DANOS 2009 Release Notes
- 1 Overview
- 1.1 show version
- 2 Important changes
- 3 New Features
- 3.1 Integration of ntop's nDPI engine into the match criteria for firewall rules
- 3.2 User-defined applications
- 3.3 Intermediate System to Intermediate System (IS-IS) routing protocol
- 3.4 Originate firewall
- 3.5 Enhanced observability into the behaviour of the stateless/stateful firewall, zone-based firewall, local firewall, NAT and NAT64
- 3.6 Logging Enhancements
- 3.7 Protocol Dependent Mappings for SNAT
- 3.8 Address-group detail
- 3.9 NETCONF - Rollback support
- 3.10 Configure tech-support archive to exclude command-line history
- 3.11 copy file improvements
- 3.12 policy route route-map
- 3.13 Reset vpn commands removed
- 3.14 New show commands for bonding members
- 4 Resolved Security Vulnerabilities
Overview
Welcome to the 2009 (September 2020) version of DANOS.
The DANOS 2009 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 19.11 version of DPDK, and the 7.3.1 version of FRR.
show version
user@danos2009:~$ show version
Version: 2009
Description: DANOS 2009 (DANOS:Shipping:2009:20200923)
Built on: Mon Oct 12 10:47:04 UTC 2020
System type: Intel 64bit
Boot via: image
Hypervisor: KVM
HW model: Bochs
HW S/N: Not Specified
HW UUID: dba075fa-259e-499d-99b5-83cf71e8b767
Uptime: 13:39:04 up 2 min, 1 user, load average: 1.64, 0.47, 0.16 |
Important changes
Reminder about the default username and password
The default LiveCD and ONIE image username and password change in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.
As part of the installation process, the user has to manually enter a username and password. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.
New Features
Integration of ntop's nDPI engine into the match criteria for firewall rules
Full details about this feature can be found at https://danosproject.atlassian.net/wiki/spaces/DAN/pages/544243713
resources group application-group <group-name> description <value>
resources group application-group <group-name> engine ndpi name <name>
resources group application-group <group-name> engine ndpi protocol <protocol>
resources group application-group <group-name> engine ndpi type <type>
security application firewall name <ruleset-name>
security application firewall name <ruleset-name> description <value>
security application firewall name <ruleset-name> no-match-action accept
security application firewall name <ruleset-name> no-match-action drop
security application firewall name <ruleset-name> rule <rule-number>
security application firewall name <ruleset-name> rule <rule-number> action accept
security application firewall name <ruleset-name> rule <rule-number> action drop
security application firewall name <ruleset-name> rule <rule-number> description <value>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi
security application firewall name <ruleset-name> rule <rule-number> engine ndpi name <application-name>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol <application-protocol>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi type <application-type>
security firewall name <ruleset-name> rule <tagnode> session application firewall <value>
show application engine ndpi name <value>
show application engine ndpi type <value> |
User-defined applications
User-defined applications can be defined using L3 / L4 rules. These user-defined applications can then be integrated into "security application firewall" and "resources group application-group" configurations.
service application rule <rule-number>
service application rule <rule-number> description <value>
service application rule <rule-number> destination address <value>
service application rule <rule-number> destination mac-address <value>
service application rule <rule-number> destination port <value>
service application rule <rule-number> disable
service application rule <rule-number> dscp [ af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 ]
service application rule <rule-number> dscp [ cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | va ]
service application rule <rule-number> dscp-group <value>
service application rule <rule-number> ethertype <value>
service application rule <rule-number> icmp
service application rule <rule-number> icmp group <value>
service application rule <rule-number> icmp name [ TOS-host-redirect | TOS-host-unreachable | TOS-network-redirect | TOS-network-unreachable ]
service application rule <rule-number> icmp name [ address-mask-reply | address-mask-request | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmp name [ echo-reply | echo-request | fragmentation-needed | host-precedence-violation | host-prohibited ]
service application rule <rule-number> icmp name [ host-redirect | host-unknown | host-unreachable | ip-header-bad | network-prohibited ]
service application rule <rule-number> icmp name [ network-redirect | network-unknown | network-unreachable | parameter-problem ]
service application rule <rule-number> icmp name [ port-unreachable | precedence-cutoff | protocol-unreachable | redirect ]
service application rule <rule-number> icmp name [required-option-missing | router-advertisement | router-solicitation | source-quench ]
service application rule <rule-number> icmp name [ source-route-failed | time-exceeded | timestamp-reply | timestamp-request ]
service application rule <rule-number> icmp name [ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmp type <type-number>
service application rule <rule-number> icmp type <type-number> code <value>
service application rule <rule-number> icmpv6
service application rule <rule-number> icmpv6 group <value>
