/
DANOS 2009 Release Notes
DANOS 2009 Release Notes
- Scott Leishman
Owned by Scott Leishman
- 1 Overview
- 1.1 show version
- 2 Important changes
- 3 New Features
- 3.1 Integration of ntop's nDPI engine into the match criteria for firewall rules
- 3.2 User-defined applications
- 3.3 Intermediate System to Intermediate System (IS-IS) routing protocol
- 3.4 Originate firewall
- 3.5 Enhanced observability into the behaviour of the stateless/stateful firewall, zone-based firewall, local firewall, NAT and NAT64
- 3.6 Logging Enhancements
- 3.7 Protocol Dependent Mappings for SNAT
- 3.8 Address-group detail
- 3.9 NETCONF - Rollback support
- 3.10 Configure tech-support archive to exclude command-line history
- 3.11 copy file improvements
- 3.12 policy route route-map
- 3.13 Reset vpn commands removed
- 3.14 New show commands for bonding members
- 4 Resolved Security Vulnerabilities
Overview
Welcome to the 2009 (September 2020) version of DANOS.
The DANOS 2009 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 19.11 version of DPDK, and the 7.3.1 version of FRR.
show version
user@danos2009:~$ show version
Version: 2009
Description: DANOS 2009 (DANOS:Shipping:2009:20200923)
Built on: Mon Oct 12 10:47:04 UTC 2020
System type: Intel 64bit
Boot via: image
Hypervisor: KVM
HW model: Bochs
HW S/N: Not Specified
HW UUID: dba075fa-259e-499d-99b5-83cf71e8b767
Uptime: 13:39:04 up 2 min, 1 user, load average: 1.64, 0.47, 0.16 |
Important changes
Reminder about the default username and password
The default LiveCD and ONIE image username and password change in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.
As part of the installation process, the user has to manually enter a username and password. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.
New Features
Integration of ntop's nDPI engine into the match criteria for firewall rules
Full details about this feature can be found at Deep Packet Inspection
resources group application-group <group-name> description <value>
resources group application-group <group-name> engine ndpi name <name>
resources group application-group <group-name> engine ndpi protocol <protocol>
resources group application-group <group-name> engine ndpi type <type>
security application firewall name <ruleset-name>
security application firewall name <ruleset-name> description <value>
security application firewall name <ruleset-name> no-match-action accept
security application firewall name <ruleset-name> no-match-action drop
security application firewall name <ruleset-name> rule <rule-number>
security application firewall name <ruleset-name> rule <rule-number> action accept
security application firewall name <ruleset-name> rule <rule-number> action drop
security application firewall name <ruleset-name> rule <rule-number> description <value>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi
security application firewall name <ruleset-name> rule <rule-number> engine ndpi name <application-name>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol <application-protocol>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi type <application-type>
security firewall name <ruleset-name> rule <tagnode> session application firewall <value>
show application engine ndpi name <value>
show application engine ndpi type <value> |
User-defined applications
User-defined applications can be defined using L3 / L4 rules. These user-defined applications can then be integrated into "security application firewall" and "resources group application-group" configurations.
service application rule <rule-number>
service application rule <rule-number> description <value>
service application rule <rule-number> destination address <value>
service application rule <rule-number> destination mac-address <value>
service application rule <rule-number> destination port <value>
service application rule <rule-number> disable
service application rule <rule-number> dscp [ af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 ]
service application rule <rule-number> dscp [ cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | va ]
service application rule <rule-number> dscp-group <value>
service application rule <rule-number> ethertype <value>
service application rule <rule-number> icmp
service application rule <rule-number> icmp group <value>
service application rule <rule-number> icmp name [ TOS-host-redirect | TOS-host-unreachable | TOS-network-redirect | TOS-network-unreachable ]
