Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

Patch release notes 2005a

Release notes for Vyatta NOS 2005a, released August 12, 2020.

Issues resolved

Issues resolved in release 2005a.

Issue number | Priority | Summary
VRVDR-52505 | Blocker | Coredump triggered by vyatta-dataplane restart in bfd_main_destroy
VRVDR-52459 | Blocker | BFD IPv4 packet punting for hardware sessions does not work with cpp-rate-limiter
VRVDR-52453 | Blocker | IPv4 BFD sessions not updating negotiated tx value after config change
VRVDR-52371 | Blocker | DHCP lease refused
VRVDR-52369 | Blocker | Adding authentication to a running BFD session does not take effect
VRVDR-52363 | Blocker | IPv6 BFD sessions stuck Down if neighbour brings session AdminDown then restarts BFD
VRVDR-52362 | Blocker | Dataplane crash seen when unconfiguring BFD
VRVDR-52344 | Blocker | DSCP marking not done for IPv4 BFD packets generated in hardware
VRVDR-52284 | Blocker | S9500 - 'request hardware-diag version' command missing product name, reporting eeprom error
VRVDR-52278 | Blocker | S9500 - upgrade HW diags to v3.1.10
VRVDR-52223 | Blocker | Applying QoS policy to switchport interface breaks BFD
VRVDR-51981 | Blocker | HW BFD sends control frame with Poll and Final bits both set during session init
VRVDR-51957 | Blocker | Modelled copy command incorrectly enforcing ssh-known-host check in 1912e
VRVDR-51952 | Blocker | Group ownership for non ROOT files got changed to ssh @ 1912e
VRVDR-51937 | Blocker | show interface dataplane dp0xe<x> displays incorrect speed for copper ports when interface is down
VRVDR-51818 | Blocker | PTP: FAL_BCM: Failed to set TOD-In for PTP clock 0: Internal error after reboot/power_cycle
VRVDR-51489 | Blocker | PTP time/phase not locked over IPv6 transport mode
VRVDR-51481 | Blocker | Add support for UfiSpace Apollo NCP1-1 PVT revisions
VRVDR-51465 | Blocker | Restore (opt-out) collection of shell history in tech-support
VRVDR-51311 | Blocker | DAS Switch with 1912b seeing low rate of drops vs 1903m
VRVDR-51303 | Blocker | Hardware-switched traffic goes out untagged over bonding interface contrary to configuration
VRVDR-51185 | Blocker | Link doesn't come up after swapping 1000BASE-T SFP for 1000BASE-X SFP
VRVDR-51152 | Blocker | QoS policy applied via netconf causes commit fail
VRVDR-51066 | Blocker | 1908g performance hit with vCSR VNF scenario in Small, Medium and Large platforms
VRVDR-50939 | Blocker | BFD session retained in admin down state when interface is disabled
VRVDR-50920 | Blocker | SIAD - modelled copy with scp target is operationally unusable
VRVDR-50825 | Blocker | Dataplane crash seen during control-plane policing tests
VRVDR-50687 | Blocker | Garbage counter values shown in BFD output
VRVDR-50627 | Blocker | BFD Auth should be blocked at CLI on SIAD
VRVDR-50517 | Blocker | SIAD: IPv6 Hardware BFD over link-local addresses not coming up correctly
VRVDR-52467 | Critical | BFD V6: Session created in HW with wrong local diag
VRVDR-52418 | Critical | BFD IPv4 session creation fails if the peer sets the Control Plane Independent flag
VRVDR-52413 | Critical | IPv6 BFD session stuck in poll loop when Admin Down after a config change
VRVDR-52409 | Critical | IPv6 BFD Neg Rx/Neg Tx values only update once every 30s
VRVDR-52353 | Critical | BFD session gets stuck in software when new preferred tx interface appears with no neighbor
VRVDR-52249 | Critical | Multi-hop BFD sessions all go down when one nexthop interface is taken down
VRVDR-52243 | Critical | IPv6 BFD sessions not reflecting correct timer values after negotiating a change
VRVDR-52240 | Critical | PTP: With apts profile the following is seen in journalctl Error: /service/ptp/state: Failed to process returned data for (*schema.container)state: Error: /instance-list/0/apts-ds/asymmetry-history: Doesn't match schema
VRVDR-52182 | Critical | Occasional divide-by-zero crash in BFD cleanup
VRVDR-52152 | Critical | PTP: Use monotonic time for semaphores and mutexes
VRVDR-52151 | Critical | Dataplane crash on restart with a HW BFD session configured
