TNSR 19.05 Release Notes

About This Release

General

  • Added support for QAT C62x crypto devices [1718]

  • Added service management RPCs to data model [1715]

ACL

  • Fixed creating an ACL using only a description [1558]

  • Fixed creating an empty ACL [1735]

  • Fixed creating an ACL rule with a destination port [1796]

BGP

  • IPv6 BGP neighbors get entered as peer-groups only in bgpd.conf [1190]

  • Removed deprecated neighbor <peer> interface <if> BGP command [2113]

  • Restructured BGP address family configuration to accommodate IPv4 and IPv6 [2049]

  • Removed option to create a new neighbor inside address family mode [2194]

  • Removed route-map set metric options for +/- rtt and +/- metric as they were not supported as users expected in FRR [2191]

CLI

  • [no] shutdown style syntax has been removed. Use enable and disable, or no enable [1652]

  • Fixed paging issues in output that could lead to incorrect or missing output after certain actions taken with multi-page output (e.g. pressing q or Enter at a More prompt) [1774, 1773]

  • The CLI now stores command history between sessions (Command History) [514, 1949]

  • Standardized commands to enabled coredumps for services, and added support for coredumps from ike, unbound, http, and ntp (Diagnosing Service Issues) [1831]

  • Fixed ping so it can work with IPv6 source addresses [2004]

  • Improved CLI performance when working with large lists [2127]

  • Increased timeout for package commands to allow longer processes to finish completely, such as upgrades [1768]

Dataplane

  • Fixed writing default values to the dataplane configuration when no dataplane options are set in the configuration [1982]

  • Fixed dataplane crashes when using NAT with forwarding enabled with certain packet combinations when the protocol is not ICMP, TCP, or UDP [1998]

  • Mellanox support: Added option to disable multi-segment buffers in the dataplane [2022]

  • Fixed an error when configuring a dataplane crypto device without first configuring the UIO driver [1812]

  • Added worker thread and core affinity options [1675]

  • Added an option to set custom interface names for dataplane interfaces [2062]

  • Added commands to configure dataplane statistics segment options [2199]

DHCP

  • The DHCP server can now function when an interface is configured as a DHCP client [1801]

  • DHCP server no longer uses link-local interface IP addresses (169.254.0.x) as a source address for DHCP packets or as a DHCP Server Identifier [1222]

  • Removed incorrect references to the netgate-interface module from the DHCP server CLI specification API paths [1810]

  • Removed redundant ipv4 forms of DHCP-related commands [1557]

Host ACLs

  • Added support for Host ACLs to control traffic to host OS interfaces using nftables [1651]

HTTP Server / RESTCONF

  • nginx now behaves as expected with authentication type none and TLS [1086]

    Warning

    This mode is intended only for testing, not production use.

  • Fixed RESTCONF get of /restconf/data/ so it properly returns state data [1534]

Installer

  • Improved consistency in post-install login procedures across all TNSR platforms [2013]

  • Fixed installation issues on hardware that has an eMMC device, such as the Netgate 5100 [2048]

  • Fixed the default NACM configuration when installing from ISO [2133]

  • Added Infiniband/rdma packages to the default installation [2201]

Interfaces

  • An interface can now be deleted if has had an ACL or MACIP applied [1177, 1178]

  • MACIP ACLs no longer remain in the interface configuration after being removed [1179]

  • Bond interfaces in LACP mode no longer send LACPDUs when configured for passive mode [1614]

  • VLAN tag rewrite settings have been relocated to interfaces, as they do not require a subinterface [1344]

  • VXLAN validation now properly reflects that a VXLAN entry requires a VNI [1821]

  • GRE and VXLAN now create interfaces on the host [1999]

  • Fixed display of link speeds for 40G and 100G interfaces [1867]

  • Removed unused “Admin status” field from state information for host interfaces [1864]

  • Fixed interface counters for Mellanox interfaces [2039]

  • Fixed interface counters for IPsec interfaces [2075]

  • VLAN tag-rewrite attributes are now included in show interface output [1654]

  • Changed show interfaces to output interfaces in a consistent order [2046]

  • Fixed a problem with neighbor location (ARP/NA) when VLAN tags are present [1326]

  • Fixed default handling of VMXNET3 interfaces [1703]

IPsec

  • Added support for the 3DES encryption algorithm in IPsec proposals [1444]

NACM

NAT

  • DS-Lite B4 endpoint is now shown in the output of show dslite [1625]

  • NAT sessions may now be queried with show nat sessions [verbose] (View NAT Sessions) [975, 1456]

  • Fixed issues with NAT and multiple worker threads [1844]

  • NAT mode deletion is now properly respected in VPP startup configuration after TNSR services restart [1017]

  • Fixed incorrect NAT static mappings being added when a new rule differed from an existing rule only by the port-local value [1100]

Known Limitations

Updates

  • The UIO drivers may not be present in the correct directory after a kernel upgrade. Since the UIO drivers are kernel-specific, they must be rebuilt after any change in the kernel [2216]

    To work around this issue, force a reinstall of the DPDK package which will rebuild the UIO drivers and place them in the appropriate location for the updated kernel:

    $ sudo yum -y reinstall dpdk
    

ACLs

  • ACLs used with access-list output do not work on traffic sent to directly connected hosts [2057]

BFD

  • Attempting to change a BFD local/peer address fails [1549]

  • BFD cannot be administratively disabled via CLI [1883]

  • The BFD delayed option does not work [1885]

  • An unused BFD conf-key cannot be modified [1891]

  • BFD does not integrate with BGP [2106]

BGP

  • TNSR does not send BGP updates without restarting service with redistribute from connected option [746]

  • Route with aggregate-address via next-hop 0.0.0.0 does not appear in TNSR route table [832]

  • BGP sessions may fail to establish or rapidly reconnect when receiving more prefixes than defined by maximum-prefix limit [858]

  • The maximum-prefix restart command does not work [859]

  • TNSR installs multiple paths for received routes even though support for multiple paths is not enabled [885]

    Workaround: Run systemctl reset-failed frr from the shell to clear the error which will allow the BGP service to start again.