service application rule <rule-number> icmp name [ address-mask-reply | address-mask-request | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmp name [ echo-reply | echo-request | fragmentation-needed | host-precedence-violation | host-prohibited ]
service application rule <rule-number> icmp name [ host-redirect | host-unknown | host-unreachable | ip-header-bad | network-prohibited ]
service application rule <rule-number> icmp name [ network-redirect | network-unknown | network-unreachable | parameter-problem ]
service application rule <rule-number> icmp name [ port-unreachable | precedence-cutoff | protocol-unreachable | redirect ]
service application rule <rule-number> icmp name [required-option-missing | router-advertisement | router-solicitation | source-quench ]
service application rule <rule-number> icmp name [ source-route-failed | time-exceeded | timestamp-reply | timestamp-request ]
service application rule <rule-number> icmp name [ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmp type <type-number>
service application rule <rule-number> icmp type <type-number> code <value>
service application rule <rule-number> icmpv6
service application rule <rule-number> icmpv6 group <value>
service application rule <rule-number> icmpv6 name [ address-unreachable | bad-header | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmpv6 name [ echo-reply | echo-request | mobile-prefix-advertisement | mobile-prefix-solicitation ]
service application rule <rule-number> icmpv6 name [ multicast-listener-done | multicast-listener-query | multicast-listener-report ]
service application rule <rule-number> icmpv6 name [ neighbor-advertisement | neighbor-solicitation | no-route | packet-too-big ]
service application rule <rule-number> icmpv6 name [ parameter-problem | port-unreachable | redirect | router-advertisement ]
service application rule <rule-number> icmpv6 name [ router-solicitation | time-exceeded | ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmpv6 name [ unknown-header-type | unknown-option ]
service application rule <rule-number> icmpv6 type <type-number>
service application rule <rule-number> icmpv6 type <type-number> code <value>
service application rule <rule-number> ipv6-route
service application rule <rule-number> ipv6-route type <value>
service application rule <rule-number> log
service application rule <rule-number> pcp <value>
service application rule <rule-number> protocol <value>
service application rule <rule-number> protocol-group <value>
service application rule <rule-number> source address <value>
service application rule <rule-number> source mac-address <value>
service application rule <rule-number> source port <value>
service application rule <rule-number> tcp
service application rule <rule-number> tcp flags <value>
service application rule <rule-number> then name <value>
service application rule <rule-number> then protocol <value>
service application rule <rule-number> then type <type-value>
security application firewall name <ruleset-name> rule <rule-number> group <application-group-name>
security application firewall name <ruleset-name> rule <rule-number> engine user
security application firewall name <ruleset-name> rule <rule-number> engine user name <value>
security application firewall name <ruleset-name> rule <rule-number> engine user protocol <value>
security application firewall name <ruleset-name> rule <rule-number> engine user type <value>
resources group application-group <group-name> engine user name <name>
resources group application-group <group-name> engine user protocol <protocol>
resources group application-group <group-name> engine user type <type> |
Intermediate System to Intermediate System (IS-IS) routing protocol
interfaces dataplane <tagnode> ip isis instance <value>
interfaces dataplane <tagnode> isis circuit-type level-1
interfaces dataplane <tagnode> isis circuit-type level-1-2
interfaces dataplane <tagnode> isis circuit-type level-2-only
interfaces dataplane <tagnode> isis hello-interval level-1 <value>
interfaces dataplane <tagnode> isis hello-interval level-2 <value>
interfaces dataplane <tagnode> isis metric level-1 <value>
interfaces dataplane <tagnode> isis metric level-2 <value>
interfaces dataplane <tagnode> isis network point-to-point
interfaces dataplane <tagnode> isis passive
interfaces dataplane <tagnode> isis password
interfaces dataplane <tagnode> isis password clear <value>
interfaces dataplane <tagnode> isis password md5 <value>
interfaces dataplane <tagnode> isis priority level-1 <value>
interfaces dataplane <tagnode> isis priority level-2 <value>
interfaces dataplane <tagnode> vif <tagnode> ip isis instance <value>
