TNSR 19.05 Release Notes
About This Release
General
Added support for QAT C62x crypto devices [1718]
Added service management RPCs to data model [1715]
ACL
Fixed creating an ACL using only a description [1558]
Fixed creating an empty ACL [1735]
Fixed creating an ACL rule with a destination port [1796]
BGP
IPv6 BGP neighbors get entered as peer-groups only in bgpd.conf [1190]
Removed deprecated neighbor <peer> interface <if> BGP command [2113]
Restructured BGP address family configuration to accommodate IPv4 and IPv6 [2049]
Removed option to create a new neighbor inside address family mode [2194]
Removed route-map set metric options for +/- rtt and +/- metric as they were not supported as users expected in FRR [2191]
CLI
[no] shutdown style syntax has been removed. Use enable and disable, or no enable [1652]
Fixed paging issues in output that could lead to incorrect or missing output after certain actions taken with multi-page output (e.g. pressing q or Enter at a More prompt) [1774, 1773]
The CLI now stores command history between sessions (Command History) [514, 1949]
Standardized commands to enable coredumps for services, and added support for coredumps from ike, unbound, http, and ntp (Diagnosing Service Issues) [1831]
Fixed ping so it can work with IPv6 source addresses [2004]
Improved CLI performance when working with large lists [2127]
Increased timeout for package commands to allow longer processes to finish completely, such as upgrades [1768]
Dataplane
Fixed writing default values to the dataplane configuration when no dataplane options are set in the configuration [1982]
Fixed dataplane crashes when using NAT with forwarding enabled with certain packet combinations when the protocol is not ICMP, TCP, or UDP [1998]
Mellanox support: Added option to disable multi-segment buffers in the dataplane [2022]
Fixed an error when configuring a dataplane crypto device without first configuring the UIO driver [1812]
Added worker thread and core affinity options [1675]
Added an option to set custom interface names for dataplane interfaces [2062]
Added commands to configure dataplane statistics segment options [2199]
DHCP
The DHCP server can now function when an interface is configured as a DHCP client [1801]
DHCP server no longer uses link-local interface IP addresses (169.254.0.x) as a source address for DHCP packets or as a DHCP Server Identifier [1222]
Removed incorrect references to the netgate-interface module from the DHCP server CLI specification API paths [1810]
Removed redundant ipv4 forms of DHCP-related commands [1557]
Host ACLs
Added support for Host ACLs to control traffic to host OS interfaces using nftables [1651]
HTTP Server / RESTCONF
nginx now behaves as expected with authentication type none and TLS [1086]
Warning: This mode is intended only for testing, not production use.
Fixed RESTCONF get of /restconf/data/ so it properly returns state data [1534]
Installer
Improved consistency in post-install login procedures across all TNSR platforms [2013]
Fixed installation issues on hardware that has an eMMC device, such as the Netgate 5100 [2048]
Fixed the default NACM configuration when installing from ISO [2133]
Added Infiniband/rdma packages to the default installation [2201]
Interfaces
An interface can now be deleted if it has had an ACL or MACIP applied [1177, 1178]
MACIP ACLs no longer remain in the interface configuration after being removed [1179]
Bond interfaces in LACP mode no longer send LACPDUs when configured for passive mode [1614]
VLAN tag rewrite settings have been relocated to interfaces, as they do not require a subinterface [1344]
VXLAN validation now properly reflects that a VXLAN entry requires a VNI [1821]
GRE and VXLAN now create interfaces on the host [1999]
Fixed display of link speeds for 40G and 100G interfaces [1867]
Removed unused “Admin status” field from state information for host interfaces [1864]
Fixed interface counters for Mellanox interfaces [2039]
Fixed interface counters for IPsec interfaces [2075]
VLAN tag-rewrite attributes are now included in show interface output [1654]
Changed show interfaces to output interfaces in a consistent order [2046]
Fixed a problem with neighbor location (ARP/NA) when VLAN tags are present [1326]
Fixed default handling of VMXNET3 interfaces [1703]
IPsec
Added support for the 3DES encryption algorithm in IPsec proposals [1444]
NACM
NACM now supports all access operations and module restrictions (Managing NACM Rules) [1809]
The method to manually disable NACM has changed. Regaining Access if Locked Out by NACM has been updated to reflect the new method [1750, 1752]
NAT
DS-Lite B4 endpoint is now shown in the output of show dslite [1625]
NAT sessions may now be queried with show nat sessions [verbose] (View NAT Sessions) [975, 1456]
Fixed issues with NAT and multiple worker threads [1844]
NAT mode deletion is now properly respected in VPP startup configuration after TNSR services restart [1017]
Fixed incorrect NAT static mappings being added when a new rule differed from an existing rule only by the port-local value [1100]
Known Limitations
Updates
The UIO drivers may not be present in the correct directory after a kernel upgrade. Since the UIO drivers are kernel-specific, they must be rebuilt after any change in the kernel [2216]
To work around this issue, force a reinstall of the DPDK package which will rebuild the UIO drivers and place them in the appropriate location for the updated kernel:
$ sudo yum -y reinstall dpdk
ACLs
ACLs used with access-list output do not work on traffic sent to directly connected hosts [2057]
BFD
Attempting to change a BFD local/peer address fails [1549]
BFD cannot be administratively disabled via CLI [1883]
The BFD delayed option does not work [1885]
An unused BFD conf-key cannot be modified [1891]
BFD does not integrate with BGP [2106]
BGP
TNSR does not send BGP updates without restarting service with redistribute from connected option [746]
Route with aggregate-address via next-hop 0.0.0.0 does not appear in TNSR route table [832]
BGP sessions may fail to establish or rapidly reconnect when receiving more prefixes than defined by maximum-prefix limit [858]
The maximum-prefix restart command does not work [859]
TNSR installs multiple paths for received routes even though support for multiple paths is not enabled [885]
Workaround: Run systemctl reset-failed frr from the shell to clear the error, which will allow the BGP service to start again.
