DANOS 2012 Release Notes

Overview

Welcome to the 2012 (December 2020) version of DANOS.

The DANOS 2012 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 1911 version of DPDK, and the 7.4 version of FRR.

show version

    user@danos2012:~$ show version
    Version:      2012
    Description:  DANOS 2012 (DANOS:Shipping:2012:20210114)
    Built on:     Thu Jan 14 12:43:42 UTC 2021

Important changes

User Isolation

From DANOS 2012 onwards, users at the "operator" and "admin" levels are by default logged into a restricted, isolated environment. This environment uses separate IPC, network, mount, PID, and UTS namespaces, so that these users can interact with the underlying system only via the DANOS operational and configuration infrastructure.

For example, the "ip" utility is not installed in the restricted environment. Even if it were, the separate namespaces would prevent access to, or manipulation of, state of the underlying host system.

Users of the "superuser" level are not placed in an isolated environment. These users should observe no behaviour changes compared to earlier DANOS releases.

We strongly recommend keeping user isolation enabled to improve system security. However, it may be disabled via the configuration:

    system login user-isolation disable

BGP behaviour changes

RFC 8212

By default, DANOS 2012 will no longer advertise routes to, or import routes from, eBGP peers unless import and export policies are configured. This default behaviour change is inherited from FRR 7.4 and defined by RFC 8212.

The value "(Policy)" in the output of the BGP summary show command(s) indicates that route import and/or export has been blocked due to a missing policy. For example:

    $ show protocols bgp all summary

    IPv4 Unicast Summary:
    BGP router identifier 192.168.252.179, local AS number 65000 vrf-id 0
    BGP table version 3
    RIB entries 5, using 960 bytes of memory
    Peers 1, using 21 KiB of memory

    Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
    10.10.2.2       4      65001       8      10        0    0    0 00:04:17     (Policy) (Policy)

    Total number of neighbors 1

Import/export policies can be applied on a neighbor or peer-group basis under the corresponding address-family configuration:

    [routing routing-instance <name>] protocols bgp <asn> <peer-group-or-neighbor> address-family <af> distribute-list (import|export) <text>
    [routing routing-instance <name>] protocols bgp <asn> <peer-group-or-neighbor> address-family <af> filter-list (import|export) <text>
    [routing routing-instance <name>] protocols bgp <asn> <peer-group-or-neighbor> address-family <af> prefix-list (import|export) <text>

Alternatively, the RFC 8212 behaviour can be reverted (to that of previous DANOS/FRR releases) by setting "ebgp-requires-policy" to "disabled":

    [routing routing-instance <instance-name>] protocols bgp <asn> parameters ebgp-requires-policy (enabled|disabled)
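A worked example of the import and export policy needed to bring the peer shown in the summary output above out of the "(Policy)" state, while leaving the RFC 8212 default in place. This is an added illustration, not configuration from the release notes: it assumes the Vyatta-style "policy route prefix-list" definition path and the "ipv4-unicast" address-family keyword, and the prefixes 203.0.113.0/24 and 198.51.100.0/24 are constructed.

```text
# Constructed example (not from the release notes).
# Each list permits only the routes this router expects in that direction;
# anything not permitted is implicitly denied by the prefix-list.
set policy route prefix-list PEER65001-IN rule 10 action permit
set policy route prefix-list PEER65001-IN rule 10 prefix 203.0.113.0/24
set policy route prefix-list PEER65001-OUT rule 10 action permit
set policy route prefix-list PEER65001-OUT rule 10 prefix 198.51.100.0/24

# The eBGP neighbor from the summary output (AS 65001), with an explicit
# policy in both directions, which is what RFC 8212 requires.
set protocols bgp 65000 neighbor 10.10.2.2 remote-as 65001
set protocols bgp 65000 neighbor 10.10.2.2 address-family ipv4-unicast prefix-list import PEER65001-IN
set protocols bgp 65000 neighbor 10.10.2.2 address-family ipv4-unicast prefix-list export PEER65001-OUT
commit
```

After the commit, "show protocols bgp all summary" should report prefix counts in the State/PfxRcd and PfxSnt columns instead of "(Policy)"; adding explicit lists like these keeps the RFC 8212 protection, whereas setting ebgp-requires-policy to disabled removes it for every eBGP peer.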

Network Advertisement

By default, DANOS 2012 will no longer advertise routes which are not present in the RIB. This default behaviour change is inherited from FRR 7.4.

This behaviour can be reverted by setting "import-check" to "disabled":

    [routing routing-instance <instance-name>] protocols bgp <asn> parameters network import-check (enabled|disabled)

Reminder about the default username and password

The default LiveCD and ONIE image username and password changed in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.

As part of the installation process, the user has to enter a username and password manually. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.

New Features

Enhancements to RSTP and spanning tree

The following configuration options have been added:

    interfaces bonding <tagnode> switch-group admin-edge
    interfaces bonding <tagnode> switch-group auto-edge
    interfaces bonding <tagnode> switch-group bpdu-filter
    interfaces bonding <tagnode> switch-group bpdu-guard
    interfaces bonding <tagnode> switch-group cost <value>
    interfaces bonding <tagnode> switch-group cost auto
    interfaces bonding <tagnode> switch-group network-port
    interfaces bonding <tagnode> switch-group point-to-point auto
    interfaces bonding <tagnode> switch-group point-to-point off
    interfaces bonding <tagnode> switch-group point-to-point on
    interfaces bonding <tagnode> switch-group priority <value>
    interfaces bonding <tagnode> switch-group pvst-filter
    interfaces bonding <tagnode> switch-group pvst-guard
    interfaces bonding <tagnode> switch-group restrict-tcn
    interfaces bonding <tagnode> switch-group root-block

which do the following:

    admin-edge      Enable Spanning Tree admin edge mode
    auto-edge       Enable Spanning Tree automatic admin edge detection
    bpdu-filter     Enable the Spanning Tree BPDU filter capability
    bpdu-guard      Enable Spanning Tree BPDU guard
    cost            Spanning Tree port cost
    network-port    Enable Spanning Tree uni-directional link detection
    point-to-point  Set point-to-point operational status
    priority        Spanning Tree port priority (0 is highest priority)
    pvst-filter     Enable the Spanning Tree PVST filter capability
    pvst-guard      Enable the Spanning Tree PVST guard capability
    restrict-tcn    Restrict propagation of Spanning Tree topology change notifications
    root-block      Restrict ports ability to take Spanning Tree root role

L3 ingress and egress stateless ACLs

L3 ingress and egress stateless ACLs operate at the start and end of the packet path. They are different from the current stateless firewall rules because:

  1. The firewall is always stateful, even when only stateless rules exist.

    1. The firewall always reassembles fragments, which entails maintaining state.

    2. The firewall always attempts to match a packet against state entries, before it consults the ruleset.

  2. Reassembly can be triggered by the presence of a firewall, NAT, or PBR.

  3. By default, the presence of NAT state impacts firewall behaviour (firewall always attempts state lookup). This behaviour can be modified with the stateful firewall override functionality defined below.

  4. The firewall can never block router originated packets (which is desired for these L3 ACLs).

The filter action affects only L3 packets that are L3 processed; an L3 packet that is L2 forwarded between links in a VLAN, for example, is not affected by this feature.

The L3 ingress/egress counters can be cleared and accessed using the following command hierarchies. See below for the full set of options.

    clear security ip-packet-filter statistics
    show security ip-packet-filter statistics

So why use L3 ingress/egress ACLs?

  • Ingress ACLs are processed very early in the packet path, so the performance of drop actions will be superior compared to stateless firewall rules.

  • Egress ACLs can block router originated traffic.

  • Ingress and Egress ACLs can be expressed in named groups, making the construction and documentation of complex rules simpler.

    security ip-packet-filter group <group-name> counters
    security ip-packet-filter group <group-name> counters count packets
    security ip-packet-filter group <group-name> counters sharing per-interface
    security ip-packet-filter group <group-name> counters type
    security ip-packet-filter group <group-name> counters type auto-per-action
    security ip-packet-filter group <group-name> counters type auto-per-action action accept
    security ip-packet-filter group <group-name> counters type auto-per-action action drop
    security ip-packet-filter group <group-name> counters type auto-per-rule
    security ip-packet-filter group <group-name> description <value>
    security ip-packet-filter group <group-name> ip-version ipv4
    security ip-packet-filter group <group-name> ip-version ipv6
    security ip-packet-filter group <group-name> rule <number> action accept
    security ip-packet-filter group <group-name> rule <number> action drop
    security ip-packet-filter group <group-name> rule <number> description <value>
    security ip-packet-filter group <group-name> rule <number> disable
    security ip-packet-filter group <group-name> rule <number> match destination ipv4 host <value>
    security ip-packet-filter group <group-name> rule <number> match destination ipv4 prefix <value>
    security ip-packet-filter group <group-name> rule <number> match destination ipv6 host <value>
    security ip-packet-filter group <group-name> rule <number> match destination ipv6 prefix <value>
    security ip-packet-filter group <group-name> rule <number> match destination port number <value>
    security ip-packet-filter group <group-name> rule <number> match dscp name [ af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 ]
    security ip-packet-filter group <group-name> rule <number> match dscp name [ cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | va ]
    security ip-packet-filter group <group-name> rule <number> match dscp value <value>
    security ip-packet-filter group <group-name> rule <number> match fragment any
    security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-redirect
    security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-redirect
    security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-reply
    security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-request
    security ip-packet-filter group <group-name> rule <number> match icmp name communication-prohibited
    security ip-packet-filter group <group-name> rule <number> match icmp name destination-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmp name echo-reply
    security ip-packet-filter group <group-name> rule <number> match icmp name echo-request
    security ip-packet-filter group <group-name> rule <number> match icmp name fragmentation-needed
    security ip-packet-filter group <group-name> rule <number> match icmp name host-precedence-violation
    security ip-packet-filter group <group-name> rule <number> match icmp name host-prohibited
    security ip-packet-filter group <group-name> rule <number> match icmp name host-redirect
    security ip-packet-filter group <group-name> rule <number> match icmp name host-unknown
    security ip-packet-filter group <group-name> rule <number> match icmp name host-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmp name ip-header-bad
    security ip-packet-filter group <group-name> rule <number> match icmp name network-prohibited
    security ip-packet-filter group <group-name> rule <number> match icmp name network-redirect
    security ip-packet-filter group <group-name> rule <number> match icmp name network-unknown
    security ip-packet-filter group <group-name> rule <number> match icmp name network-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmp name parameter-problem
    security ip-packet-filter group <group-name> rule <number> match icmp name port-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmp name precedence-cutoff
    security ip-packet-filter group <group-name> rule <number> match icmp name protocol-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmp name redirect
    security ip-packet-filter group <group-name> rule <number> match icmp name required-option-missing
    security ip-packet-filter group <group-name> rule <number> match icmp name router-advertisement
    security ip-packet-filter group <group-name> rule <number> match icmp name router-solicitation
    security ip-packet-filter group <group-name> rule <number> match icmp name source-quench
    security ip-packet-filter group <group-name> rule <number> match icmp name source-route-failed
    security ip-packet-filter group <group-name> rule <number> match icmp name time-exceeded
    security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-reply
    security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-request
    security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-reassembly
    security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-transit
    security ip-packet-filter group <group-name> rule <number> match icmp type <type-number>
    security ip-packet-filter group <group-name> rule <number> match icmp type <type-number> code <value>
    security ip-packet-filter group <group-name> rule <number> match icmpv6 class error
    security ip-packet-filter group <group-name> rule <number> match icmpv6 class info
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name address-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name bad-header
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name communication-prohibited
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name destination-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-reply
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-request
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-advertisement
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-solicitation
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-done
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-query
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-report
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-advertisement
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-solicitation
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name no-route
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name packet-too-big
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name parameter-problem
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name port-unreachable
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name redirect
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-advertisement
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-solicitation
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name time-exceeded
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-reassembly
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-transit
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-header-type
    security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-option
    security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number>
    security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number> code <value>
    security ip-packet-filter group <group-name> rule <number> match protocol base name [ dccp | esp | gre | icmp | igmp | ipv6-frag | ipv6-icmp | sctp | tcp | udp | updlite ]
    security ip-packet-filter group <group-name> rule <number> match protocol base number <value>
    security ip-packet-filter group <group-name> rule <number> match protocol final name [ dccp | esp | gre | icmp | igmp | ipv6-frag | ipv6-icmp | sctp | tcp | udp | updlite ]
    security ip-packet-filter group <group-name> rule <number> match protocol final number <value>
    security ip-packet-filter group <group-name> rule <number> match source ipv4 host <value>
    security ip-packet-filter group <group-name> rule <number> match source ipv4 prefix <value>
    security ip-packet-filter group <group-name> rule <number> match source ipv6 host <value>
    security ip-packet-filter group <group-name> rule <number> match source ipv6 prefix <value>
    security ip-packet-filter group <group-name> rule <number> match source port number <value>
    security ip-packet-filter group <group-name> rule <number> match ttl equals <value>
    security ip-packet-filter interface <interface-name>
    security ip-packet-filter interface <interface-name> in <value>
    security ip-packet-filter interface <interface-name> out <value>
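An added example, not from the release notes, showing how the options above combine into named groups: an ingress group that drops fragments and a constructed source prefix before any stateful processing, and an egress group that drops ICMP redirects the router itself originates (something the stateless firewall cannot do, as noted above). The interface name dp0p1s1 and the prefix 192.0.2.0/24 are constructed, and the example assumes that a rule with no match clause matches every packet.

```text
# Constructed example (not from the release notes).
# Ingress: early drops, counted per rule so that hits are visible.
set security ip-packet-filter group EDGE-IN ip-version ipv4
set security ip-packet-filter group EDGE-IN counters type auto-per-rule
set security ip-packet-filter group EDGE-IN rule 10 description "drop all fragments"
set security ip-packet-filter group EDGE-IN rule 10 match fragment any
set security ip-packet-filter group EDGE-IN rule 10 action drop
set security ip-packet-filter group EDGE-IN rule 20 description "constructed unroutable source prefix"
set security ip-packet-filter group EDGE-IN rule 20 match source ipv4 prefix 192.0.2.0/24
set security ip-packet-filter group EDGE-IN rule 20 action drop
set security ip-packet-filter group EDGE-IN rule 30 description "accept everything else (assumes no-match rule matches all)"
set security ip-packet-filter group EDGE-IN rule 30 action accept

# Egress: block router-originated ICMP redirects leaving this interface,
# counting only the drops.
set security ip-packet-filter group EDGE-OUT ip-version ipv4
set security ip-packet-filter group EDGE-OUT counters type auto-per-action action drop
set security ip-packet-filter group EDGE-OUT rule 10 match protocol base name icmp
set security ip-packet-filter group EDGE-OUT rule 10 match icmp name redirect
set security ip-packet-filter group EDGE-OUT rule 10 action drop
set security ip-packet-filter group EDGE-OUT rule 20 action accept

# Bind the groups to one dataplane interface in each direction.
set security ip-packet-filter interface dp0p1s1 in EDGE-IN
set security ip-packet-filter interface dp0p1s1 out EDGE-OUT
commit
```

"show security ip-packet-filter statistics interface dp0p1s1" then reports the per-rule counters for EDGE-IN and the drop counter for EDGE-OUT, and "clear security ip-packet-filter statistics interface dp0p1s1" resets them.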

BGP enhancements

Some default BGP behaviours have changed in DANOS 2012 (inherited from FRR 7.4). These changes can be reversed by applying the configuration below. Please see the "Important Changes" section at the top of the document for further details.

    protocols bgp <tagnode> parameters ebgp-requires-policy disabled
    protocols bgp <tagnode> parameters ebgp-requires-policy enabled
    protocols bgp <tagnode> parameters network import-check disabled
    protocols bgp <tagnode> parameters network import-check enabled
    routing routing-instance <instance-name> protocols bgp <tagnode> parameters ebgp-requires-policy disabled
    routing routing-instance <instance-name> protocols bgp <tagnode> parameters ebgp-requires-policy enabled
    routing routing-instance <instance-name> protocols bgp <tagnode> parameters network import-check disabled
    routing routing-instance <instance-name> protocols bgp <tagnode> parameters network import-check enabled

IS-IS enhancements

Additional IS-IS functionality has been exposed in the DANOS configuration. Thanks to Niral Networks for their contributions here.

IPv6 Support

    interfaces dataplane <tagnode> ipv6 isis instance <value>
    interfaces dataplane <tagnode> vif <tagnode> ipv6 isis instance <value>
    interfaces loopback <tagnode> ipv6 isis instance <value>

Topologies

    interfaces dataplane <tagnode> isis topology ipv4-mgmt
    interfaces dataplane <tagnode> isis topology ipv4-multicast
    interfaces dataplane <tagnode> isis topology ipv4-unicast
    interfaces dataplane <tagnode> isis topology ipv6-dstsrc
    interfaces dataplane <tagnode> isis topology ipv6-mgmt
    interfaces dataplane <tagnode> isis topology ipv6-multicast
    interfaces dataplane <tagnode> isis topology ipv6-unicast
    interfaces loopback <tagnode> isis topology ipv4-mgmt
    interfaces loopback <tagnode> isis topology ipv4-multicast
    interfaces loopback <tagnode> isis topology ipv4-unicast
    interfaces loopback <tagnode> isis topology ipv6-dstsrc
    interfaces loopback <tagnode> isis topology ipv6-mgmt
    interfaces loopback <tagnode> isis topology ipv6-multicast
    interfaces loopback <tagnode> isis topology ipv6-unicast
    protocols isis <area-tag> topology ipv4-mgmt
    protocols isis <area-tag> topology ipv4-mgmt overload
    protocols isis <area-tag> topology ipv4-multicast
    protocols isis <area-tag> topology ipv4-multicast overload
    protocols isis <area-tag> topology ipv4-unicast
    protocols isis <area-tag> topology ipv4-unicast overload
    protocols isis <area-tag> topology ipv6-dstsrc
    protocols isis <area-tag> topology ipv6-dstsrc overload
    protocols isis <area-tag> topology ipv6-mgmt
    protocols isis <area-tag> topology ipv6-mgmt overload
    protocols isis <area-tag> topology ipv6-multicast
    protocols isis <area-tag> topology ipv6-multicast overload
    protocols isis <area-tag> topology ipv6-unicast
    protocols isis <area-tag> topology ipv6-unicast overload

Switch VIF Support

    interfaces switch <name> vif <tagnode> ip isis instance <value>
    interfaces switch <name> vif <tagnode> ipv6 isis instance <value>
    interfaces switch <name> vif <tagnode> isis circuit-type level-1
    interfaces switch <name> vif <tagnode> isis circuit-type level-1-2
    interfaces switch <name> vif <tagnode> isis circuit-type level-2-only
    interfaces switch <name> vif <tagnode> isis hello-interval level-1 <value>
    interfaces switch <name> vif <tagnode> isis hello-interval level-2 <value>
    interfaces switch <name> vif <tagnode> isis metric level-1 <value>
    interfaces switch <name> vif <tagnode> isis metric level-2 <value>
    interfaces switch <name> vif <tagnode> isis network point-to-point
    interfaces switch <name> vif <tagnode> isis passive
    interfaces switch <name> vif <tagnode> isis password
    interfaces switch <name> vif <tagnode> isis password clear <value>
    interfaces switch <name> vif <tagnode> isis password md5 <value>
    interfaces switch <name> vif <tagnode> isis priority level-1 <value>
    interfaces switch <name> vif <tagnode> isis priority level-2 <value>
    interfaces switch <name> vif <tagnode> isis topology ipv4-mgmt
    interfaces switch <name> vif <tagnode> isis topology ipv4-multicast
    interfaces switch <name> vif <tagnode> isis topology ipv4-unicast
    interfaces switch <name> vif <tagnode> isis topology ipv6-dstsrc
    interfaces switch <name> vif <tagnode> isis topology ipv6-mgmt
    interfaces switch <name> vif <tagnode> isis topology ipv6-multicast
    interfaces switch <name> vif <tagnode> isis topology ipv6-unicast

Traffic Engineering

    protocols isis <area-tag> mpls-te
    protocols isis <area-tag> mpls-te router-address <value>

Stateful firewall override

This feature allows SNAT/DNAT rules to be configured so that they do not automatically install a pinhole for return traffic matching the NAT sessions. This means a user can have a firewall configuration that affects traffic matching a NAT session.

    service nat destination explicit-firewall-pinhole
    service nat destination rule <tagnode> firewall-pinhole
    service nat source explicit-firewall-pinhole
    service nat source rule <tagnode> firewall-pinhole

User isolation in a restricted environment

Please see the "Important Changes" section at the top of this document for an overview of the user isolation functionality.

User isolation may be disabled using the command below.

    system login user-isolation disable

With user isolation enabled, the underlying system's directories are not accessible to operator and admin-level users. This is a problem for admin-level users who need to retain files across system reboots and upgrades.

The shared-storage configuration can define virtual storage mounted on directories accessible to the isolated operator and admin-level users. At the time of configuration, these directories must be empty. Users should log out from all of their login sessions for these configurations to take effect.

These shared directories are created as a virtual filesystem backed by a file in the underlying file system. The filename is derived from the shared directory name.

    system login user-isolation shared-storage <path>
    system login user-isolation shared-storage <path> allow-exec
    system login user-isolation shared-storage <path> size <value>

The following configuration allows isolated users read-only access to directories via the "copy file" and "show file" operational mode commands.

    system login user-isolation read-only-directory <value>

Storage block device configuration

Scheduler

I/O schedulers attempt to improve throughput by reordering request access into a linear order based on the logical addresses of the data and trying to group these together. While this may increase overall throughput, it may lead to some I/O requests waiting for too long, causing latency issues. I/O schedulers attempt to balance the need for high throughput while sharing I/O requests amongst processes fairly.

Configuration is now provided to allow particular schedulers to be used for the block devices attached to the system.

    system storage block-device <name> scheduler deadline
    system storage block-device <name> scheduler none

To view scheduler information for the block devices attached to the system, use the following new operational mode command:

    show system storage block-device

Periodic TRIM

fstrim is used on a mounted filesystem to discard (or "trim") blocks which are not in use by the filesystem. This is useful for solid-state drives (SSDs) and thinly-provisioned storage. By default, fstrim will discard all unused blocks in the filesystem.

Configuration is now provided to enable periodic trimming of the filesystem.

    system storage block-device <name> discard-unused-blocks
    system storage block-device <name> discard-unused-blocks repeat-interval daily
    system storage block-device <name> discard-unused-blocks repeat-interval hourly
    system storage block-device <name> discard-unused-blocks repeat-interval monthly
    system storage block-device <name> discard-unused-blocks repeat-interval weekly
    system storage block-device <name> discard-unused-blocks start-time <value>

A TRIM operation can also be run on-demand, using the following new operational mode command:

    clear block-device <block-device-name | all> unused-blocks

TACACS+

Command Accounting Start Records

When enabled, a TACACS+ command accounting record containing a start_time attribute is issued before a modelled NOS command is executed.

    system tacplus-options accounting command-start-records

In addition, command accounting stop records now also include the corresponding start_time attribute. This happens regardless of whether "command-start-records" has been enabled.

Debug Logs

TACACS+ debugging logs are no longer emitted by default in DANOS 2012. Use the configuration below to re-enable the logs.

    system tacplus-options log debug

Offline Timer

Use this command to define the minimum period during which the system will not perform any TACACS+ transactions following failure.

The offline period is triggered following a failure to connect to all TACACS+ servers. This can be due to failed connection attempts, to every configured server having an active hold-down timer at the time a connection is attempted, or to a combination of the two.

When the running offline timer expires, the system will once again attempt to perform TACACS+ transactions. In most cases, the TACACS+ login provider will request a connection check immediately after the timer expires. If this succeeds, the local fallback user login is once again locked (if TACACS+ login is enforced via the auth-chain configuration). Otherwise, the failure causes the offline timer to be restarted, and the TACACS+ component enters offline mode again.

    system tacplus-options offline-timer <value>

The global offline timer, and all per-server hold-down timers, may be reset with the operational mode command below:

    reset system tacplus suppression-timers

Disable Server

Use this command to prevent the use of a given TACACS+ server for any TACACS+ transaction.

A server which has been disabled will not appear in the output of the "show system tacplus status" operational mode command.

    system login tacplus-server <tagnode> disable
    routing routing-instance <instance-name> system login tacplus-server <tagnode> disable

Global Server Parameters

Use this command to define the TCP port used for communications with all configured TACACS+ servers.

The value configured here can be overridden on a per-server basis using the existing "system login tacplus-server <address> port <port>" configuration.

    system tacplus-options server port <value>

Use this command to define the secret key used to obfuscate communications with all configured TACACS+ servers.

The value configured here can be overridden on a per-server basis using the existing "system login tacplus-server <address> secret <key>" configuration.

    system tacplus-options server secret <value>

Use this command to define the timeout to be used for communications with all configured TACACS+ servers.

The value configured here can be overridden on a per-server basis using the existing "system login tacplus-server <address> timeout <timeout>" configuration.

Long timeouts should generally not be used, to avoid sluggish system response for users.

If long timeouts are used, it is strongly recommended to use hold-down timers and/or the offline-timer.

    system tacplus-options server timeout <value>

Obsolete features

VRRP transition scripts

Support for custom VRRP transition scripts has been removed from this release. Transition scripts are a security issue and have been replaced with notify and DBus signals.

    interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
    interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
    interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
    interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value>
    interfaces bonding <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
    interfaces bonding <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
    interfaces bonding <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
    interfaces bonding <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value>
    interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
    interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
    interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
    interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value>
    interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
    interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
    interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
    interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value>
    interfaces switch <name> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
    interfaces switch <name> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
    interfaces switch <name> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
    interfaces switch <name> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value>

Operational command changes

Dataplane sessions

These commands complement the existing show session table commands, and in the future may replace them.

It is now possible to clear sessions based on the source address/port, destination address/port, translation address/port, direction, interface, protocol and feature (alg, application, dnat, firewall, nat46, nat64, other, snat).

The show commands allow sorting of the output using the "ascending" and "descending" options. Filtering of the output can be done by source address/port, destination address/port, translation address/port, direction, interface, protocol and feature (alg, application, dnat, firewall, nat46, nat64, other, snat).

Note that CGNAT does not use "dataplane" sessions. The separate "clear cgnat session" and "show cgnat session" commands should be used instead.

    clear dataplane session
    clear dataplane session destination address <value>
    clear dataplane session destination port <value>
    clear dataplane session direction in
    clear dataplane session direction out
    clear dataplane session feature [ alg | application | dnat | firewall | nat46 | nat64 | other | snat ]
    clear dataplane session id <value>
    clear dataplane session interface <value>
    clear dataplane session ip
    clear dataplane session ip6
    clear dataplane session protocol <value>
    clear dataplane session source address <value>
    clear dataplane session source port <value>
    clear dataplane session translation address <value>
    clear dataplane session translation port <value>
    show dataplane session
    show dataplane session ascending destination-address
    show dataplane session ascending id
    show dataplane session ascending source-address
    show dataplane session ascending timeout
    show dataplane session ascending translation-address
    show dataplane session brief
    show dataplane session count <value>
    show dataplane session descending destination-address
    show dataplane session descending id
    show dataplane session descending source-address
    show dataplane session descending timeout
    show dataplane session descending translation-address
    show dataplane session destination address <value>
    show dataplane session destination port <value>
    show dataplane session detail
    show dataplane session direction in
    show dataplane session direction out
    show dataplane session feature [ alg | application | dnat | firewall | nat46 | nat64 | other | snat ]
    show dataplane session id <value>
    show dataplane session interface <value>
    show dataplane session ip
    show dataplane session ip6
    show dataplane session protocol <value>
    show dataplane session source address <value>
    show dataplane session source port <value>
    show dataplane session starting-with address <value>
    show dataplane session starting-with id <value>
    show dataplane session starting-with timeout <value>
    show dataplane session summary
    show dataplane session translation address <value>
    show dataplane session translation port <value>
    show dataplane session unordered

L3 ingress and egress stateless ACLs

The following commands allow the viewing and clearing of the L3 ingress/egress stateless ACLs.

    clear security ip-packet-filter statistics interface <if-name>
    clear security ip-packet-filter statistics interface <if-name> direction [ in | out ]
    clear security ip-packet-filter statistics interface <if-name> direction [ in | out ] group <group-name>
    show security ip-packet-filter statistics action [ accept | drop | punt | reject ]
    show security ip-packet-filter statistics direction [ in | out ]
    show security ip-packet-filter statistics group <group-name>
    show security ip-packet-filter statistics group <group-name> rule <rule-number>
    show security ip-packet-filter statistics interface <if-name>

VRRP

The "group" keyword has been removed from the "show vrrp sync-group" command.

    show vrrp sync-group group <value>
    show vrrp sync-group <sync-group-name>

Resolved Security Vulnerabilities

The following security issues are resolved in this release:

  • CVE-2020-27670, CVE-2020-27671, CVE-2020-27672, CVE-2020-27674, CVE-2020-28368: Debian DSA-4804-1: xen security update

  • CVE-2020-28196: Debian DSA-4795-1: krb5 security update

  • CVE-2020-25709, CVE-2020-25710: Debian DSA-4792-1: openldap security update

  • CVE-2020-25692: Debian DSA-4782-1: openldap security update

  • CVE-2020-15180: Debian DSA-4776-1: mariadb-10.3 security update

  • CVE-2020-25595, CVE-2020-25596, CVE-2020-25597, CVE-2020-25599, CVE-2020-25600, CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604: Debian DSA-4769-1: xen security update

  • CVE-2019-3874, CVE-2019-19448, CVE-2019-19813, CVE-2019-19816, CVE-2020-10781, CVE-2020-12888, CVE-2020-14314, CVE-2020-14331, CVE-2020-14356, CVE-2020-14385, CVE-2020-14386, CVE-2020-14390, CVE-2020-16166, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25641, CVE-2020-26088: Debian DLA-2385-1: linux-4.19 LTS security update

  • CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1: linux-5.4 new package