VRVDR-52134 | Critical | Crash in BCM libs when cycling BFD config in and out multiple times
VRVDR-52128 | Critical | Exceeding HW BFD platform memory during peer negotiation repeatedly logs errors
VRVDR-52126 | Critical | BFD sessions sometimes failing to program in hardware with tx-gport error
VRVDR-52122 | Critical | Poll bit not set on first control frame for transition from Down to Up
VRVDR-52115 | Critical | Memory use after free when deleting storm control profile
VRVDR-52049 | Critical | monitor interfaces dataplane <int> traffic stops packet on that interface
VRVDR-51989 | Critical | HW BFD allows users to configure more templates than the hardware is capable of using
VRVDR-51946 | Critical | For-us packets dropped when configuring CPP followed by breakout
VRVDR-51860 | Critical | Dataplane crashes with SEGV/FPE signal in BFD cleanup scenario with OSPF/BGP
VRVDR-51825 | Critical | Log flooded with FAL_BCM ... for key bfd messages
VRVDR-51754 | Critical | Readonly account failed to stay in after log on
VRVDR-51748 | Critical | DHCP server assign ipv6 address to directly connected or non-directly interface (via relay) with /128 subnet even though subnet pool is defined in /64 network
VRVDR-51747 | Critical | BFD not tracking trackers properly
VRVDR-51639 | Critical | Response for request hardware-diag version takes much longer with 1912b
VRVDR-51619 | Critical | SIAD ACL: Ensure that rulesets which would exceed the TCAM are rejected
VRVDR-51616 | Critical | Storm Control triggered snmpd warning messages in journal
VRVDR-51554 | Critical | Configuring ingress-map and show map platform ingress crashes dataplane
VRVDR-51522 | Critical | BFD status misreported or even restarted when config is removed
VRVDR-51518 | Critical | Dataplane performance fails for forward pkts when scatter mode driver is used
VRVDR-51480 | Critical | Crash in mdb_db_infos_fec_hierarchy_info_fec_id_range_start_get on failing to init on J2
VRVDR-51455 | Critical | Bad file descriptor (src/epoll.cpp:100) when applying config
VRVDR-51406 | Critical | All traffic dropped for traffic type after removing traffic type from storm control profile
VRVDR-51385 | Critical | Dataplane crash in next_hop_list_find_path_using_ifp
VRVDR-51377 | Critical | Stack overflow after removing a LAG member
VRVDR-51345 | Critical | S9500-30XS: 100G Interface LED lit even when disabled
VRVDR-51344 | Critical | S9500-30XS: 10G Interface LED sometimes lit when interface is disabled
VRVDR-51340 | Critical | IPv6 route is not withdrawn from OSPFv3 database when adv router is rebooted
VRVDR-51330 | Critical | When OAM is not configured, untrapped packets may be treated as trapped
VRVDR-51305 | Critical | VRF-leaking: RIBD crash when delete interface from routing-instance and leaked route to other VRF updated as default type and after config back interface to routing-instance, leaked routes shows as inactive
VRVDR-51298 | Critical | PTP: config parser will not accept expected range of values for log-announce-interval
VRVDR-51295 | Critical | Changing speed on interface resets configured MTU to default
VRVDR-51240 | Critical | OSPFv3 session flap in NSSA area when advertise/withdraw the BGP/connected routes into OSPFv3 via redistribution
VRVDR-51179 | Critical | live-cd installs should not install all unique state
VRVDR-51165 | Critical | monitor dataplane doesn't work
VRVDR-51148 | Critical | S9500 interface flaps when MTU is modified
VRVDR-51135 | Critical | NTP client remains sync'd with server even though source interface has no address
VRVDR-51108 | Critical | QoS - NETCONF Error: /policy/qos/state: An unexpected element is present
VRVDR-51100 | Critical | Dataplane crash in get_switch_dev_info when running "show interfaces extensive"
VRVDR-51099 | Critical | Restarting guest fails with timeout
VRVDR-51072 | Critical | L3 SIAD router not fragmenting packet size above MTU
VRVDR-51067 | Critical | DPDK VIRTIO driver does not support multiple MAC addresses
VRVDR-51042 | Critical | PTP: Dataplane crash occurs during shutdown phase whilst rebooting
VRVDR-50960 | Critical | Vhost tracking does not work after a guest reboot
