1.4 Sagitta


  • T6263 (bug): Multicast: Could not commit multicast config with multicast join group using source-address

  • T5833 (bug): Not all AFIs compatible with VRF


  • T6255 (bug): Static table description should not contain white-space

  • T6226 (feature): add HAPROXY `tcp-request content accept` related block to load-balancing reverse proxy config

  • T6109 (bug): remote syslog do not get all the logs

  • T6217 (feature): VRRP contrack-sync script change name of the logger

  • T6244 (feature): Spacing of "Show System Uptime" hard to parse


  • T6260 (bug): image-tools: remove failed image directory if 'No space left on device' error

  • T6261 (default): Typo in op_mode connect_disconnect print statement for check_ppp_running

  • T6237 (feature): IPSec remote access VPN: ability to set EAP ID of clients


  • T5996 (bug): unescape backslashes for config save, compare commands

  • T6103 (bug): DHCP-server bootfile-name double slash syntax weird behaviour

  • T6080 (default): Default NTP server settings

  • T5986 (bug): Container: Error on commit when environment variable value contains \n line break


  • T6191 (bug): Policy Route TCP-MSS Behavior Different from 1.3.x

  • T5535 (feature): disable-directed-broadcast should be moved to firewall global-options


  • T6252 (bug): gre tunnel - doesn't allow configure jumbo frame more than 8024


  • T6221 (bug): Enabling VRF breaks connectivity

  • T6035 (bug): QoS policy shaper queue-type random-detect requires  limit avpkt

  • T6246 (feature): Enable basic haproxy http-check configuration options

  • T6242 (feature): Loadbalancer reverse-proxy: SSL backend skip CA certificate verification


  • T6168 (bug): add system image does not set default boot to current console type in compatibility mode

  • T6243 (bug): Update vyos-http-api-tools for package idna security advisory

  • T6154 (enhancment): Installer should ask for password twice

  • T5966 (default): Adjust dynamic dns configuration address subpath to be more intuitive and other op-mode adjustments

  • T5723 (default): mdns repeater: Always reload systemd daemon before applying changes

  • T5722 (bug): Failing to add route in failover if gateway not in the same interface network

  • T5612 (default): Miscellaneous improvements and fixes for dynamic DNS configuration

  • T5574 (default): Support per-service cache management for dynamic dns providers

  • T5360 (bug): ddclient generating abuse


  • T6100 (bug): NAT config migration error in 1.4.0-epa1 if invalid address/network defined in 1.3.6 version

  • T5734 (bug): OpenVPN server dh-params that are not in PKI error


  • T6210 (feature): Add container ability to configure capability sys-nice


  • T6173 (bug): Build Causes Errors When "--version" Contains Slashes ("/")

  • T2518 (feature): Support NAT for ipv6(NPT)

  • T6238 (default): vyos-build Check pull request title requires the python script

  • T6235 (default): Git check PR status: conflicts and resolution


  • T5872 (default): ipsec remote access VPN: support dhcp-interface

  • T6216 (bug): Upgrade error from 1.3 to 1.4 - Firewall using character '+'

  • T6214 (bug): Error when using some constraints

  • T6213 (bug): Firewall group constraints

  • T6148 (bug): Reset vpn ipsec command breaks tunnel and does not reset SAs that are down

  • T1487 (default): DNS (pdns_recursor) stats logs not saved to disk

  • T6222 (bug): VRRP rfc3768-compatibility not working correctly when resulting interface name is over 15 characters

  • T6218 (bug): Container network interface in VRF fails to generate IPv6 link-local address

  • T5959 (default): Streamline dns forwarding service

  • T5846 (default): Refactor and simplify DUID definition in conf-mode

  • T5631 (feature): Ability to export the current configuration in JSON format

  • T5615 (default): Narrow down spurious name conflict with mdns

  • T5530 (default): Add LFA to IS-IS

  • T5195 (default): Break up the vyos.util module

  • T5124 (bug): Python3 deprecation distutils.version import LooseVersion

  • T1871 (feature): add MTU option when configure limiter traffic-policy

  • T874 (feature): Support for Two Factor Authentication for CLI access via Google Authenticator/OTP

  • T6204 (default): Remove shebang lines from Python modules

  • T6166 (bug): Tech support generation error for custom output location

  • T6062 (feature): container: add support for image manipulation based on tag name

  • T5877 (default): Reduce unnecessary nesting in system domain-search path and improve smoketest

  • T5871 (default): ipsec remote access VPN: specify "cacerts" to disambiguate mulitple remote access configurations

  • T5870 (default): ipsec remote access VPN: add x509 ("pubkey") authentication

  • T5772 (default): Require HTTPS API server configurations to include at least one key if key-based auth is used

  • T5447 (feature): Allow static MACsec keys with peers

  • T4221 (default): Add a template filter for converting scalars to single-item lists

  • T3766 (feature): containers: Expanding options for networking and building containers


  • T4516 (feature): Rewrite system image manipulation tools in Python

  • T4548 (feature): GRUB loader configuration rework

  • T3774 (bug): atop logs are not limited in size

  • T3574 (default): Add constraintGroup for combining validators with logical AND

  • T3474 (default): Revisit storing syntax version of interface definitions in XML file

  • T160 (feature): Support NAT64

  • T6228 (bug): Cleanup of not existing units


  • T6207 (bug): image-tools: restore ability to copy config.boot.default on image install

  • T5750 (bug): Upgrade from 1.3.4 to 1.4 Rolling fails QoS

  • T5858 (bug): Show conntrack statistics formatting is all over the place

  • T4734 (feature): Feature Request: openvpn: add OTP 2FA support


  • T3409 (feature): Add back TCP-MSS Clamp to PMTU

  • T6121 (feature): Extend service config-sync for sections  vpn, policy, vrf


  • T6197 (bug): IPoE-server interface client-subnet looks broken or works with the wrong logic

  • T6196 (bug): Route-map and summary-only do not work in BGP aggregation at the same time

  • T6068 (feature): dhcp server: allow switching between load-balanced and hotspare mode


  • T6205 (bug): ipoe: error in migration script logic while renaming mac-address to mac node

  • T6039 (bug): cloud-init DNS search-domain causes configuration migration/validation error

  • T5862 (bug): Default MTU is not acceptable in some environments

  • T6208 (feature): container: rename "cap-add" CLI node to "capability"

  • T6188 (feature): Add Firewall Rule Description to "show firewall" commands

  • T1244 (default): Support for StartupResync in conntrackd


  • T6203 (enhancment): Remove obsoleted xml lib

  • T6202 (bug): Multi-Protocol BGP is broken by 6PE patch in upstream FRR 9.1


  • T6089 (bug): [1.3.6->1.4.0-epa1 Migration] "ospf passive-interface default" incorrectly added

  • T2590 (bug): DHCPv6 not updating nameservers and search domains since replacing isc-dhcp-client with WIDE dhcp6c

  • T6199 (feature): spring cleaning - drop unused Python imports


  • T6119 (default): Use a compliant TOML parser

  • T6171 (feature): dhcp server fail-over - Rename fail-over node

  • T6115 (bug): Build from Git tags fail

  • T5122 (feature): Move "archive-areas" to defaults.toml to support "non-free-firmware" repository

  • T5121 (bug): Incorrect "architecture" config loaded

  • T4951 (default): Add an op mode exception for cases when operations fail due to insufficient system resources

  • T4883 (default): Add a description field for routing tables

  • T4796 (bug): build-vyos-image ignores multiple options

  • T4795 (feature): Cleanup custom python validators

  • T4761 (default): Add a generic URL validator

  • T3843 (bug): l2tp configuration not cleared after delete

  • T3681 (default): The VMware Tools resume script did not run successfully in this virtual machine.

