Patch release notes 2012c
Vyatta NOS patch release notes 2012c.
Released May 7, 2021
Issues resolved
Issues resolved in 2012c.
Issue number | Priority | Summary |
---|---|---|
VRVDR-54952 | Critical | Dataplane crashes when ipsec with vti interface is configured for IPv4/IPv6 |
VRVDR-54916 | Critical | Dataplane crash on rte_cryptodev_sym_session_init |
VRVDR-54821 | Critical | Removing DSCP egress-map from sub-intf and then parent interface results in a crash in the dataplane |
VRVDR-54636 | Critical | Missing CLI to configure the Egress-map for dscp marking. |
VRVDR-54431 | Critical | Dataplane crashes when deleting appFW |
VRVDR-54417 | Critical | show vpn ipsec sa calls are spuriously empty |
VRVDR-54365 | Critical | PCP remarking does not work when configuring dscp ->designation value->pcp mark using mark-map cli |
VRVDR-53825 | Critical | QoS egress DSCP remark map on native router parent dataplane port does not apply to sub-ports with VIF |
VRVDR-54900 | Major | Constant attempts to revive old duplicate CHILD_SA are causing re-key flood and occasional traffic drop. |
VRVDR-54860 | Major | IPsec: VPN Tunnel is going down after rebooting the device |
VRVDR-54839 | Major | DUT doesn't establish BGP Connection until the DUT is rebooted |
VRVDR-54765 | Major | ALG session may cause dataplane crash when cleared |
VRVDR-54710 | Major | BMC Timed Out from VNOS |
VRVDR-54707 | Major | [L3 egress ACL][Q-AX] FAL failure when ACL rules contain complex tree of overlapping IPv6 prefixes |
VRVDR-54628 | Major | DSCP marking is not working when using the egress map CLI |
VRVDR-54586 | Major | Dataplane crash in connection sync on closing TCP session |
VRVDR-54517 | Major | IPsec RA VPN client: don't ignore failing ike-sa-daemon D-Bus calls |
VRVDR-54515 | Major | Incorrect failure handling of IPsec control-, data- and user-plane interaction / hardening failure resilience |
VRVDR-54090 | Major | Netconf Copy-Config allows the same source and target datastore to be set |
VRVDR-53833 | Major | Handle multiple errors in configd: session/load.go merge_tree() |
VRVDR-53403 | Major | LSR in "ordered" LDP distribution mode continues to advertise FEC with no valid downstream binding |
VRVDR-50667 | Major | IPv6 PIM RPF fails to resolve PIM neighbour LL address |
VRVDR-52831 | Minor | IPSec with dead-peer detection no longer shows tunnels on "Down" state |
Security vulnerabilities resolved
Security vulnerabilities resolved in 2012c.
Issue number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-54877 | 7.8 | CVE-2021-26933, CVE-2021-27379: Debian DSA-4888-1: xen security update | |
VRVDR-54720 | 7.8 | CVE-2020-35523, CVE-2020-35524: Debian DSA-4869-1 : tiff - security update | |
VRVDR-54832 | 7.5 | CVE-2020-8169, CVE-2020-8177, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2021-22876, CVE-2021-22890: Debian DSA-4881-1 : curl - security update | |
VRVDR-54840 | 6.5 | CVE-2020-10730, CVE-2020-27840, CVE-2021-20277: Debian DSA-4884-1 : ldb - security update | |
VRVDR-54807 | 6.1 | CVE-2021-28957: Debian DLA-2606-1 : lxml security update | |
DSCP Remarking
Adds support for remarking of DSCP values in the transmitted routed traffic according to an egress mapping.
This mapping is based on the incoming DSCP value carried in a packet. The incoming DSCP is classified into one of the pre-configured DSCP groups, and the egress map allows an outgoing DSCP value to be set in the packet for each of the DSCP groups.
DSCP remarking enables the maintenance of QoS parameters in the network even if they are lost in the interim nodes of the network. In such cases, the QoS parameters can be reintroduced by applying appropriate policies and remarking the transmitted packets with the correct DSCP values.
This feature handles the egress mapping based on the incoming DSCP, and assumes a uniform view of the DSCP on all incoming interfaces.
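The classification and remarking steps described above, modelled on an IPv4 header as an added example (not Vyatta code and not part of the original release notes). The group names, DSCP values and addresses are constructed, and leaving unmatched packets unchanged and preserving the ECN bits are assumptions of this model.

```python
import struct

# Constructed sample policy (assumption): DSCP groups classify the incoming
# DSCP, and the egress map assigns one outgoing DSCP per group, mirroring
#   set policy egress-map <name> dscp-group <group-name> dscp <value>
DSCP_GROUPS = {"voice": {46}, "bulk": {8, 10, 12, 14}}
EGRESS_MAP = {"voice": 46, "bulk": 0}

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(dscp: int, ecn: int = 0) -> bytes:
    """Constructed 20-byte IPv4/UDP header, 192.0.2.1 -> 198.51.100.7."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr)

def dscp_of(header: bytes) -> int:
    """DSCP is the upper six bits of the second header byte."""
    return header[1] >> 2

def remark(header: bytes) -> bytes:
    """Classify by incoming DSCP group, then write the mapped outgoing DSCP."""
    hdr = bytearray(header)
    dscp_in, ecn = hdr[1] >> 2, hdr[1] & 0x03
    group = next((g for g, v in DSCP_GROUPS.items() if dscp_in in v), None)
    if group is None or group not in EGRESS_MAP:
        return header                  # assumption: no match, no remark
    dscp_out = EGRESS_MAP[group]
    if not 0 <= dscp_out <= 63:
        raise ValueError("DSCP must be in 0..63")
    hdr[1] = (dscp_out << 2) | ecn     # keep the two ECN bits intact
    hdr[10:12] = b"\x00\x00"           # zero the old checksum, then recompute
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    for dscp in (46, 10, 20):
        print(dscp, "->", dscp_of(remark(build_header(dscp))))
```

A header with a valid checksum sums to zero under `checksum()`, which is a quick way to confirm that a remarked packet was rewritten consistently.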
Updated operational mode commands
show policy qos egress-maps
Shows all egress maps downloaded to the dataplane. No output will be shown when the egress map configuration is not attached to any interface.
show policy qos <interface-name> egress-map
Shows the egress map used in the dataplane.
show policy qos <interface-name> map platform egress
Shows the egress map used in the platform hardware.
Updated configuration mode commands
set policy egress-map <name> dscp-group <group-name> dscp <value>
Provides the supported range of DSCP values that can be associated with the incoming DSCP matching a DSCP group.
- name: an alphanumeric string specifying the name of the egress map.
- dscp-group: the name of an existing DSCP group by which packets are classified according to DSCP value. Packets containing a DSCP matching this DSCP group are set with the specified outgoing DSCP value.
- dscp <value>: the DSCP value (0..63) to be remarked in the transmitted packet for the corresponding DSCP group.