VRVDR-50956 | Critical | VRRP goes into fault state after reboot
VRVDR-50952 | Critical | VRF DHCPv4: vyatta-service-dhcp-client@dp0X.service failed after config/delete/config
VRVDR-50927 | Critical | show interface data <port> phy not working correctly for Operator class users
VRVDR-50915 | Critical | Error generating /interfaces/backplane-state on SIAD
VRVDR-50874 | Critical | Storm control errors in 1912b
VRVDR-50712 | Critical | Missing monitor dataplane bfd
VRVDR-50688 | Critical | BFD sessions stuck in hardware after unconfigure
VRVDR-50654 | Critical | Display issues in show bfd session detail
VRVDR-50559 | Critical | Error: /vyatta-cpu-history-client: GetState failure: Traceback
VRVDR-50401 | Critical | SIAD: Kernel messages printed to log and serial console when configuring BFD
VRVDR-50399 | Critical | SIAD: BFD session parameters not updated for existing sessions on config change
VRVDR-50359 | Critical | show int dataplane foo phy issues with vendor-rev
VRVDR-50234 | Critical | L2TPv3: Fails to be ping across tunnel using L2TPv3
VRVDR-49231 | Critical | PPPoE Client - Not re-establishing dropped connection automatically
VRVDR-48315 | Critical | Malformed interface names in show ipv6 multicast interface with IPv6 GRE tunnels
VRVDR-52396 | Major | BFD session fails to program in hardware trying to use flood-group as tx-port
VRVDR-52281 | Major | BFD: stats are not thread safe on HW platforms
VRVDR-52279 | Major | BFD stop tx timer only after v4 session in HW
VRVDR-52251 | Major | Remove the BFD router tracker hash table
VRVDR-52232 | Major | Rename FAL_BFD_HW_MODE_CP_INDEPENDENT
VRVDR-52216 | Major | BFD: No update sent to OAMd for remote ADMIN DOWN
VRVDR-52212 | Major | PTP: From power on reset GPS takes a few minutes to become ready
VRVDR-52206 | Major | BFD sessions can update FAL with no changes
VRVDR-52183 | Major | BFD sessions for Static IPv6 clients do not come back after dataplane restart
VRVDR-52165 | Major | BFD not programming h/w multihop correctly
VRVDR-51828 | Major | SIAD ACL: BCM SDK error when deleting ACL configuration
VRVDR-51608 | Major | L2 traffic priority value is getting modified at the egress interface
VRVDR-51519 | Major | PTP slave-only config throws error and doesn't display any clock status
VRVDR-51483 | Major | Removing guest configuration fails with scripting error
VRVDR-51443 | Major | ipv6 router-advert CLI missing on switch VLAN interfaces
VRVDR-51428 | Major | Hardware BFD allows configuring unsupported timer values
VRVDR-51247 | Major | S9500 - missing hw_rev.cfg file
VRVDR-51238 | Major | After broadcast storm, TACACS doesn't recover
VRVDR-51156 | Major | DHCPv4 client accepts duplicate DHCP IP of its static interface
VRVDR-51008 | Major | When the /var/log partition exists journal files from previous installs are retained but not rotated
VRVDR-50787 | Major | Wrong TX port used when multiple routes exist for BFD peer
VRVDR-50655 | Major | vyatta-vrrp syntax error near unexpected token logger
VRVDR-50619 | Major | LACP with VIF - still seeing Slaves not selected in 'balanced' mode
VRVDR-50552 | Major | TACACS daemon is not running even with all TACACS config
VRVDR-50271 | Major | PTP: No display of the current and historic calculated asymmetry value
VRVDR-50188 | Major | PTP: sync and delay_resp pkt rates remain at 0 (from bootup) in "show ptp servo 0"
VRVDR-49836 | Major | IPsec: Fails to be able to ping from tunnel endpoint to tunnel endpoint with ping size 1419 using default mtu with site-2-site. Tunnel MTU discovery not working
VRVDR-49447 | Major | show tech-support still logs /var/log/messages
VRVDR-48438 | Major | LACP causing interface to remain down
VRVDR-46464 | Major | VRRPv3: matching vip mask behaviour change in Dartmouth
VRVDR-52196 | Minor | OAMd BFD dataplane offload debugs not enabled by "log all" configuration
VRVDR-51114 | Minor | Change command not found error for users running in a sandbox
VRVDR-50826 | Minor | Keepalived: No VRRP instance found for packet
VRVDR-50925 | Trivial | Path Monitor logs may include "vrf" prefix in logs