  • T1991 (feature): Rework time services

  • T5711 (default): Put the version data file inside the ISO image

  • T5672 (default): Remove the old-style command definition importer

  • T5639 (default): Group vyos-1x dependencies by their VyOS components and specify their purpose

  • T5638 (default): Add support for requiring numeric values to be ranges rather than single numbers

  • T5634 (default): Remove support for Blowfish and DES from OpenVPN

  • T5605 (default): Do not generate keysize option in OpenVPN configs

  • T5582 (default): Add a command to force NTP sync

  • T5449 (default): Add options for TCP MSS probing

  • T4440 (default): Add OCI compliant image labels to vyos-build and vyos containers

  • T671 (enhancment): Identify and remove dead code

  • T5109 (feature): Improve OCaml XML validator

  • T1449 (feature): Add opportunity to include custom default configs (few) at building


  • T6198 (feature): configverify: add common helper for PKI certificate validation

  • T6192 (feature): Multi VRF support for SSH


  • T6167 (bug): VNI not set on VRF after reboot

  • T6151 (default): BGP VRF - Route-leaking not work when the next-hop is a recursive route.

  • T6033 (bug): hsflowd fails to start when using a tunnel interface


  • T6195 (feature): dropbear: package upgrade 2022.83-1 -> 2022.83-1+deb12u1

  • T6193 (bug): dhcp-client: invalid warning "is not a DHCP interface but uses DHCP name-server option" for VLAN interfaces

  • T6178 (bug): Reverse-proxy should check that certificate exists during commit


  • T6186 (bug): Fix regression in 'set system image default-boot'

  • T5832 (feature): Keepalived: Allow using the 'dev' statement on excluded-addresses


  • T6147 (bug): Conntrack not working as expected with global state-policy

  • T6175 (bug): op-mode: "renew dhcp interface <name>" does not check if it's an actual DHCP interface


  • T6066 (bug): Setting same network in different ospf area will raise exception


  • T6145 (bug): Service config-sync does not rely on priorities but must


  • T6161 (feature): Output container images as JSON

  • T6165 (bug): grub: vyos-grub-update failed to start on "slow" systems

  • T6085 (bug): VTI interfaces are in UP state by default

  • T6152 (bug): Kernel panic for ZimaBoard 232


  • T6160 (bug): isis: NameError: name 'process' is not defined

  • T6131 (bug): Disabling openvpn interface(s) causes OSPF to fail to load on reboot

  • T4022 (feature): Add package nat-rtsp-dkms


  • T6136 (bug): Configuring a dynamic address group, config script did not check whether the group was created

  • T6130 (bug): [1.3.6->1.4.0-epa2 Migration] BGP "set community" missing

  • T6090 (bug): [1.3.6->1.4.0-epa1 Migration] policy route fails due tcp flag case sensitivity

  • T6155 (default): ixgbe: failed to initialize because an unsupported SFP+ module type was detected.

  • T6125 (feature): Support 802.1ad (0x88a8) vlan filtering for bridge

  • T5624 (default): Remove /etc/debian_version from the image


  • T6143 (feature): Increase configuration timeout range for service config-sync


  • T6133 (feature): Add domain-name to commit-archive

  • T6129 (feature): bgp: add route-map option "as-path exclude all"


  • T6127 (bug): Ability to view logs for rules with Offload not functional

  • T6138 (bug): Conntrack table op-mode fails with flowtable offload entries


  • T6118 (feature): radvd: RFC8781: add nat64prefix support


  • T6020 (bug): VRRP health-check script is not applied correctly in keepalived.conf

  • T5646 (bug): QoS policy limiter broken if class without match

  • T2433 (feature): Improve CLI value validator performance

  • T1436 (bug): Config entries with default values do not correctly show as changed


  • T6098 (bug): Description doesnt seem to allow for non international characters

  • T6070 (bug): bnx2x NIC causes a commit error due to incorrect implementation of EEE status reading

  • T2998 (bug): SNMP v3 oid "exclude" option doesn't work

  • T6107 (bug): Nginx does not allow big config queries for configure endpoint API

  • T6096 (bug): Config commits are not synced properly because 00vyos-sync is deleted by vyos-router

  • T6093 (bug): Incorrect dhcp-options vendor-class-id regex

  • T6083 (feature): ethtool: move string parsing to JSON parsing

  • T6069 (bug): HTTP API segfault during concurrent configuration requests

  • T6057 (feature): Add ability to disable syslog for conntrackd

  • T5504 (feature): Keepalived VRRP ability to set more than one peer-address

  • T5717 (feature): ospfv3 - add  allow to set metric-type to ospf redistribution while frr docs says its possible.

  • T6071 (bug): firewall: CLI description limit of 256 characters cause config upgrade issues


  • T6086 (bug): NAT does not work with network-groups

  • T6094 (bug): Destination Nat not Making Firewall Rules

  • T6061 (bug): connection-status nat destination firewall filter not working in 1.4.0-epa1

  • T6075 (bug): Applying firewall rules with a non-existent interface group


  • T6104 (bug): Regression in commit-archive for non-interactive configuration

  • T6084 (bug): OpenNHRP DMVPN configuration file clean after reboot if we have any IPSec configuration

  • T5348 (bug): Service config-sync can freeze the secondary router if it has commit-archive location

  • T6073 (bug): Conntrack/NAT not being disabled when VRFs are defined

  • T6095 (default): Tab completion for "set interfaces wireless wlan0 country-code" incorrect country "uk"


  • T6079 (bug): dhcp: migration fails for duplicate static-mapping


  • T5903 (bug): NHRP don´t start on reboot from version 1.5-rolling-202401010026

  • T2447 (feature): Additional Boot Argument Configuration to limit CPU C-States


  • T6054 (bug): load-balancing wan - doesn't configure a list of ports

  • T6087 (feature): ospfv3: add support to redistribute IS-IS routes


  • T6081 (bug): QoS policy shaper target and interval wrong calcuations


  • T6078 (feature): Update ethtool to 6.6

  • T6077 (feature): banner: implement ASCII contest winner default logo

  • T6074 (feature): container: do not allow deleting images which have a container running


  • T6055 (bug): PKI error: "failed to install x value" when executed the command from conf mode

  • T4270 (bug): dns forwarding - When "ignore-hosts-file" is unset, local hostname of router resolves to


  • T6065 (bug): Duplicate lines in build-vyos-image script cause sagitta build to fail

  • T5080 (bug): Conntrack enabled by default


  • T6064 (bug): Can not build VyOS if repository it not cloned to a branch

  • T5754 (default): Update to StrongSwan 5.9.11


  • T6060 (feature): op-mode: container: support removing all container images at once


  • T5909 (bug): Container registry with authentication prevents config load (section container) after reboot


  • T5376 (bug): Conntrack FTP helper does not work properly

  • T970 (feature): Hostname Support in NAT and Firewall Rules

  • T4940 (feature): Interface debugging


  • T6048 (bug): Exception in event handler script

  • T3902 (bug): Firewall does not load on boot, address-group not found, even though it exists


  • T6050 (bug): Wrong scripting commands descriptions in accel-ppp services


  • T5971 (default): Create the same view of ppp section  for all accel-ppp services

  • T6029 (default): Rewrite Accel-PPP services to an identical feature set

  • T3722 (bug): op-mode IPSec show vpn ike sa always shows L-TIME 0


  • T6043 (bug): VxLAN and bridge error bug

  • T6041 (bug): image-tools: install fails from PXE boot into live iso due to restrictive logic


  • T5972 (feature): login: add possibility to disable individual local user accounts


  • T6009 (bug): Firewall - Time not working properly when not using UTC

  • T6005 (bug): Error on adding a wireguard interface to OSPFv3

  • T2113 (bug): OpenVPN Options error: you cannot use --verify-x509-name with --compat-names or --no-name-remapping

  • T6019 (feature): Bump nftables and libnftnl version

  • T3471 (bug): DHCP hook is not able to detect all running DHCP instances

  • T6015 (default): "journalctl_charon" file does not contain data in the generated "ipsec debug-archive" file

  • T6001 (default): Add option to enable resolve-via-default

  • T5965 (bug): WWAN modems using raw-ip do not work with dhclient/dhcp6c

  • T5418 (bug): PPPoE-Server Client IP pool Subnet

  • T5245 (bug): Wireless interfaces do not get IPv6 link-local address assigned


  • T5977 (bug): nftables: Operation not supported when using match-ipsec in outbound firewall