Changing update-source from an IP address to loop1 allows a session to establish but remote prefixes do not appear in the FIB until reboot [1104]
BGP import-check feature does not work [781]
Logs may include the spurious BGP message "binary API client 'route_daemon' died", which does not affect BGP routing [1714]
CLI
show route table causes the backend to die with large numbers of routes in the table [506]
For example, this crash happens with a full BGP feed.
Using service dataplane restart can cause clixon_backend to lose its configuration [1383]
Large lists (e.g. 10,000+ ACLs) can cause significant delays in related CLI operations [2139]
DHCP
Adding a DHCP reservation without a MAC address causes Kea to fail and the entry cannot be removed [1530]
Workaround: A MAC address is required for DHCP reservations, so always enter a MAC address when creating an entry.
Configuring Kea to log all names with * does not work [1307]
Workaround: Configure each name separately instead of using a wildcard.
DNS
Local zone FQDN handling for forward (A) and reverse (PTR) data is inconsistent, only allowing one or the other to work as expected for a given FQDN [1384]
Using the allow_setrd attribute for access-control entries causes unbound to fail [1747]
Unbound requires a default route in the host OS to resolve [1884]
Host ACLs
Host ACL entries are duplicated after a dataplane restart [2207]
HTTP Server / RESTCONF
HTTP server runs even though it’s not configured to run after TNSR services restart [1153]
Workaround: Manually stop the nginx service using systemctl.
RESTCONF query replies may contain CDATA tags in JSON [1463]
Adding an ACL rule entry via RESTCONF may appear to add a duplicate ACL [1238]
Interfaces
Loopback interface responds to ICMP echo from an outside host even when in a Down state [850]
Non-LACP bond interfaces may experience packet drops when a bond member interface is down [1603]
MAC address changes on dataplane interfaces are not reflected on the host tap interface until the dataplane is restarted [1502]
Workaround: Restart the dataplane after changing an interface MAC address.
Bond interface MAC addresses do not match their host tap interface unless a MAC address is explicitly set at creation [1502]
Workaround: Set the MAC address when creating the bond interface.
Packets do not pass through a subinterface after the subinterface configuration has been modified [1612]
QinQ VLAN termination is not working [1550]
Chelsio interfaces crash the dataplane [1896]
VLAN subinterfaces may not work under KVM using virtio drivers [2189]
IPsec
An IPsec tunnel which was removed and then added back in may take longer than expected to establish [1313]
MAP
MAP-T BR cannot translate IPv4 ICMP echo reply to IPv6 [1749]
MAP security check configuration differs between the dataplane and CLI [1777]
MAP behavior cannot be changed from translate to encapsulate without restarting the dataplane [1779]
TCP MSS value is not applied to encapsulated packets when MAP-E mode is used [1816]
Fragmentation of IPv4 packets is performed regardless of configured MAP fragmentation behavior when MAP-T mode is used [1826]
MAP BR does not send ICMPv6 unreachable messages when a packet fails to match a MAP domain [1869]
Pre-resolve does not work when MAP-T mode is used [1871]
MAP BR encapsulates/translates only last fragment when receiving fragmented packets from IPv4 network [1887]
NACM
Permitted default read and write operations cannot be executed if default exec policy is set to deny [1158]
NAT
twice-nat does not work [1023]
NAT forwarding is not working for in2out direction [1039]
NAT static mapping with defined ports leads to clixon-backend crash after restart [1103]
DS-Lite is not functional; B4 router sends encapsulated IPv4-in-IPv6 packets, but AFTR replies with an error [1626]
NAT forwarding fails with more than one worker thread [2031]
Note: This also affects connectivity to services on TNSR, such as RESTCONF, when the client is not on a directly connected network.
Deterministic NAT crashes the dataplane [1856]
Connections to and from the TNSR host are included in NAT sessions when connecting through an interface with ip nat outside [1892] [1979]
Neighbors
IPv6 static neighbor entries do not work [2005]
NTP
NTP restrictions for prefixes do not work [1705]
RESTCONF
A malformed request may cause the API to return unexpected errors for a few seconds while it restarts [2079]
Routing
Deleting a non-empty route table fails with an error and the table remains in the configuration, but it cannot be changed afterward [1241]
Workaround: Remove all routes from the table before deleting. Alternately, copy the running configuration to startup and restart TNSR, which will make the route table appear again so the routes and then the table can be removed.
User Management
When deleting a user key from the running configuration it is not removed from the user’s authorized_keys file [1162]
Workaround: Manually edit the authorized_keys file for the user and remove the key.
VXLAN
Changes to a VXLAN interface do not apply until the dataplane is restarted [1778]
Alternate VXLAN encapsulation routing tables cannot be configured [1872]
Reporting Issues
For issues, please contact the Netgate Support staff.
Send email to support@netgate.com
Phone: 512.646.4100 (Support is Option 2)