Security vulnerabilities resolved

Security vulnerabilities resolved in release 2005a.

Issue number | CVSS | Advisory | Summary
VRVDR-51236 | 8.6 | DSA-4689-1 | CVE-2019-6477, CVE-2020-8616, CVE-2020-8617: Debian DSA-4689-1 : bind9 - security update
VRVDR-52198 | 7.8 | DSA-4723-1 | CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564, CVE-2020-15565, CVE-2020-15566, CVE-2020-15567: Debian DSA 4723-1: xen security update
VRVDR-51526 | 7.8 | DSA-4699-1 | CVE-2019-19462, CVE-2019-3016, CVE-2020-0543, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-12114, CVE-2020-12464, CVE-2020-12768, CVE-2020-12770, CVE-2020-13143: Debian DSA-4699-1 : linux - security update
VRVDR-51525 | 7.8 | DSA-4698-1 | CVE-2019-2182, CVE-2019-5108, CVE-2019-19319, CVE-2019-19462, CVE-2019-19768, CVE-2019-20806, CVE-2019-20811, CVE-2020-0543, CVE-2020-2732, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-9383, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-10942, CVE-2020-11494, CVE-2020-11565, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-12114, CVE-2020-12464, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12770, CVE-2020-13143: Debian DSA-4698-1: linux – security update
VRVDR-52150 | 7.5 | DSA-4721-1 | CVE-2020-10663, CVE-2020-10933: Debian DSA-4721-1 : ruby2.5 - security update
VRVDR-51849 | 7.5 | N/A | CVE-2018-19044, CVE-2018-19045, CVE-2018-19046: Insecure temporary file usage in keepalived
VRVDR-51494 | 7.4 | DSA-4697-1 | CVE-2020-13777: Debian DSA-4697-1 : gnutls28 - security update
VRVDR-50530 | 7.1 | DSA-4647-1 | CVE-2020-0556: Debian DSA-4647-1 : bluez - security update
VRVDR-52273 | 6.7 | DSA-4728-1 | CVE-2020-10756, CVE-2020-13361, CVE-2020-13362, CVE-2020-13754, CVE-2020-13659: Debian DSA 4728-1: qemu security update
VRVDR-51054 | 6.7 | DSA-4688-1 | CVE-2020-10722, CVE-2020-10723, CVE-2020-10724: Debian DSA-4688-1 : dpdk - security update
VRVDR-52261 | 6.5 | DSA-4726-1 | CVE-2019-17006, CVE-2019-17023, CVE-2020-12399, CVE-2020-12402: Debian DSA 4726-1: nss security update
VRVDR-51142 | 5.5 | DSA-4685-1 | CVE-2020-3810: Debian DSA-4685-1 : apt - security update
VRVDR-52197 | N/A | N/A | Privilege escalation in reset ipv6 neighbors / reset ip arp commands
VRVDR-46681 | N/A | N/A | ssh-known-hosts exposes hostname or IP addresses of remote-peers in plaintext, should be hashed
VRVDR-44891 | N/A | N/A | opd does not escape input properly when completing commands

New L3 ACL commands

Release 2005a adds some additional matches for the security ip-packet-filter command.

Source or destination port number, for TCP, UDP, UDP-Lite, DCCP, or SCTP

security ip-packet-filter group <group-name> rule <number> match destination port number <value>
security ip-packet-filter group <group-name> rule <number> match source port number <value>

DSCP, by name or by value

security ip-packet-filter group <group-name> rule <number> match dscp name (af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|af|va)
security ip-packet-filter group <group-name> rule <number> match dscp value <value>

TTL, a value of 1 or 255

security ip-packet-filter group <group-name> rule <number> match ttl equals <value>

IPv6 base and final fragment

security ip-packet-filter group <group-name> rule <number> match protocol base name ipv6-frag
security ip-packet-filter group <group-name> rule <number> match protocol final name ipv6-frag

ICMP type

  • ICMP type, and optionally code, for IPv4 and ICMPv6.
  • Matching by named combination of type and possibly code, by numeric type alone, or by numeric type and code.
  • For ICMPv6, matching on a class: error, or info (that is, non-error).

security ip-packet-filter group <group-name> rule <number> match icmp name required-option-missing
security ip-packet-filter group <group-name> rule <number> match icmp name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmp name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmp name source-quench
security ip-packet-filter group <group-name> rule <number> match icmp name source-route-failed
security ip-packet-filter group <group-name> rule <number> match icmp name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-reply
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-request
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number> code <value>
security ip-packet-filter group <group-name> rule <number> match icmpv6 class error
security ip-packet-filter group <group-name> rule <number> match icmpv6 class info
security ip-packet-filter group <group-name> rule <number> match icmpv6 name address-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name bad-header
security ip-packet-filter group <group-name> rule <number> match icmpv6 name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmpv6 name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-request
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-done
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-query
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-report
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name no-route
security ip-packet-filter group <group-name> rule <number> match icmpv6 name packet-too-big
security ip-packet-filter group <group-name> rule <number> match icmpv6 name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmpv6 name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name redirect
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-header-type
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-option
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number> code <value>
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-reply
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-request
security ip-packet-filter group <group-name> rule <number> match icmp name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmp name echo-request
security ip-packet-filter group <group-name> rule <number> match icmp name fragmentation-needed
security ip-packet-filter group <group-name> rule <number> match icmp name host-precedence-violation
security ip-packet-filter group <group-name> rule <number> match icmp name host-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name host-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name ip-header-bad
security ip-packet-filter group <group-name> rule <number> match icmp name network-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name network-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmp name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name precedence-cutoff
security ip-packet-filter group <group-name> rule <number> match icmp name protocol-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name redirect