interfaces loopback <tagnode> ip isis instance <value>
interfaces loopback <tagnode> isis circuit-type level-1
interfaces loopback <tagnode> isis circuit-type level-1-2
interfaces loopback <tagnode> isis circuit-type level-2-only
interfaces loopback <tagnode> isis hello-interval level-1 <value>
interfaces loopback <tagnode> isis hello-interval level-2 <value>
interfaces loopback <tagnode> isis metric level-1 <value>
interfaces loopback <tagnode> isis metric level-2 <value>
interfaces loopback <tagnode> isis network point-to-point
interfaces loopback <tagnode> isis passive
interfaces loopback <tagnode> isis password
interfaces loopback <tagnode> isis password clear <value>
interfaces loopback <tagnode> isis password md5 <value>
interfaces loopback <tagnode> isis priority level-1 <value>
interfaces loopback <tagnode> isis priority level-2 <value>
protocols isis <area-tag>
protocols isis <area-tag> area-password clear <value>
protocols isis <area-tag> area-password md5 <value>
protocols isis <area-tag> default-information originate ipv4 <level>
protocols isis <area-tag> default-information originate ipv6 <level>
protocols isis <area-tag> domain-password clear <value>
protocols isis <area-tag> domain-password md5 <value>
protocols isis <area-tag> is-type level-1
protocols isis <area-tag> is-type level-1-2
protocols isis <area-tag> is-type level-2-only
protocols isis <area-tag> log-adjacency-changes
protocols isis <area-tag> lsp-gen-interval level-1 <value>
protocols isis <area-tag> lsp-gen-interval level-2 <value>
protocols isis <area-tag> lsp-mtu <value>
protocols isis <area-tag> lsp-refresh-interval level-1 <value>
protocols isis <area-tag> lsp-refresh-interval level-2 <value>
protocols isis <area-tag> max-lsp-lifetime level-1 <value>
protocols isis <area-tag> max-lsp-lifetime level-2 <value>
protocols isis <area-tag> metric-style narrow
protocols isis <area-tag> metric-style transition
protocols isis <area-tag> metric-style wide
protocols isis <area-tag> net <value>
protocols isis <area-tag> redistribute ipv4 bgp level-1
protocols isis <area-tag> redistribute ipv4 bgp level-2
protocols isis <area-tag> redistribute ipv4 connected level-1
protocols isis <area-tag> redistribute ipv4 connected level-2
protocols isis <area-tag> redistribute ipv4 kernel level-1
protocols isis <area-tag> redistribute ipv4 kernel level-2
protocols isis <area-tag> redistribute ipv4 ospf level-1
protocols isis <area-tag> redistribute ipv4 ospf level-2
protocols isis <area-tag> redistribute ipv4 rip level-1
protocols isis <area-tag> redistribute ipv4 rip level-2
protocols isis <area-tag> redistribute ipv4 static level-1
protocols isis <area-tag> redistribute ipv4 static level-2
protocols isis <area-tag> redistribute ipv6 bgp level-1
protocols isis <area-tag> redistribute ipv6 bgp level-2
protocols isis <area-tag> redistribute ipv6 connected level-1
protocols isis <area-tag> redistribute ipv6 connected level-2
protocols isis <area-tag> redistribute ipv6 kernel level-1
protocols isis <area-tag> redistribute ipv6 kernel level-2
protocols isis <area-tag> redistribute ipv6 ospf level-1
protocols isis <area-tag> redistribute ipv6 ospf level-2
protocols isis <area-tag> redistribute ipv6 rip level-1
protocols isis <area-tag> redistribute ipv6 rip level-2
protocols isis <area-tag> redistribute ipv6 static level-1
protocols isis <area-tag> redistribute ipv6 static level-2
protocols isis <area-tag> set-overload-bit
protocols isis <area-tag> spf-delay-ietf
protocols isis <area-tag> spf-delay-ietf holddown <value>
protocols isis <area-tag> spf-delay-ietf init-delay <value>
protocols isis <area-tag> spf-delay-ietf long-delay <value>
protocols isis <area-tag> spf-delay-ietf short-delay <value>
protocols isis <area-tag> spf-delay-ietf time-to-learn <value>
protocols isis <area-tag> spf-interval level-1 <value>
protocols isis <area-tag> spf-interval level-2 <value>Operational commands are in this hierarchy:
user@danos2009:~$ show protocols isis
Possible completions:
database Show ISIS Link state database
hostname Show IS-IS Dynamic hostname mapping
interface Show ISIS interface
mpls-te Show MPLS-TE specific commands
neighbor Show ISIS neighbor adjacencies
spf-delay-ietf Show SPF delay IETF information
summary Show summary
topology Show IS-IS paths to Intermediate Systems
user@danos2009:~$ monitor protocol isis
Possible completions:
disable Disable ISIS Monitor
enable Enable ISIS Monitor
user@danos2009:~$Originate firewall
The "originate" firewall allow the filtering of all router originated traffic.
