Vyatta is pleased to announce the release of Vyatta Community Edition 3 (code named Dublin). Updated packages have been released to the Vyatta Community main repository. An ISO CD-ROM image and a new VMware virtual appliance are available from the Vyatta web site. Both will be available at SourceForge shortly.

This code is release quality and is suitable for those wanting to run
the latest set of features. We appreciate all bug reports that anybody
can provide, either directly to Bugzilla (bugzilla.vyatta.com) or to
the vyatta-users mailing list.

DOCUMENTATION
=============

New documentation for VC3, including release notes, can be found on the
Vyatta web site at:

    http://www.vyatta.com/documentation/

We suggest that everybody review at least the release notes before
upgrading.

UPGRADING
=========

The system may be upgraded from Release VC2.x to Release VC3 using an
ordinary package upgrade. The URL for updating to Release VC3 code is
http://archive.vyatta.com/vyatta/. The repository is “community”. The
component is “main”, as in the following configuration example:

    package {
        repository community {
            component: "main"
            url: "http://archive.vyatta.com/vyatta"
        }
    }

To update the community edition, issue the following commands:

    apt-get update
    apt-get -y install vc-base full-upgrade

FILING BUGS
===========

If you find a bug in this release, please file a bug on Bugzilla and/or
report it to the vyatta-users mailing list. More information about the
mailing lists and Bugzilla can be found here:

    http://www.vyatta.com/community/mailing.php
    http://www.vyatta.com/twiki/bin/view/Community/BugDatabase

NEW IN THIS RELEASE
===================

* Multilink Point-to-Point Protocol support.
  This release introduces support for multilink Point-to-Point Protocol
  (MLPPP) bundling as described in RFC 1990. MLPPP allows you to group
  PPP interfaces, typically on T1 or E1 lines into a single virtual
  link, resulting in greater performance than a single low-speed link
  but lower cost than a high-speed link.

* IPsec VPN clustering.
  IPsec VPN can now be configured in a cluster. Clustering can be used
  as a failover mechanism to provide high availability for
  mission-critical services. The cluster monitors the nodes providing
  the IPsec VPN tunnel at a designated address.
  If the system detects that the node has failed, or that the link to
  the node has failed, the system migrates both the VPN tunnel and the
  IP addresses to a backup node. Failover is currently supported
  between two nodes: a primary node and a secondary node.

* Enhanced serial interface support.
  Serial interface support has been improved in a number of ways.
  Additions include:
    * Ability to add a description to a serial link.
    * Authentication for PPP-encapsulated interfaces. Connections can
      be authenticated by password, user ID, or system name, and the
      PAP, CHAP, MS-CHAP, MS-CHAP v.2 and EAP authentication protocols
      are supported.
    * LCP echo support for PPP-encapsulated interfaces.
    * Configurable Maximum Transmission Unit (MTU) and Maximum Receive
      Unit (MRU) for T1- and E1-encapsulated interfaces.
    * Ability to specify external or internal clock for T1- and
      E1-encapsulated interfaces.
    * Support for the Frame Relay t392 (polling verification timer) LMI
      signaling option.
    * Inverse ARP support on Frame Relay permanent virtual circuits
      (PVCs).
    * Additional options for the “show interfaces serial” command,
      including an option to provide trace-level logging or raw frames
      for a serial interface.
    * Redesigned the output of the “show interface serial” command to
      increase clarity and consistency.

* Improvements to Firewall.
  Many improvements and enhancements have been added to firewall
  support in Release VC3:
    * Negated values can now be specified for the following fields:
      "protocol," source/destination "address," and source/destination
      "network." This allows exclusion of addresses and networks. For
      example, the rule
      “set firewall name TEST rule 1 source network !192.168.0.0/24”
      will match packets whose source address is NOT in the
      192.168.0.0/24 network.
    * The “show firewall” command now displays information for all
      user-defined firewall rule sets. Previous releases allowed
      viewing only one firewall rule set at a time.
    * A description can now be configured for each firewall rule, such
      as "Allow inbound SSH traffic."
    * The “show firewall,” “show firewall <name>,” and
      “show firewall <name> rule <num>” commands now display the source
      ports and destination ports, if they have been set.
    * Each firewall rule can now support multiple source and
      destination “port-number” and “port-name” values within a single
      firewall rule. In addition, the “port-name” option now allows any
      port names defined in the file /etc/services. This ability was
      previously only available for NAT rules.
    * The "protocol" field for firewall rules now allows any protocol
      number or name listed in the file /etc/protocols. This ability
      was previously only available for NAT rules.
    * A firewall rule can now filter traffic by source MAC address
      using the “mac-address” option. The “mac-address” option also
      allows the negation operator, so that specific MAC addresses can
      be filtered. For example,
      “set firewall name FW1 rule 10 source mac-address !01:02:03:AA:BB:CC”
      will match any packets whose source MAC address is NOT
      01:02:03:AA:BB:CC.

* NAT address and network exclusion.
  Negated values can now be specified for the following fields:
  "protocol," source/destination "address," and source/destination
  "network." This allows, for example, VPN traffic to be excluded from
  NATting. For example, the rule
  “set service nat name TEST rule 1 source network !192.168.0.0/24”
  will match packets whose source address is NOT in the 192.168.0.0/24
  network.

* New filtering options for “show bgp” commands.
  A number of filtering options have been added to the
  “show bgp neighbor-routes” and “show bgp peers” commands. In
  addition, the output of these commands has been slightly redesigned
  for more clarity.

* Ability to save support information to file.
  A “save” option has been added to the “show tech-support” command to
  allow system information to be saved in a user-specified file.

* Auto-synchronization to package repository.
  The “auto-sync” option has been added to the “system package”
  configuration node. This option allows you to direct the system to
  update the repository cache at a defined interval, specified in days.

* Ability to prevent the reboot on kernel panic.
  A “reboot-on panic” option has been added to the “system” statement
  to direct the system not to reboot if a kernel panic occurs. This
  allows you to inspect system information to determine what caused the
  panic.

* Bug fixes.
  Over 100 issues have been resolved with Release VC3. A summary list
  of fixed bugs is provided in the release notes, available from the
  documentation download page:

      http://www.vyatta.com/documentation/index.php

BEHAVIOR CHANGES
================

Release VC3 includes the following behavior changes:

* The “service http” configuration option has been changed to
  “service webgui” to better reflect its function, which is to provide
  access to the Vyatta web GUI.

* The default random number device for generating RSA signatures has
  been changed. In previous releases, the default random number device
  was /dev/urandom. Starting with Release VC3, the default random
  number device is /dev/random. The /dev/random device generates random
  numbers using system entropy, which is more secure, but slower, than
  /dev/urandom, which is a software-based random number generator.

  Be aware that the system generates random numbers during install and
  upgrade. When the system is installing or upgrading, the system is
  generating little entropy; therefore, using /dev/random as the random
  number generator may cause the system to become unavailable during
  install or upgrade for as long as 30 to 60 minutes. For more
  information, please see the “IPsec VPN” chapter of the Vyatta OFR
  Configuration Guide, in the section about generating RSA keys for
  IPsec VPN.

Enjoy!

-- Dave

_______________________________________________
Vyatta-users mailing list
[email protected]
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
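
The negation operator described under "Improvements to Firewall" above, modelled in Python as an added example; it is not part of the announcement and is not Vyatta code. It parses the two firewall commands quoted in the notes and evaluates them against constructed packets; the grammar, the function names, the packet dictionaries and the case-insensitive MAC comparison are assumptions made for illustration.

```python
import ipaddress
import re

# The two firewall commands quoted in the release notes above.
COMMANDS = [
    "set firewall name TEST rule 1 source network !192.168.0.0/24",
    "set firewall name FW1 rule 10 source mac-address !01:02:03:AA:BB:CC",
]

# Hypothetical grammar covering only the match fields used in this example.
PATTERN = re.compile(
    r"set firewall name (\S+) rule (\d+) (source|destination) "
    r"(network|address|mac-address) (!?)(\S+)$"
)

def parse(command):
    """Split one 'set firewall ...' line into its match criterion."""
    m = PATTERN.match(command.strip())
    if not m:
        raise ValueError(f"unsupported command: {command!r}")
    ruleset, number, side, field, bang, value = m.groups()
    if field == "mac-address" and side != "source":
        raise ValueError("the notes describe mac-address for source only")
    return {"ruleset": ruleset, "rule": int(number), "side": side,
            "field": field, "negated": bang == "!", "value": value}

def matches(rule, packet):
    """Return True if the packet satisfies the rule's single criterion."""
    if rule["field"] == "mac-address":
        # Assumption: MAC addresses compare case-insensitively.
        hit = packet["source_mac"].lower() == rule["value"].lower()
    else:
        addr = ipaddress.ip_address(packet[rule["side"] + "_address"])
        if rule["field"] == "network":
            hit = addr in ipaddress.ip_network(rule["value"])
        else:
            hit = addr == ipaddress.ip_address(rule["value"])
    # A leading "!" inverts the comparison: the rule matches everything else.
    return hit != rule["negated"]

if __name__ == "__main__":
    net_rule, mac_rule = (parse(c) for c in COMMANDS)
    # Constructed packets: inside the /24, the adjacent /24, and two MACs.
    for src in ("192.168.0.77", "192.168.1.77"):
        print(src, matches(net_rule, {"source_address": src}))
    for mac in ("01:02:03:aa:bb:cc", "01:02:03:AA:BB:CD"):
        print(mac, matches(mac_rule, {"source_mac": mac}))
```

Because a negated criterion matches every value except the one named, check which action such a rule carries before applying it.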