  • T2612 (bug): HTTPS API, changing API key fails but goes through

  • T5989 (bug): IP subnets not usable in UPnP ACLs

  • T5890 (default): OTP key generation is broken

  • T5719 (default): mdns repeater: Add op-mode commands

  • T4839 (feature): Dynamic Firewall groups

  • T4801 (feature): Support for building AWS-ready ISO

  • T3993 (enhancment): Extend HTTP API GraphQL support

  • T3991 (bug): PKI operational command return traceback

  • T3780 (bug): VTI not being brought down when tunnel is down

  • T3001 (feature): Disable spectre mitigation patches from CLI

  • T562 (feature): PDNS: Add support for authoritative dns server

  • T71 (feature): Add virtual IP and route installation policy options for IPsec

  • T5496 (default): `show firewall` error

  • T4038 (default): Rewrite `vyatta-image-tools.pl` in Python

  • T4997 (default): Add DHCP client user hooks dir

  • T775 (feature): Config Sync between two VyOS routers

  • T381 (feature): config nodes for EasyRSA CAs

  • T118 (feature): Native Zabbix Support


  • T6034 (feature): rpki: move file based SSH keys for authentication to PKI subsystem

  • T5981 (bug): IPsec site-to-site migrated PKI ca certificates are created with an '@'

  • T5930 (bug): vrf - route-leak not work using route-target both command.

  • T5709 (bug): IPoE-server fails if next pool mentioned but not defined

  • T4119 (bug): Issue with l2tp remote-access ipv6 configuration

  • T2044 (bug): RPKI doesn't boot properly

  • T6032 (feature): bgp: add EVPN MAC-VRF Site-of-Origin support

  • T5960 (default): Rewriting authentication section in accel-ppp services


  • T5928 (bug): Configuration fails to load on boot if offloading has VLAN interfaces defined

  • T5482 (bug): Chrony NTP Server Fails To Sync Time

  • T5064 (bug): Value validation for domain-groups seems to be broken


  • T6010 (bug): Support setting multiple values in BGP path-attribute

  • T6004 (bug): RPKI is not configured

  • T5952 (default): DHCP allow same MAC Address on same subnet

  • T5849 (feature): Add SRv6 route commands


  • T6023 (bug): rpki: add support for CLI knobs expire-interval and retry-interval

  • T1090 (default): Webproxy overhaul


  • T6028 (bug): QoS policy shaper wrong class_id_max and default_minor_id

  • T6026 (bug): QoS hide attempts to delete qdisc from devices

  • T5788 (feature): frr: update to 9.1 release

  • T5703 (bug): QoS config on pppoe interface resets back to fq_codel after tunnel reboots

  • T5685 (feature): Keepalived VRRP prefix is not necessary for the virtual address


  • T6014 (feature): Bump keepalived version

  • T5910 (bug): Grub problem(?) Serial Console no longer working

  • T6021 (bug): QoS r2q wrong calculation


  • T6017 (bug): Update vyos-http-api-tools for security advisory

  • T6016 (bug): Resolve intermittent failures in cleanup function after failed image install

  • T6024 (feature): bgp: add additional missing FRR features

  • T6011 (feature): rpki: known-hosts-file is no longer supported by FRR CLI - remove VyOS CLI node

  • T5998 (feature): replay_window setting under vpn in config


  • T6018 (default): smoketest: updating http-api framework requires a pause before test

  • T5921 (bug): Trying to commit an OpenConnect configuration without any local users results in an exception

  • T5687 (feature): Implement ECS settings for PowerDNS recursor


  • T5974 (bug): QoS policy shaper is currently miscalculating bandwidth and ceil values for the default class

  • T5865 (feature): Rewrite ipv6 pool section to ipv6 named pools in Accel-ppp services


  • T5739 (bug): Password recovery does not work if public keys are configured

  • T5955 (feature): Rootless containers/set uid/gid for container

  • T5941 (bug): [1.3.5 -> 1.4.0-RC1 Migration] Orphaned Configuration Nodes Cause Issues

  • T6003 (feature): Add 'show rpki as-number' and 'show rpki prefix'

  • T5848 (feature): Add triple-isolate flow isolation option to CAKE QoS policy


  • T5995 (bug): Kernel NIC-drivers for Huawei NICs are not properly enabled

  • T5978 (bug): ethernet: hw-tc-offload does not actually get enabled on the NIC

  • T5979 (enhancment): Add configurable kernel boot parameters

  • T5973 (bug): vrf: RTNETLINK answers: File exists

  • T5967 (bug): Multi-hop BFD connections can't be established; please add minimum-ttl option.

  • T5619 (default): Update the Intel ixgbe driver due to issues with Intel X533


  • T6000 (bug): [1.3.x -> 1.5.x] migrating threw exception in /opt/vyatta/etc/config-migrate/migrate/https/5-to-6, performed workaround

  • T5999 (bug): load-balancing reverse-proxy can't configure root as a redirect


  • T5980 (feature): Add image-tools support for configurable kernel boot options


  • T5988 (bug): image-tools: a check of valid image name is missing from 'add image'

  • T5994 (bug): Fix typo in 'remote' module preventing 'add system image' via ftp


  • T5957 (bug): Firewall fails to delete inbound-interface name

  • T5779 (bug): custom conntrack timeout rule not applicable

  • T5984 (feature): Add user util numactl


  • T5983 (bug): image-tools: minor regression in pruning version files in compatibility mode

  • T5927 (bug): QoS policy shaper-hfsc class does not have a `bandwidth` node but requires one in the check

  • T5834 (bug): Rename 'enable-default-log' to 'default-log'


  • T5968 (feature): hsflowd: add VRF support

  • T5975 (bug): GraphQL expects script otp.py that does not exists in 1.4

  • T5961 (bug): QoS policy shaper vif with ceiling fails on commit

  • T5958 (bug): QoS policy shaper-hfsc is not implemented

  • T5160 (feature): Firewall refactor

  • T5969 (feature): op-mode: list multicast group membership


  • T5799 (bug): vyos unbootable after 1.4-rolling-202308240020 to 1.5-rolling-202312010026 upgrade

  • T5787 (bug): dhcp-server allows duplicate static-mapping for the same IP address

  • T5692 (enhancment): NTP leap smear

  • T5954 (feature): Enable nvme_hwmon and drivetemp in KERNEL


  • T5915 (bug): Firewall zone - Re add op-mode commands

  • T5805 (bug): Missed per-interface statistic in telegraf

  • T5724 (feature): About dhcp client hooks

  • T5577 (bug): Optimize PAM configs for RADIUS/TACACS+

  • T5550 (bug): Source validation on interface does not work properly

  • T5267 (bug): Another corruption on upgrade

  • T5239 (bug): frr 'hostname' missing or incorrect, and domain-name missing totally

  • T5219 (bug): ddclient: Cloudflare doesn't require login

  • T5217 (feature): Add firewall SYNPROXY

  • T5203 (feature): load-balancing wan add systemd unit instead of old vyatta-wanloadbalance.init

  • T5199 (bug): Salt-minion cannot connect to server in python 3.10 and up

  • T5138 (feature): Add patch to accel-ppp build  L2TP LNS use Calling-Number as RADIUS Calling-Station-ID

  • T5054 (bug): ipsec: "show vpn ipsec remote-access" does not list active connections

  • T5053 (bug): Vyatta-cfg Post-Removal Hook Tries to Disable Deleted Service

  • T5035 (feature): Add more actions to policy route rule

  • T4990 (bug): Commit results may not be properly saved if power is cut immediately after a successful commit

  • T4988 (default): Expose time and size conversion functions as Jinja2 filters

  • T4986 (feature): Ability to filter traffic originating from the router itself via firewall