interfaces switch <name> vif <tagnode> firewall originate <value>
interfaces dataplane <tagnode> firewall originate <value>
interfaces loopback <tagnode> firewall originate <value> |
Enhanced observability into the behaviour of the stateless/stateful firewall, zone-based firewall, local firewall, NAT and NAT64
show dataplane statistics firewall ip
show dataplane statistics firewall ip brief
show dataplane statistics firewall ip category <value>
show dataplane statistics firewall ip detail
show dataplane statistics firewall ip interface <value>
show dataplane statistics firewall ip non-zero
show dataplane statistics firewall ip6
show dataplane statistics firewall ip6 brief
show dataplane statistics firewall ip6 category <value>
show dataplane statistics firewall ip6 detail
show dataplane statistics firewall ip6 interface <value>
show dataplane statistics firewall ip6 non-zero
show dataplane statistics firewall l2
show dataplane statistics firewall l2 brief
show dataplane statistics firewall l2 category <value>
show dataplane statistics firewall l2 detail
show dataplane statistics firewall l2 interface <value>
show dataplane statistics firewall l2 non-zero
show dataplane statistics firewall local
show dataplane statistics firewall local brief
show dataplane statistics firewall local category <value>
show dataplane statistics firewall local detail
show dataplane statistics firewall local interface <value>
show dataplane statistics firewall local non-zero
show dataplane statistics nat64
show dataplane statistics nat64 brief
show dataplane statistics nat64 category <value>
show dataplane statistics nat64 detail
show dataplane statistics nat64 interface <value>
show dataplane statistics nat64 non-zero
clear dataplane statistics firewall
clear dataplane statistics firewall ip
clear dataplane statistics firewall ip category <value>
clear dataplane statistics firewall ip direction <value>
clear dataplane statistics firewall ip interface <value>
clear dataplane statistics firewall ip6
clear dataplane statistics firewall ip6 category <value>
clear dataplane statistics firewall ip6 direction <value>
clear dataplane statistics firewall ip6 interface <value>
clear dataplane statistics firewall l2
clear dataplane statistics firewall l2 category <value>
clear dataplane statistics firewall l2 direction <value>
clear dataplane statistics firewall l2 interface <value>
clear dataplane statistics firewall local
clear dataplane statistics firewall local category <value>
clear dataplane statistics firewall local direction <value>
clear dataplane statistics firewall local interface <value>
clear dataplane statistics nat64
clear dataplane statistics nat64 category <value>
clear dataplane statistics nat64 direction <value>
clear dataplane statistics nat64 interface <value> |
Logging Enhancements
This feature provides the ability to filter 'show log' output based on time, clear stored system logs, and to configure the amount of storage used for the system logs.
system journal storage size <value>
show journal
show journal level <value>
show journal level <value> since <value>
show journal level <value> since <value> until <value>
show journal level <value> until <value>
show journal since <value>
show journal since <value> until <value>
show journal tail
show journal tail <number> <number>
show journal until <value>
show log audit
show log cgnat
show log level <value> since <value>
show log level <value> since <value> until <value>
show log level <value> until <value>
show log since <value>
show log since <value> until <value>
show log until <value>
clear log |
Protocol Dependent Mappings for SNAT
SNAT maps from an internal source address and ID (where ID can be a port number) to an external address and ID, by allocating these from a given pool. This feature adds support for three separate pools (rather than a single shared pool). One pool will be used for assigning TCP ports, another for assigning UDP ports, and the third one for ICMP and other protocols.
The following commands split out the TCP and UDP ports used.
show nat source statistics
show nat destination statistics
show nat nat64 rules |
Address-group detail
The show command displays the contents of dataplane address-group lists.
The "optimal" allows the user to determine the optimal set of subnets that may be used to represent an address-group.
show address-group ipv4 list
show address-group ipv4 optimal
show address-group ipv6 list
show address-group ipv6 optimal
show address-group name <value>
show address-group name <value> optimal
show address-group optimal |
NETCONF - Rollback support
Rollback is a feature that is currently available on the configuration CLI. The "rollback" command allows reverting the configuration to a previously committed configuration, perhaps to return to a known good configuration, or undo experimental configuration changes. This feature adds new NETCONF RPCs that make the rollback operation available to NETCONF clients.
Configure tech-support archive to exclude command-line history
There may be cases where the customer does not want to include the shell command history in the tech-support archive, as this might contain sensitive information.
generate tech-support archive option exclude-command-history |
copy file improvements
Expanded options for file copy.