service application rule <rule-number> icmpv6 name [ address-unreachable | bad-header | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmpv6 name [ echo-reply | echo-request | mobile-prefix-advertisement | mobile-prefix-solicitation ]
service application rule <rule-number> icmpv6 name [ multicast-listener-done | multicast-listener-query | multicast-listener-report ]
service application rule <rule-number> icmpv6 name [ neighbor-advertisement | neighbor-solicitation | no-route | packet-too-big ]
service application rule <rule-number> icmpv6 name [ parameter-problem | port-unreachable | redirect | router-advertisement ]
service application rule <rule-number> icmpv6 name [ router-solicitation | time-exceeded | ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmpv6 name [ unknown-header-type | unknown-option ]
service application rule <rule-number> icmpv6 type <type-number>
service application rule <rule-number> icmpv6 type <type-number> code <value>
service application rule <rule-number> ipv6-route
service application rule <rule-number> ipv6-route type <value>
service application rule <rule-number> log
service application rule <rule-number> pcp <value>
service application rule <rule-number> protocol <value>
service application rule <rule-number> protocol-group <value>
service application rule <rule-number> source address <value>
service application rule <rule-number> source mac-address <value>
service application rule <rule-number> source port <value>
service application rule <rule-number> tcp
service application rule <rule-number> tcp flags <value>
service application rule <rule-number> then name <value>
service application rule <rule-number> then protocol <value>
service application rule <rule-number> then type <type-value>
security application firewall name <ruleset-name> rule <rule-number> group <application-group-name>
security application firewall name <ruleset-name> rule <rule-number> engine user
security application firewall name <ruleset-name> rule <rule-number> engine user name <value>
security application firewall name <ruleset-name> rule <rule-number> engine user protocol <value>
security application firewall name <ruleset-name> rule <rule-number> engine user type <value>
resources group application-group <group-name> engine user name <name>
resources group application-group <group-name> engine user protocol <protocol>
resources group application-group <group-name> engine user type <type> |
Intermediate System to Intermediate System (IS-IS) routing protocol
Operational commands are in this hierarchy:
Originate firewall
The "originate" firewall allow the filtering of all router originated traffic.
Enhanced observability into the behaviour of the stateless/stateful firewall, zone-based firewall, local firewall, NAT and NAT64
Logging Enhancements
This feature provides the ability to filter 'show log' output based on time, clear stored system logs, and to configure the amount of storage used for the system logs.
Protocol Dependent Mappings for SNAT
SNAT maps from an internal source address and ID (where ID can be a port number) to an external address and ID, by allocating these from a given pool. This feature adds support for three separate pools (rather than a single shared pool). One pool will be used for assigning TCP ports, another for assigning UDP ports, and the third one for ICMP and other protocols.
The following commands split out the TCP and UDP ports used.
Address-group detail
The show command displays the contents of dataplane address-group lists.
The "optimal" allows the user to determine the optimal set of subnets that may be used to represent an address-group.
NETCONF - Rollback support
Rollback is a feature that is currently available on the configuration CLI. The "rollback" command allows reverting the configuration to a previously committed configuration, perhaps to return to a known good configuration, or undo experimental configuration changes. This feature adds new NETCONF RPCs that make the rollback operation available to NETCONF clients.
Configure tech-support archive to exclude command-line history
There may be cases where the customer does not want to include the shell command history in the tech-support archive, as this might contain sensitive information.
copy file improvements
Expanded options for file copy.
policy route route-map
Following the issue identified in https://danosproject.atlassian.net/browse/DAN-121 the following changes were made:
Reset vpn commands removed
New show commands for bonding members
Resolved Security Vulnerabilities
The following security issues are resolved in this release:
CVE-2020-8619, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624: Debian DSA-4752-1 : bind9 - security update
CVE-2018-20346, CVE-2018-20506, CVE-2018-8740, CVE-2019-16168, CVE-2019-20218, CVE-2019-5827, CVE-2019-9936, CVE-2019-9937, CVE-2020-11655, CVE-2020-13434, CVE-2020-13630, CVE-2020-13632, CVE-2020-13871:Debian DLA-2340-1 : sqlite3 security update
CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1 : linux-5.4 new package
[DSA 4746-1] net-snmp security update
CVE-2020-16135: Debian DLA-2303-1 : libssh security update
CVE-2020-12762: Debian DLA-2301-1 : json-c security update
CVE-2019-5188: Debian DLA-2290-1 : e2fsprogs security update
CVE-2020-8177: Debian DLA-2295-1 : curl security update
CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707: Debian DSA-4735-1 : grub2 - security update
[DSA 4733-1] qemu security update
CVE-2019-18348 CVE-2020-8492 CVE-2020-14422: Debian DLA-2280-1 : python3.7 security update
[DSA 4728-1] qemu security update
[DSA 4723-1] xen security update
CVE-2018-19044 / CVE-2018-19045 / CVE-2018-19046: Insecure temporary file usage in keepalived
CVE-2020-3810: Debian DSA-4685-1 : apt - security update