  • T4963 (default): vyos.ethtool: improve/fix driver name detection

  • T4935 (bug): ospfv3: "not-advertise" and "advertise" conflict

  • T4897 (bug): Setting 'source-address' or `source-interface` on existing vxlan interface doesn't work

  • T4888 (default): Rewrite the conntrack sync script using vyos.opmode

  • T4863 (feature): need an option for route policy to apply to dynamic interfaces l2tp*/ipoe*/pppoe* (for TCP MSS setting)

  • T4817 (feature): Please add support for RFC 9234

  • T4765 (default): Normalize field names in op mode JSON outputs

  • T4751 (enhancment): Feature Request: system login: 2FA OTP key generator in VyOS CLI

  • T4726 (default): Add completion and validation for the accel-ppp RADIUS vendor option

  • T4722 (default): Improve abbreviation/acronym consistency

  • T4172 (feature): Patch ndppd to not read route table if there are no auto prefixes

  • T4085 (feature): Rewrite L2TP/PPTP/SSTP/PPPoE services to get_config_dict

  • T4031 (feature): Ability to configure DMVPN in vrf

  • T4030 (bug): SR-IOV and interface renaming bug

  • T4014 (feature): Add “command” and “arg” configuration options for containers

  • T3965 (default): arm: Extend configure scripts to allow for arm builds

  • T3813 (bug): Some custom sysctl parameters can't be applied bug

  • T3778 (bug): Abnormal network communication and settings

  • T3591 (bug): OpenVPN with/without VRF not working (NordVPN)

  • T3372 (feature): Support public HTTPS repos in live-build

  • T5963 (bug): QoS policy shaper rate calculations could be wrong for some ethernet devices

  • T5962 (feature): QoS policy set default speed to 100mbit or 1gbit instead of 10mbit

  • T5697 (bug): event-handler keep failing

  • T4779 (default): Make raw op mode command outputs use bytes for data amount values


  • T5897 (bug): VyOS with Cloud-init and VRF stucks at reboot/shutdown process

  • T5554 (bug): Disable sudo for PAM RADIUS

  • T4754 (default): Improvement: system login: show configured 2FA OTP key

  • T5857 (bug): show interfaces wireless info

  • T5841 (default): Remove old ssh-session-cleanup.service

  • T5543 (bug): Fix source address handling in static joins

  • T5884 (default): Minor description fix (op-mode: generate wireguard)

  • T5781 (default): Add ability to add additional minisign keys


  • T5863 (bug): Failure to Load Config on Recent 1.5 Versions

  • T4638 (bug): Deleting a parent interface does not delete its underlying VLAN interfaces

  • T5953 (default): Rename 'close_action' value from `hold` to `trap` in IPSEC IKE

  • T905 (bug): The command show remote-config does not work for remote-platform openvpn


  • T5923 (bug): Config mode system_console.py is not aware of revised GRUB file structure

  • T4658 (feature): Rename DPD action `hold` to `trap`

  • T5932 (bug): 1.4-rolling-202304120317 to 1.4.0-rc1: dynamic dns migration fail


  • T5951 (bug): [1.4.0-RC2] show hardware dmi Operational Mode Command Broken

  • T5937 (bug): [1.3.5 -> 1.4.0-RC1 Migration] IPv6 BGP Neighbor Peer Groups Missing / Not Migrated

  • T5889 (bug): Migration NAT 5-to-6 bug

  • T5859 (bug): Invalid format of pool range in accel-ppp services

  • T5842 (feature): Rewrite PPTP service to get_config_dict

  • T5801 (feature): Rewrite L2TP service to get_config_dict

  • T5688 (default): Create the same view of pool configuration for all accel-ppp services


  • T5944 (bug): "reboot in 1" not working

  • T5936 (bug): [1.3.5 -> 1.4.0-RC1 Migration] OSPF Passive Interface Configuration Not Working Correctly

  • T5247 (bug): the bug of the command "show interfaces system"

  • T5901 (bug): Cloud-init and DHCP exit hook errors

  • T4856 (bug): DHCP-client exit hook for IPsec is incorrect

  • T2556 (bug): "show interfaces vrrp" does not return any interface


  • T4428 (feature): Update ddclient to newer version


  • T5925 (feature): Containers change systemd KillMode

  • T5920 (bug): Quick Start documentation contains error

  • T5919 (bug): Firewall - opmode for ipv6

  • T5306 (default): bgp config migration failed with v6only option configured with peer-group

  • T3429 (bug): Hyper-V integration services not working on VyOS 1.4 (sagitta/current)


  • T5896 (bug): Config Error on Boot with Podman and Firewall

  • T5532 (bug): After add system image the boot stuck and works again after the second reboot

  • T5512 (bug): build linux-firmware script cannot expand asterisks if firmware name is a glob string

  • T5379 (bug): show system updates doesnt seem to be working

  • T5275 (default): Add op mode commands for exporting certificates to PEM files with correct headers

  • T5274 (default): Add a deprecation warning for OpenVPN site-to-site with pre-shared secret

  • T5262 (default): Warn the user about unsaved config on reboot/shutdown attempts

  • T5257 (feature): Cannont assign netflow source ip to ip in non default VRF

  • T5026 (feature): Python3 modules crypt and spwd are deprecated

  • T5814 (bug): VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration

  • T4610 (bug): Firewall with 20K entries cannot load after reboot

  • T3191 (bug): PAM RADIUS freezing when accounting does not configured on RADIUS server

  • T5917 (feature): Restore annotations of (running)/(default boot) in select image list

  • T5916 (default): Added segment routing check for index size and SRGB size

  • T5913 (feature): Allow for Peer-Groups in ipv4-labeled-unicast SAFI


  • T5918 (bug): Verification problem for `set vpn ipsec interface`

  • T5911 (bug): pki: service update ignored if certificate name contains a hyphen (-)

  • T5886 (feature): Add support for ACME protocol (LetsEncrypt)

  • T5766 (bug): http: rewrite conf-mode script to get_config_dict()

  • T5144 (default): Modernize dynamic dns operation

  • T4689 (feature): Support RFS(Receive Flow Steering)

  • T4659 (feature): Use vtysh to display bridge and some interface parameter information

  • T4646 (bug): USB serial output console does not work

  • T4577 (bug): WWAN commit failed which simple config

  • T4502 (feature): Consider implementing (NAT/other) flow table offload

  • T4446 (default): Unified CLI for displaying neithbors (ARP, IP, and NDP)

  • T4427 (default): Remove the vyos-utils package list from vyos-build

  • T4300 (feature): Extend list of supported interfaces for Cloud-init Network Configuration

  • T4250 (bug): Organize logrotate settings to avoid duplicates

  • T4236 (feature): Generate ovpn openvpn client configuration files

  • T4222 (feature): Support for TWAMP as round-trip metric

  • T3833 (bug): Cloud-init not finding data source in OpenStack

  • T5902 (bug): http: remove virtual-host configuration in webserver

  • T3499 (bug): Podman is not compatible with nat rules

  • T3430 (bug): Cloud-init failing with “Unable to render networking” on VyOS 1.3

  • T3011 (bug): router becomes unreachable for few minutes when vti interfaces goes down

  • T5791 (default): Update dynamic dns configuration path to be consistent with other areas of VyOS

  • T5708 (default): Additional dynamic dns improvements to align with ddclient 3.11.1 release

  • T5573 (bug): Fix ddclient cache entries

  • T5012 (feature): Control network configuration from Cloud-Init config

  • T3116 (feature): Support back-end L4 level load balancing

  • T5614 (default): Add conntrack helper matching on firewall

  • T4782 (enhancment): Allow multiple CA certificates (on e.g. EAPoL)

  • T2199 (default): Rewrite firewall in new XML/Python style


  • T5898 (bug): Replace partprobe with partx due to unable to install VyOS

  • T5838 (feature): Add Infiniband kernel modules

  • T5785 (bug): API output of show container image broken

  • T5410 (feature): Improve `utils.convert.convert_data()` to process all stdtypes

  • T5269 (default): OpenVPN non-TLS site-to-site mode deprecation

  • T5249 (feature): Add rollback-soft feature to rollback without a reboot

  • T4944 (default): Prevent op mode functions from returning bare literals in raw output