  • Changing update-source from an IP address to loop1 allows a session to establish but remote prefixes do not appear in the FIB until reboot [1104]

  • BGP import-check feature does not work [781]

  • Logs may include spurious BGP message binary API client 'route_daemon' died which do not affect BGP routing [1714]

CLI

  • show route table causes the backend to die with large numbers of routes in the table [506]

    For example, this crash happens with a full BGP feed.

  • Using service dataplane restart can cause clixon_backend to lose its configuration [1383]

  • Large lists (e.g. 10,000+ ACLs) can cause significant delays in related CLI operations [2139]

DHCP

  • Adding a DHCP reservation without a MAC address causes Kea to fail and the entry cannot be removed [1530]

    Workaround: A MAC address is required for DHCP reservations, so always enter a MAC address when creating an entry.

  • Configuring Kea to log all names with * does not work [1307]

    Workaround: Configure each name separately instead of using a wildcard.

DNS

  • Local zone FQDN handling for forward (A) and reverse (PTR) data is inconsistent, only allowing one or the other to work as expected for a given FQDN [1384]

  • Using the allow_setrd attribute for access-control entries causes unbound to fail [1747]

  • Unbound requires a default route in the host OS to resolve [1884]

Host ACLs

  • Host ACL entries are duplicated after a dataplane restart [2207]

HTTP Server / RESTCONF

  • HTTP server runs even though it’s not configured to run after TNSR services restart [1153]

    Workaround: Manually stop the nginx service using systemctl.

  • RESTCONF query replies may contain CDATA tags in JSON [1463]

  • Adding an ACL rule entry via RESTCONF may appear to add a duplicate ACL [1238]

Interfaces

  • Loopback interface responds to ICMP echo from an outside host even when in a Down state [850]

  • Non-LACP bond interfaces may experience packet drops when a bond member interface is down [1603]

  • MAC address changes on dataplane interfaces are not reflected on the host tap interface until the dataplane is restarted [1502] Workaround: Restart the dataplane after changing an interface MAC address.

  • Bond interface MAC addresses do not match their host tap interface unless a MAC address is explicitly set at creation [1502]

    Workaround: Set the MAC address when creating the bond interface.

  • Packets do not pass through a subinterface after the subinterface configuration has been modified [1612]

  • QinQ VLAN termination is not working [1550]

  • Chelsio interfaces crash the dataplane [1896]

  • VLAN subinterfaces may not work under KVM using virtio drivers [2189]

IPsec

  • An IPsec tunnel which was removed and then added back in may take longer than expected to establish [1313]

MAP

  • MAP-T BR cannot translate IPv4 ICMP echo reply to IPv6 [1749]

  • MAP security check configuration differs between the dataplane and CLI [1777]

  • MAP behavior cannot be changed from translate to encapsulate without restarting the dataplane [1779]

  • TCP MSS value is not applied to encapsulated packets when MAP-E mode is used [1816]

  • Fragmentation of IPv4 packets is performed regardless of configured MAP fragmentation behavior when MAT-T mode is used [1826]

  • MAP BR does not send ICMPv6 unreachable messages when a packet fails to match a MAP domain [1869]

  • Pre-resolve does not work when MAP-T mode is used [1871]

  • MAP BR encapsulates/translates only last fragment when receiving fragmented packets from IPv4 network [1887]

NACM

  • Permitted default read and write operations cannot be executed if default exec policy is set to deny [1158]

NAT

  • twice-nat does not work [1023]

  • NAT forwarding is not working for in2out direction [1039]

  • NAT static mapping with defined ports leads to clixon-backend crash after restart [1103]

  • DS-Lite is not functional; B4 router sends encapsulated IPv4-in-IPv6 packets, but AFTR replies with an error [1626]

  • NAT forwarding fails with more than one worker thread [2031]

    Note: This also affects connectivity to services on TNSR, such as RESTCONF, when the client is not on a directly connected network.

  • Deterministic NAT crashes the dataplane [1856]

  • Connections to and from the TNSR host are included in NAT sessions when connecting through an interface with ip nat outside [1892] [1979]

Neighbors

  • IPv6 static neighbors entries do not work [2005]

NTP

  • NTP restrictions for prefixes do not work [1705]

RESTCONF

  • A malformed request may cause the API to return unexpected errors for a few seconds while it restarts [2079]

Routing

  • Deleting a non-empty route table fails with an error and the table remains in the configuration, but it cannot be changed afterward [1241]

    Workaround: Remove all routes from the table before deleting. Alternately, copy the running configuration to startup and restart TNSR, which will make the route table appear again so the routes and then the table can be removed.

User Management

  • When deleting a user key from the running configuration it is not removed from the user’s authorized_keys file [1162]

    Workaround: Manually edit the authorized_keys file for the user and remove the key.

VXLAN

  • Changes to a VXLAN interface do not apply until the dataplane is restarted [1778]

  • Alternate VXLAN encapsulation routing tables cannot be configured [1872]

Reporting Issues

For issues, please contact the Netgate Support staff.