copy file routing-instance <value> <value> to <value> skip-host-validation
copy file routing-instance <value> <value> to <value> source-interface <value> skip-host-validation
copy file routing-instance <value> <value> to <value> user <value> password <value> skip-host-validation
copy file routing-instance <value> <value> to <value> user <value> password <value> source-interface <value> skip-host-validation
copy file routing-instance <value> <value> to <value> user <value> skip-host-validation
copy file routing-instance <value> <value> to <value> user <value> source-interface <value> skip-host-validation
copy file <source> to <destination> skip-host-validation
copy file <source> to <destination> source-interface <interface> skip-host-validation
copy file <source> to <destination> user <user> password <password> skip-host-validation
copy file <source> to <destination> user <user> password <password> source-interface <interface> skip-host-validation
copy file <source> to <destination> user <user> skip-host-validation
copy file <source> to <destination> user <user> source-interface <interface> skip-host-validation |
policy route route-map
Following the issue identified in https://danosproject.atlassian.net/browse/DAN-121 the following changes were made:
Removed:
policy route route-map <tagnode> rule <tagnode> match extcommunity exact-match
policy route route-map <tagnode> rule <tagnode> match ip source-protocol bgp
policy route route-map <tagnode> rule <tagnode> match ip source-protocol connected
policy route route-map <tagnode> rule <tagnode> match ip source-protocol kernel
policy route route-map <tagnode> rule <tagnode> match ip source-protocol ospf
policy route route-map <tagnode> rule <tagnode> match ip source-protocol rip
policy route route-map <tagnode> rule <tagnode> match ip source-protocol static
policy route route-map <tagnode> rule <tagnode> match ipv6 nexthop
policy route route-map <tagnode> rule <tagnode> match ipv6 nexthop access-list <value>
policy route route-map <tagnode> rule <tagnode> match ipv6 nexthop prefix-list <value>
policy route route-map <tagnode> rule <tagnode> match ipv6 peer
policy route route-map <tagnode> rule <tagnode> match ipv6 peer access-list <value>
policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol bgp
policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol connected
policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol kernel
policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol ospfv3
policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol ripng
policy route route-map <tagnode> rule <tagnode> match ipv6 source-protocol static
policy route route-map <tagnode> rule <tagnode> set delete-extcommunity <value>
policy route route-map <tagnode> rule <tagnode> set extcommunity rt <value>
policy route route-map <tagnode> rule <tagnode> set level level-1
policy route route-map <tagnode> rule <tagnode> set level level-1-2
policy route route-map <tagnode> rule <tagnode> set level level-2
policy route route-map <tagnode> rule <tagnode> set prepend-as own-as <value>
Added:
policy route route-map <tagnode> rule <tagnode> match source-protocol bgp
policy route route-map <tagnode> rule <tagnode> match source-protocol connected
policy route route-map <tagnode> rule <tagnode> match source-protocol kernel
policy route route-map <tagnode> rule <tagnode> match source-protocol ospf
policy route route-map <tagnode> rule <tagnode> match source-protocol ospfv3
policy route route-map <tagnode> rule <tagnode> match source-protocol rip
policy route route-map <tagnode> rule <tagnode> match source-protocol ripng
policy route route-map <tagnode> rule <tagnode> match source-protocol static |
Reset vpn commands removed
Removed:
reset vpn ipsec-profile <value>
reset vpn ipsec-profile <value> tunnel <value>
reset vpn ipsec-remote-access-client <value>
reset vpn remote-access all
reset vpn remote-access interface <value>
reset vpn remote-access user <value> |
New show commands for bonding members
show interfaces bonding <if-name> members
show interfaces bonding members |
Resolved Security Vulnerabilities
The following security issues are resolved in this release:
CVE-2020-8619, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624: Debian DSA-4752-1 : bind9 - security update
CVE-2018-20346, CVE-2018-20506, CVE-2018-8740, CVE-2019-16168, CVE-2019-20218, CVE-2019-5827, CVE-2019-9936, CVE-2019-9937, CVE-2020-11655, CVE-2020-13434, CVE-2020-13630, CVE-2020-13632, CVE-2020-13871:Debian DLA-2340-1 : sqlite3 security update
CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1 : linux-5.4 new package
[DSA 4746-1] net-snmp security update
CVE-2020-16135: Debian DLA-2303-1 : libssh security update
CVE-2020-12762: Debian DLA-2301-1 : json-c security update
CVE-2019-5188: Debian DLA-2290-1 : e2fsprogs security update
CVE-2020-8177: Debian DLA-2295-1 : curl security update
CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707: Debian DSA-4735-1 : grub2 - security update
[DSA 4733-1] qemu security update
CVE-2019-18348 CVE-2020-8492 CVE-2020-14422: Debian DLA-2280-1 : python3.7 security update
[DSA 4728-1] qemu security update
[DSA 4723-1] xen security update
CVE-2018-19044 / CVE-2018-19045 / CVE-2018-19046: Insecure temporary file usage in keepalived
CVE-2020-3810: Debian DSA-4685-1 : apt - security update
, multiple selections available,
Related content
DANOS 2005 Release Notes
DANOS 2005 Release Notes
More like this
DANOS 2105 Release Notes
DANOS 2105 Release Notes
More like this
Upcoming DANOS 2009 release
Upcoming DANOS 2009 release
More like this
DANOS 2009 released
DANOS 2009 released
More like this
DANOS 2012 released
DANOS 2012 released
More like this
DANOS 2105 released
DANOS 2105 released
More like this