  • T4910 (default): Rewrite the remote access VPN op mode in the new style

  • T4470 (feature): Rewrite load-balancing wan to XML/Python

  • T3763 (bug): wireguard checks if port already binding

  • T3489 (bug): NUMA has been disabled for the past few years and no-one has noticed

  • T3476 (feature): Update availability check

  • T2845 (bug): BGP conf_mode unable to delete configuration with peer-group

  • T2844 (bug): BGP conf_mode errors disable-send-community

  • T2755 (default): Requirements for partial interface setup

  • T2721 (enhancment): Set FQ-CoDel as the default queueing mechanism for every class in Shaper

  • T2511 (feature): Migrate vyatta-op-quagga to new XML format

  • T2302 (default): Convert configuration scripts from executables to modules and use a script runner

  • T2281 (feature): DHCP and Static IPs on Same Interface

  • T2216 (default): Containerized third-party applications for VyOS

  • T2171 (feature): Unify creation and manipulation of interfaces

  • T1759 (feature): Replacing Vyatta::Interface perl

  • T2408 (enhancment): DHCP Relay upstream and downstream interfaces

  • T1297 (feature): Add GARP settings to VRRP/keepalived


  • T5888 (bug): Firewall upgrade fails because of icmpv6

  • T5844 (bug): HTTPS API doesn't start without configured keys even when GraphQL authentication type is set to token

  • T5664 (bug): 1.4 user has no permissions?

  • T5215 (default): Add a built-in ICMP health check for VRRP groups

  • T5045 (bug): BFD is not starting after upgrade to 1.4-rolling-202302150317

  • T4193 (default): Add support for transparent firewall

  • T3754 (default): Make config scripts more testable

  • T3663 (default): Use inotify file watching where applicable

  • T3480 (bug): Does not possible to change console baud-rate

  • T2897 (default): Remove cluster command

  • T5904 (feature): op-mode: add "show ipv6 route vrf <name> <prefix>" command


  • T5891 (bug): OpenVPN IPv6 config issue with 1.4-rc1

  • T5887 (feature): Upgrade Linux Kernel to 6.6.y (2023 LTS edition)


  • T3670 (feature): Option to disable HTTP port 80 redirect


  • T3642 (feature): PKI configuration

  • T5894 (feature): Extend get_config_dict() with additional parameter with_pki that defaults to False


  • T4072 (feature): Feature Request: Firewall on bridge interfaces

  • T3459 (default): Inform the user when unable to install outdated image


  • T5880 (bug): verify_source_interface should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces

  • T5879 (bug): tunnel: sourceing from dynamic pppoe0 interface will fail on reboots

  • T4500 (bug): Missing firewall logs


  • T5885 (default): image-tools: relax restriction on image-name length from 32 to 64


  • T5883 (bug): Preserve file ownership in /config subdirs on add system image

  • T5474 (feature): Establish common file name pattern for XML conf mode commands


  • T5875 (bug): login: removing and re-adding a user keeps the home directory but UID will change, thus SSH keys no longer work

  • T5653 (feature): Command to display fingerprint


  • T5829 (bug): Can't Add IPv6 Address to Containers

  • T5852 (bug): Reboots fail with eapol WAN interface

  • T5869 (bug): vyos.template.first_host_address() does not honor RFC4291 section 2.6.1


  • T4163 (feature): [BMP-BGP]  Routing monitoring  feature

  • T5867 (feature): Upgrade podman to Debian Trixie version 4.7.x

  • T5866 (feature): Add op-mode command to restart IPv6 RA daemon

  • T5861 (bug): Flavor build system fails with third-party packages

  • T5854 (feature): Extend override-default script to allow embedded defaultValue settings

  • T5792 (default): Upgrade ddclient 3.11.2 release


  • T5855 (feature): Migrate "set service lldp snmp enable" -> `set service lldp snmp"

  • T5837 (bug): vyos.configdict.node_changed does not return keys per adding

  • T5856 (bug): SNMP service removal fails


  • T5853 (default): Typo interfaces-virtual-ethernet.xml.in


  • T5804 (bug): SNAT "any" interface error

  • T4760 (bug): VyOS does not support running multiple instances of DHCPv6 clients


  • T5778 (bug): The show dhcp server leases operation mode command does not work as expected

  • T5775 (default): Migrated Firewall Global State Policy ineffective on latest firewall zone config

  • T5637 (bug): Firewall default-action log

  • T5796 (bug): Openconnect - HTTPS  security headers are missing

  • T3580 (feature): Refactoring firewall ipv6 rule icmpv6

  • T2898 (feature): Support NDP proxy

  • T2229 (feature): PPPOE Default Queue type selection


  • T5823 (feature): Protocol BGP add default values for config dictionary

  • T5798 (enhancment): reverse-proxy load-balancing service should support multiple certificates for frontend


  • T5828 (default): Fix GRUB installation on arm64


  • T5751 (feature): Adjust new image tools for non-interactive use

  • T5831 (feature): show system image should reverse order by addition date

  • T5825 (bug): image-tools: restore authentication on 'add system image'

  • T5821 (bug): image-tools: restore vrf-aware 'add system image'

  • T5819 (bug): Don't echo password on install image

  • T5806 (bug): Clear old raid data on new install image

  • T5789 (bug): image-tools should copy ssh host keys on image update

  • T5758 (default): Restore scanning configs when live installing


  • T5824 (bug): busybox cannot connect some websites from initramfs

  • T5803 (default): git/github: Adjust configuration for safe and baseline defaults


  • T5773 (bug): Unable to load config via HTTP

  • T5816 (bug): BGP Large Community List Validation Broken

  • T5812 (bug): rollback check max revision number does not work

  • T5749 (feature): Show MAC address VRF and MTU by default for "show interfaces"

  • T5774 (bug): commit-archive to FTP server broken after update (VyOS 1.5-rolling)

  • T5826 (default): Add dmicode as an explicit dependency

  • T5793 (default): mdns-repeater: Cleanup avahi-daemon configuration in /etc


  • T591 (feature): Support SRv6


  • T4704 (feature): Allow to set metric  (MED) to rtt with rtt,+rtt or -rtt

  • T5815 (enhancment): Add load_config module

  • T5413 (default): Deny the opportunity to use one public/private key pair on both wireguard peers.


  • T5741 (bug): WAN Load Balancing failover route tables aren't created


  • T5658 (default): Add VRF support for mtr


  • T5808 (bug): op-mode: ipv6 ospfv3 graceful-restart description contains incorrect info

  • T5802 (bug): ping (ip or hostname) interface <tab> produces error

  • T5747 (feature): op-mode add MAC VRF and MTU for show interfaces summary

  • T3983 (bug): show pki certificate Doesnt show x509 certificates


  • T5782 (enhancment): Use a single config mode script for https and http-api

  • T5768 (enhancment): Remove auxiliary http-api.conf for simplification of http-api config mode script

  • T5809 (default): Enable GRUB support for gzip compressed kernels


  • T5769 (bug): VTI tunnels lose their v6 Link Local addresses when set down/up


  • T5753 (feature): Add VXLAN vnifilter support

  • T5759 (feature): Change VXLAN default MTU to 1500 bytes


  • T4601 (bug): dhcp : relay agent IP address issue.


  • T4276 (bug): IPsec peers dh-group negotiation issue with pfs enabled and multiple proposals configured with IKEv1


  • T5763 (bug): Fix imprecise check for remote file name in vyos-load-config.py

  • T5783 (feature): frr: smoketests must notice any daemon crash


  • T5760 (feature): DHCP client custom dhcp-options

  • T2405 (feature): archive to GIT or other platform


  • T5655 (bug): commit-archive: Ctrl+C should not eror out with stack trace, signal should be cought

  • T4946 (default): Rewrite "add system image" in the new op-mode

  • T4454 (default): `install-image` should check free storage


  • T5776 (feature): Enable VFIO support

  • T5402 (bug): VRRP router with rfc3768-compatibility sends multiple ARP replies

  • T3895 (default): VYOS firewall rules do not adhere to time schedule unless placed in UTC mode.


