TNSR 18.08 Release Notes

About This Release

Authentication & Access Control

  • Added support for NETCONF Access Control Model (NACM) management.

    NACM provides group-based controls that selectively allow command access for users. Users are authenticated by other means (e.g. RESTCONF certificate or user authentication, or the CLI user) and are then mapped to groups based on username.

  • Added default configurations for NACM for different platforms [891]

    These default rules allow members of the group admin to have unlimited access and set the default values to deny. They include the users tnsr and root in the group admin.

    Warning

    TNSR does not prevent a user from changing the rules in a way that would cut off all access.
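    The following is an added illustration of the NACM model described above, not TNSR code: group membership is looked up by username, the first matching rule in an applicable rule-list decides, anything unmatched falls through to the default (deny), and a lockout check flags a rule change that leaves no user with access. The rule and group shapes are a simplified assumption, not TNSR's actual NACM configuration format.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str      # "permit" or "deny"
    ops: str = "*"   # "*" or comma list such as "read,exec"; "write" stands for create/update/delete
    path: str = "*"  # "*" or a path prefix the request must start with

@dataclass
class RuleList:
    name: str
    groups: list     # group names (or "*") this rule-list applies to
    rules: list = field(default_factory=list)

@dataclass
class Nacm:
    groups: dict                  # group name -> list of usernames
    rule_lists: list
    default_action: str = "deny"  # the TNSR default configuration sets defaults to deny

def groups_for(nacm, user):
    """Map an already-authenticated username to its NACM groups."""
    return [g for g, users in nacm.groups.items() if user in users]

def check_access(nacm, user, op, path="/"):
    """'permit' or 'deny' for user doing op on path: the first matching rule in
    the first applicable rule-list wins, otherwise the default action applies."""
    user_groups = set(groups_for(nacm, user))
    for rl in nacm.rule_lists:
        if "*" not in rl.groups and user_groups.isdisjoint(rl.groups):
            continue
        for r in rl.rules:
            op_ok = r.ops == "*" or op in r.ops.split(",")
            path_ok = r.path == "*" or path.startswith(r.path)
            if op_ok and path_ok:
                return r.action
    return nacm.default_action

def would_lock_out(nacm, op="write"):
    """True when no known user retains op access at all: the lockout the
    warning above says TNSR will not stop an administrator from configuring."""
    users = {u for members in nacm.groups.values() for u in members}
    return all(check_access(nacm, u, op) == "deny" for u in users)

# Constructed to mirror the default described above: admin = tnsr and root, everything else denied.
DEFAULT = Nacm(groups={"admin": ["tnsr", "root"], "ops": ["alice"]},
               rule_lists=[RuleList("admin-rules", ["admin"], [Rule("permit-all", "permit")])])
# Constructed: an edit that swaps the admin permit for a deny cuts every user off.
LOCKED = Nacm(groups=DEFAULT.groups, rule_lists=[RuleList("admin-rules", ["admin"], [Rule("deny-all", "deny")])])
```

Running would_lock_out against a candidate ruleset before applying it is the kind of check the warning implies TNSR itself does not perform.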

  • Changed password management to allow changing passwords for users in the host OS as well as for TNSR users [1091]

BGP

  • Added explicit sequence numbering to BGP AS Path statements to support multiple patterns in a single AS Path [898]
  • Added show bgp network A.B.C.D command to display detailed information about BGP routes [922]

CLI

  • Added enable and disable commands to be used in favor of no shutdown/shutdown [938]
  • Fixed CLI issues with data encoding that could lead to XML Parsing errors [887]

DHCP

  • Improved support and control for DHCP server (Kea) management [490, 738, 1037, 1045]
  • Added explicit enable/disable for DHCP Server daemon [1053]
  • Added logging support to the DHCP Server [907]

DNS Resolver

  • Added support for management of a DNS Resolver (Unbound) [492, 1072, 1093, 1094]

Hardware & Installation

  • Added support for installation on Xeon D, C3000 SoCs [961]
  • Added configuration packages for Netgate hardware that can run TNSR [1056]
  • Fixed a Layer 2 connectivity issue with certain Intel 10G fiber configurations due to a timeout waiting for link [509]

IPsec

  • Added QAT cryptographic acceleration for IPsec [912, 940]

    This acceleration works with QAT CPIC cards as well as C62X, C3XXX, and D15XX QAT devices.

  • Fixed an issue where an IPsec Child SA would disappear after an IKEv1 Security Association re-authenticates [628]

NAT

  • Fixed creating a NAT pool for custom route tables in the CLI [1055]

  • Fixed handling of the NAT reassembly timeout value [1000]

  • Added support for output feature NAT [867, 897]

  • Fixed an error when changing static NAT command boolean properties [703]

  • Addressed NAT issues which prevented the TNSR host OS network services from working on nat outside interfaces [616]

    This can only work in endpoint-dependent NAT mode, which can be enabled as follows:

    dataplane nat endpoint-dependent
    service dataplane restart

    This may become the default NAT mode in future TNSR releases [1079]

NTP

  • Added support for NTP server (ntp.org) management [847, 939, 948, 952]

PKI (Certificates)

  • Added support to the PKI CLI for managing certificate authority (CA) entries as well as certificate signing [930]

RESTCONF

  • Added commands for RESTCONF management and authentication (HTTP server, nginx) [933]

  • Added support to RESTCONF for certificate-based authentication [937]

    When using certificates to authenticate, the common name (CN) part of the subject is used as the username.

  • Added PAM support for HTTP authentication to the HTTP server [934]

Known Limitations

Authentication & Access Control

  • Unable to delete a user from the CLI after TNSR services restart [1067]

BGP

  • With the redistribute connected option, TNSR does not send BGP updates until the service is restarted [746]

  • Route with aggregate-address via next-hop 0.0.0.0 does not appear in TNSR route table [832]

  • BGP sessions may fail to establish or rapidly reconnect when receiving more prefixes than defined by maximum-prefix limit [858]

  • The maximum-prefix restart command does not work [859]

  • TNSR installs multiple paths for received routes even though support for multiple paths is not enabled [885]

  • Unable to restart BGP service more than three times in a row [902]

    Workaround: Run systemctl reset-failed frr from the shell to clear the error, which will allow the BGP service to start again.

  • Changing update-source from an IP address to loop1 allows a session to establish but remote prefixes do not appear in the FIB until reboot [1104]

Bridge

  • TNSR CLI allows multiple bridge interfaces to have bvi set [984]

    Only the first interface set with bvi will work properly.

    Workaround: Only set bvi on a single interface.

CLI

  • Applied dataplane commands are not immediately present in the running configuration database until another change is made [1099]

  • The candidate configuration database cannot be emptied with the clear command [1066]

  • show route table causes the backend to die with large numbers of routes in the table [506]

    For example, this crash happens with a full BGP feed.

RESTCONF

  • nginx does not behave as expected with authentication type none [1086]

    This mode is primarily for testing and not production use.

    Workaround: Use password or certificate-based authentication for RESTCONF.

Interfaces

  • Interface link speed displayed incorrectly in CLI and RESTCONF [672]
  • Loopback interface responds to ICMP echo from an outside host even when in a Down state [850]

NAT

  • Unable to create a twice-nat pool [972] or twice-nat not working [1023]

    twice-nat can only work in endpoint-dependent NAT mode, which can be enabled as follows:

    dataplane nat endpoint-dependent
    service dataplane restart
  • Unable to create out-to-in-only static mapping [976]

    out-to-in-only can only work in endpoint-dependent NAT mode, which can be enabled as follows:

    dataplane nat endpoint-dependent
    service dataplane restart
  • NAT Reassembly is not working for ICMP packets [990]

  • Fragment limitation for NAT reassembly is not working [1065]

  • NAT mode is not deleted from VPP startup configuration after TNSR services restart [1017]

  • NAT forwarding is not working for in2out direction [1039]

  • NAT static mappings are not added as expected when only the port-local value differs [1100]

  • NAT static mapping with defined ports leads to clixon-backend crash after restart [1103]

VLAN/Subinterfaces

  • Daemons such as Kea and ntpd do not correctly form configuration file references to subinterface names [1150]
  • A VPP issue is preventing clients on subinterface networks from receiving return traffic that passes through TNSR [1152]
    • These clients can communicate to TNSR, but not to hosts on other interfaces or subinterfaces.
    • Other interface types work properly.

Reporting Issues

For issues, please contact the Netgate Support staff.