived

  • CVE-2020-3810: Debian DSA-4685-1 : apt - security update