  • T4891 (bug): BFD flapping loop

  • T4867 (bug): "show bgp neighbors ... advertised-routes" and some other commands fail for IPv4 neighbors


  • T5767 (feature): Add reboot and poweroff the system via API

  • T5729 (bug): Firewall, nat and policy route - Switch to valueless

  • T5681 (feature): Interface match - Simplified and unified cli

  • T4877 (bug): Need verification in using import vrf and import vpn, export vpn commands

  • T4021 (bug): Long commit time on bridge interface with 1-4094 allowed VLAN tags

  • T5338 (feature): Add 'mpls bgp forwarding' feature

  • T3818 (bug): BGP export route-map only works after bgpd restart

  • T5590 (default): Firewall "log enable" logs every packet

  • T5426 (default): Add exceptions in vici functions calls


  • T5762 (bug): http: api: smoketests fail as they can not establish IPv6 connection to uvicorn backend server


  • T2816 (default): Rewrite IPsec scripts with the new XML/Python approach


  • T1354 (feature): Add support for VLAN-Aware bridges


  • T5726 (bug): HTTPS API image cannot be updated

  • T5738 (feature): Extend XML building blocks

  • T5736 (feature): igmp: migrate "protocols igmp" to "protocols pim"

  • T5733 (feature): pim(6): rewrite FRR PIM daemon configuration to get_config_dict() and add missing IGMP features

  • T5689 (default): FRR 9.0.1 in VyOS current segfaults on show rpki prefix $prefix

  • T5595 (feature): Multicast - PIM  bfd feature enable

  • T3638 (bug): Passwords With Dollar Sign Set Incorrectly


  • T5695 (feature): Build FRR with LUA scripts --enable-scripting option

  • T5665 (bug): radius user not working

  • T5728 (bug): Improve compatibility between OpenVPN on VyOS 1.5 and OpenVPN Connect Client

  • T5732 (bug): generate firewall rule-resequence drops geoip country-code from output

  • T5661 (enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection

  • T1276 (bug): dhcp relay + VLAN fails


  • T5698 (feature): EVPN ESI Multihoming

  • T5563 (bug): container: Container environment variable cannot be set

  • T5706 (bug): Systemd-udevd high CPU utilization for multiple dynamic ppp/l2tp/ipoe interfaces


  • T5727 (bug): validator: Use native URL validator instead of regex-based validator


  • T5720 (bug): PPPoE-server adding new interface does not work

  • T5716 (bug): PPPoE-server shaper template bug down-limiter option does not rely on fwmark

  • T5702 (feature): Add ability to set include_ifmib_iface_prefix and ifmib_max_num_ifaces  for SNMP

  • T5648 (bug): ldpd neighbour template errors

  • T5564 (bug): Both show firewall group and show firewall summary fails

  • T5559 (feature): Selective proxy-arp/proxy-ndp when doing SNAT/DNAT

  • T5541 (bug): Zone-Based Firewalling in VyOS Sagitta 1.4

  • T5513 (bug): Anomalies in show firewall command after refactoring

  • T4864 (bug): `show firewall` command errors


  • T5586 (feature): Disable by default SNMP for Keepalived VRRP


  • T5705 (bug): rsyslog - Not working when using facility=all

  • T5704 (feature): PPPoE-server add max-starting option

  • T5707 (bug): Wireguard peer public key update leaves redundant peers and breaks connectivity

  • T4269 (feature): node.def generator should automatically add default values


  • T4020 (feature): Add ability to control FRR daemons options


  • T5700 (bug): Monitoring telegraf deprecated plugins inputs outputs

  • T5018 (bug): Redirect to IFB removed after change in qos policy


  • T5701 (feature): Update telegraf package


  • T5690 (bug): Change to definition of environment variable 'vyos_rootfs_dir' is incorrect


  • T5699 (feature): vxlan: migrate "external" CLI know to "parameters external"

  • T5668 (feature): Disable VXLAN bridge learning and enable neigh_suppress when using EVPN


  • T5652 (bug): Config migrate to image upgrade does not properly generate home directory

  • T4057 (bug): Commit time for deleting sflow configuration ~1.5 min


  • T5683 (bug): reverse-proxy pki filenames mismatch

  • T4903 (bug): conntrack ignore does not suppotr IPv6 addresses

  • T4309 (feature): Support network/address-groups and  ipv6-network/ipv6-address-groups in conntrack ignore

  • T5606 (feature): IPSec VPN: Allow multiple CAs certificates

  • T5650 (default): Progressbars suffer from staircasing effect

  • T5568 (default): Install image from live ISO always defaults boot to KVM entry

  • T3509 (default): No BCP38 for IPv6 on VyOS


  • T5299 (bug): QoS shaper ceiling does not work

  • T5667 (feature): BGP label-unicast - enable ecmp

  • T5337 (bug): MPLS/BGP: Route leak does not happen from the VPNv4 table to specific vrf


  • T5254 (bug): Modification of any interface setting sets MTU back to default when MTU has been inherited from a bond

  • T5671 (feature): vxlan: change port to IANA assigned default port


  • T5670 (bug): bridge: missing member interface validator

  • T5617 (feature): Add an option to exclude single values to the numeric validator

  • T5414 (bug): dhcp-server does not allow valid bootfile-names

  • T5261 (feature): Add AWS gateway load-balanceing tunnel handler (gwlbtun)

  • T5260 (bug): Python3 module crypt is deprecated

  • T5191 (default): Replace underscores with hyphens in command-line options generated by vyos.opmode

  • T5172 (default): Set Python3 version dependency for vyos-1x to 3.10

  • T4956 (default): 'show hardware cpu' issue on arm64

  • T4837 (default): Expose "show ip route summary" in the op mode API

  • T4770 (feature): Rewrite OpenVPN op-mode to vyos.opmode format

  • T4657 (bug): op-mode scripts with type hints in `return` do not work

  • T4604 (bug): bgpd eats huge amount of memory (about 500Megs a day)

  • T4432 (default): Display load average normalized according to the number of CPU cores

  • T4416 (default): Convert 'traceroute' operation to the new syntax and expand available options using python

  • T4402 (bug): OpenVPN client-ip-pool option is broken

  • T3433 (default): A review of the use of racist language in VyOS

  • T2719 (feature): Standardized op mode script structure


  • T5233 (bug): Op-mode flow-accounting netflow with disable-imt errors

  • T5232 (bug): Flow-accounting uacctd.service cannot restart correctly


  • T4913 (default): Rewrite the wireless op mode in the new style


  • T5642 (bug): op cmd: generate tech-support archive: does not work

  • T5521 (bug): Home owner directory changed to vyos for the user after reboot


  • T5662 (bug): Fix indexing error in configdep script organization

  • T5235 (bug): SSH keys with special characters cannot be applied via Cloud-init


  • T5165 (feature): Policy local-route ability set protocol and port


  • T5629 (bug): Policy local-route bug after migration to destination node address


  • T5227 (feature): mDNS reflector should allow additional domains to browse and allow filtering services

  • T5166 (feature): Remove local minisign package from build repo for 1.4

  • T5118 (bug): Cleanup vestigial ntp completion script

  • T5115 (default): Support custom port for name servers for forwarding zones

  • T5113 (default): PDNS: Support custom port for DNS forwarders

  • T5112 (feature): Enable support for Network Time Security (NTS) for chrony

  • T5143 (enhancment): Apply constraint on powerdns forward-zones configuration


  • T5649 (bug): vyos-1x should generate XML cache after building command templates for less cryptic error on typo


  • T5489 (feature): Change to BBR as TCP congestion control, or at least make it an config option

  • T5479 (bug): Helper leftovers found in nftables (firewall) even with all helpers disabled

  • T5436 (bug): vyos-preconfig-bootup.script is missing

  • T5014 (feature): Destination NAT - Add Load Balancing capabilities


  • T5630 (feature): pppoe: allow to specify MRU in addition to already configurable MTU


  • T5096 (feature): Change 'accept' firewall rule action from 'return' to 'accept'

  • T5576 (feature): Add bgp remove-private-as all option

  • T3506 (default): Migrate loadkey command to op-mode


  • T4320 (default): Remove legacy version files in vyatta-cfg-system/cfg-version


  • T5632 (feature): Add jq package to parse JSON files

  • T3655 (bug): NAT  Problem with VRF

  • T5585 (bug): Fix file access mode for dynamic dns configuration


  • T5618 (bug): Flow-accounting crushes when IMT is enabled

  • T5561 (feature): NAT - Inbound or outbound interface should not be mandatory

  • T5553 (feature): Firewall - Add action continue

  • T5250 (bug): Firewall - show firewall group

  • T4383 (bug): Flow Accounting returns permission error and fails to start

  • T5626 (feature): Only select required Kernel CGROUP controllers

  • T5628 (feature): op-mode: login: DeprecationWarning: 'spwd'


  • T936 (feature): Reimplementation of tech-support diagnostic file generation


  • T5048 (bug): QoS doesn't work correctly root task

  • T4989 (bug): QoS Policy Limiter - classes for marked traffic do not work


  • T5596 (feature): bgp: add new features from FRR 9

  • T5412 (feature): Add support for extending config-mode dependencies in supplemental package


  • T5480 (bug): Ability to disable SNMP for VRRP keepalived service


  • T5533 (bug): Keepalived VRRP IPv6 group enters in FAULT state


  • T5511 (feature): Cleanup of unused directories (and files) in order to shrink image-size


  • T5518 (default): Add MLD protocol support


  • T5602 (feature): For reverse-proxy type of load-balancing feature, support "backup" option in backends configuration

  • T5609 (enhancment): Add util to get drive device name from id

  • T5608 (enhancment): Rewrite add/delete raid member to Python and remove from vyatta-op

  • T5607 (bug): Adjust RAID smoketest for non-deterministic SCSI device probing


  • T5588 (bug): Add kernel conntrack_bridge module

  • T5271 (default): Add support for peer-fingerprint to OpenVPN

  • T5241 (feature): Support veth interfaces to working with netns

  • T5238 (default): interface virtual-etherne - error when it doesn't use a peer

  • T5592 (feature): salt: upgrade minion to 3005.2


  • T5597 (feature): isis: add new features from FRR 9.

  • T4284 (feature): QoS: rewrite to XML and Python


  • T5419 (feature): Software/Hardware fastpath with nftables flowtable


  • T5581 (feature): Add "show ip nht" op-mode command (IPv4 nexthop tracking table)


  • T5567 (bug): vyos-1x: webproxy: maximum-object-size allowed ranges not in sync with Equuleus

  • T5551 (bug): Missing check for boot_configuration_complete raises error in vyos-save-config.py

  • T5353 (bug): config-mgmt: normalize archive updates and commit log entries

  • T3424 (default): PPPoE IA-PD doesn't work in VRF

  • T2773 (feature): EIGRP support for VRF


  • T5565 (bug): Builds as vyos-999-timestamp instead of vyos-1.4-rolling-timestamp

  • T5555 (bug): Fix timezone migrator (system 13-to-14)

  • T5529 (bug): Missing symbolic link in linux-firmware package.


  • T5540 (bug): vyos-1x: Wrong VHT configuration for WiFi 802.11ac

  • T5423 (bug): ipsec: no output for op-cmd "show vpn ike secrets"

  • T3700 (feature): Support VLAN tunnel mapping of VLAN aware bridges


  • T5502 (bug): Firewall - wrong parser for inbound and/or outbound interface

  • T5460 (feature): Firewall - remove config-trap

  • T5450 (feature): Firewall interface group - Allow inverted matcher

  • T4426 (default): Add arpwatch to the image

  • T4356 (bug): DHCP v6 client only supports single interface configuration


  • T5510 (feature): Shrink imagesize and improve read performance by changing mksquashfs syntax


  • T5542 (bug): ipoe-server: external-dhcp(dhcp-relay) not woking / not implemented

  • T5548 (bug): HAProxy renders timeouts incorrectly

  • T5544 (feature): Allow CAP_SYS_MODULE to be set on containers


  • T5524 (feature): Add config directory to liveCD

  • T5519 (bug): Function `call` sometimes hangs

  • T5508 (bug): Configuration Migration Fails to New Netfilter Firewall Syntax

  • T5495 (feature): Enable snmp module also for frr/ldpd

  • T2958 (bug): DHCP server doesn't work from a live CD

  • T5428 (bug): dhcp: client renewal fails when running inside VRF


  • T5536 (bug): show dhcp client leases caues No module named 'vyos.validate'

  • T5506 (bug): Container bridge interfaces do not have a link-local address


  • T5538 (bug): Change order within variable lb_config_tmpl to fit order of manpage and fix some typos

  • T4612 (feature): Support arbitrary netmasks in firewall rules


  • T5190 (feature): Cloud-Init cannot fetch Meta-data on machines where the main Ethernet interface is not eth0

  • T4895 (bug): Tag nodes are overwritten when configured by Cloud-Init from User-Data

  • T4776 (bug): NVME storage is not detected properly during installation

  • T5531 (feature): Containers add label option

  • T5525 (default): Change dev.packages.vyos.net repo to rolling-packages.vyos.net vyos-build:current uses


  • T4933 (default): Malformed lines cause vyos.util.colon_separated_to_dict fail with a nondescript error

  • T4790 (bug): RADIUS login does not work if sum of timeouts more than 50s

  • T4113 (bug): Incorrect GRUB configuration parsing

  • T5520 (bug): Likely source of corruption on system update exposed by change in coreutils for Bookworm

  • T4151 (feature): IPV6 local PBR Support

  • T4485 (default): OpenVPN: Allow multiple CAs certificates


  • T3940 (bug): DHCP client does not remove IP address when stopped by the 02-vyos-stopdhclient hook

  • T3713 (default): Create a meta-package for user utilities

  • T3339 (bug): Cloud-Init domain search setting not applied

  • T3577 (bug): Generating vpn x509 key pair fails with command not found


  • T4745 (bug): CLI TAB issue with values with '-' at the beginning in conf mode

  • T5472 (bug): NAT redirect should not require port


  • T4759 (bug): domain-group on policy route not working

  • T1097 (feature): Make firewall groups work everywhere that's appropropriate


  • T5039 (bug): Can't add new local user

  • T5023 (bug): PKI commit fails to update dependents

  • T4512 (feature): enable-default-log on zone-policy

  • T5003 (default): Upgrade base system to Debian 12 "Bookworm"


  • T5468 (feature): Remove unused manpages to free up space

  • T5463 (feature): Containers allow publish  IPv6  address port

  • T4412 (bug): commit archive: reboot not working with sftp

  • T3702 (feature): Policy: Allow routing by fwmark

  • T3536 (default): Unable to list all available routes


  • T5448 (feature): Add service zabbix-agent

  • T5006 (bug): Http api segfault with concurrent requests

  • T5505 (feature): system: zebra route-map is not removed from FRR

  • T5305 (bug): REST API configure operation should not be defined as async

  • T4292 (feature): Rewrite vyatta-save-config.pl to Python


  • T5478 (bug): Cannot configure resolver-cache options for firewall

  • T5466 (feature): L3VPN - label allocation mode

  • T5453 (bug): Fix nat66 - broken after load-balance was introduced in nat

  • T5446 (bug): bgp: validity check for bestpath med option

  • T5500 (feature): Minor fixes to configtree render

  • T5469 (default): Incorrect dependency set in the openvpn-dco package when building VyOS for arm64

  • T5387 (feature): dhcp6c: add a no release option

  • T5491 (feature): Hostapd - AP-Mode - allow white-/blacklisting of Clients

  • T4889 (default): Add nftables NAT REDIRECT [to localhost] to CLI


  • T5407 (bug): Static routes pointed to container networks fail to persist after reboot


  • T5470 (bug): wlan: can not disable interface if SSID is not configured


  • T5488 (bug): System conntrack ignore does not take any effect


  • T4202 (bug): NFT: Zone policies fail to apply when "l2tp+" is in the interface list

  • T5409 (feature): Add 'set interfaces wireguard wgX threaded'

  • T5476 (feature): netplug: replace Perl helper scripts with a Python equivalent

  • T5223 (bug): tunnel key doesn't clear

  • T5490 (feature): login: add missing regex for home direcotry and radius server key


  • T5483 (bug): Residual dhcp-server test file causing zabbix-agent smoketest to fail


  • T5293 (feature): Support for Floating Rules (Global Firewall-Rules that are automatically applied before all other Zone Rules)

  • T5273 (default): Add op mode commands for displaying certificate details and fingerprints

  • T5270 (default): Make OpenVPN `tls dh-params` optional


  • T5477 (bug): op-mode pki.py should use Config for defaults

  • T5461 (feature): Improve rootfs directory variable

  • T5457 (feature): Add environmental variable pointing to current rootfs directory

  • T5440 (bug): Restore pre/postconfig scripts if user deleted them


  • T5467 (bug): ospf(v3): removing an interface from the OSPF process does not clear FRR configuration


  • T5465 (feature): adjust-mss: config migration fails if applied to a VLAN or Q-in-Q interface

  • T2665 (bug): vyos.xml.defaults for tag nodes

  • T5434 (enhancment): Replace remaining calls of vyos.xml library

  • T5319 (enhancment): Remove remaining workarounds for incorrect defaults

  • T5464 (feature): ipv6: add support for per-interface dad (duplicate address detection) setting


  • T5416 (bug): Ignoring "ipsec match-none" for firewall

  • T5329 (bug): Wireguard interface as GRE tunnel source causes configuration error on boot


  • T5452 (bug): Uncaught error in generate_cache during vyos-1x build

  • T5443 (enhancment): Add merge_defaults as Config method

  • T5435 (enhancment): Expose utility function for default values at path


  • T5406 (bug): "update webproxy blacklists" fails when vrf is being configured

  • T5302 (bug): QoS class with multiple matches generates one filter rule but expects several rules

  • T5266 (bug): QoS- HTB error when match with  a dscp parameter for queue-type 'priority'

  • T5071 (bug): QOS-Rewrite: DSCP match missing


  • T5420 (feature): nftables - upgrade to latest 1.0.8

  • T5445 (feature): dyndns: add possibility to specify update interval (timeout)


  • T5291 (bug): vyatta-cfg-cmd-wrapper missing ${vyos_libexec_dir} variable

  • T5290 (bug): Failing commits for SR-IOV interfaces using ixgbevf driver due to change speed/duplex settings

  • T5439 (bug): Upgrade to FRR version 9.0 added new daemons which must be adjusted


  • T5427 (bug): Change migration script len arguments checking


  • T5301 (bug): NTP: chrony only allows one bind address

  • T5154 (bug): Chrony - multiple listen addresses


  • T5374 (feature): Ability to set 24-hour time format

  • T5350 (bug): Confusing warning message when committing VRRP config

  • T5430 (bug): bridge: vxlan interfaces are not listed as bridgable in completion helpers

  • T5429 (bug): vxlan: source-interface is not honored and throws config error

  • T5415 (feature): Upgrade FRR to version 9.0

  • T5422 (feature): Support LXD Agent


  • T5399 (bug): "show ntp" fails when vrf is being configured

  • T5346 (bug): MPLS sysctl not persistent for L2TP interfaces

  • T5343 (feature): BGP peer group VPNv4 & VPNv6 Address Family Support

  • T5339 (feature): Geneve interface - option to use IPv4 as inner protocol

  • T5335 (bug): ISIS: error when loading config from file


  • T5421 (feature): Add arg to completion helper 'list_interfaces' to filter out vlan subinterfaces


  • T5403 (feature): Add support for extending xml cache


  • T4602 (bug): DHCP `ping-check` enabled by default

  • T5411 (feature): Remove old background monitoring implementation

  • T5317 (enhancment): configtree: remove mutable references

  • T5316 (enhancment): configtree: use a single pass of the diff algorithm


  • T5368 (feature): FastNetmon service ids ddos-protection add support sflow mode


  • T5398 (bug): FRR mangles container network interface names

  • T5365 (bug): Container systemd units require authentication

  • T4974 (feature): OpenVPN- Data Channel Offload(DCO)


  • T5377 (feature): ospf: add graceful restart FRR feature (RFC 3623)


  • T5373 (bug): LLDP seems to be running even if its disabled on all interfaces

  • T5328 (default): bgp: Incorrect warning showed for address-family configured with neighbor as interface

  • T5363 (bug): Bash history file does not exists after reboot and ony other file in home directory

  • T5385 (bug): reference_tree: catch parse error on non-transcluded files

  • T5361 (bug): "monitor log" behaves like "show log"


  • T5362 (bug): `set high-availability vrrp global-parameters version 3` seems to have no effect

  • T5355 (bug): IPSec: OP cmd : "show vpn ike sa" does not show output

  • T5330 (enhancment): Keep track of source of config dict value when merging defaults

  • T4497 (feature): ping cannot force ipv4 or ipv6

  • T4288 (bug): IPsec tunnel will break when ESP timeout


  • T5340 (bug): SNMP and VRF

  • T5059 (feature): add 'disable' option to DHCP relay config


  • T2051 (bug): Throughput anomalies


  • T141 (feature): TACACS+ Support


  • T5341 (feature): Improve CLI for high-availability virtual-server to work with multiple ports


  • T5358 (bug): 99-ipsec-dhclient-hook prevents DHCP stateless routes from being installed in VRF table

  • T4376 (bug): DNAT with multiwan and policy routing, incoming connections only work on primary interface

  • T305 (default): loadbalancing does not work with one pppoe connection and another connection of either dhcp or static


  • T4713 (bug): vyos@vyos:~$ show nat destination rules | doesn't work

  • T2315 (feature): Ability to have right address-family for BGP peers.


  • T5347 (bug): Compare commit revision bug

  • T5161 (default): BFD Static Route Monitoring

  • T5105 (bug): DHCP Server - Wrong error message

  • T4927 (bug): Need to change restart to reload-or-restart in Webproxy module

  • T3835 (bug): vyos router 1.2.7 snmp Dos bug

  • T5352 (default): Fix missing dependency for netavark

  • T4959 (feature): Add container registry authentication config for containers


  • T5314 (bug): QOS Default classes are not configured with correct qdisc

  • T4862 (bug): webproxy domain-block does not work

  • T4844 (bug): Incorrect permissions of the safeguard DB directory

  • T4815 (bug): Fix various name server config issues

  • T4810 (bug): Op-mode show/monitor log pppoe interface does not show any logs

  • T4758 (feature): Rewrite show dhcp server to vyos.opmode format

  • T4262 (bug): install image doesn't respect chosen root partition size

  • T3810 (bug): webproxy squidguard rules don't work properly after rewriting to python.

  • T1928 (bug): Is the 'Welcome to VyOS' message when using SSH an information leak?

  • T1877 (default): Feature Request: Allow NAT to use network and address groups

  • T4813 (feature): L3VPN over GRE Tunnels

  • T4943 (bug): Radius SSH login displays "permission denied" on 1.4 rolling release

  • T4542 (default): route-map: "match prefix-len" incorrect behavior

  • T4392 (default): Multiline login banner text reports error on commit


  • T5345 (bug): Error incorrectly raised in revised multi_to_list when tag node value name == tag node name

  • T3578 (bug): Prefix-List(6) update cause empty prefix-list(6)

  • T762 (feature): Include rulseset in firewall


  • T5336 (feature): Add Swedish keyboard-layout


  • T5333 (bug): Policy base routing PBR generetes incorrect rules with name POSTROUTING

  • T5081 (feature): ISIS and OSPF syncronization with IGP-LDP sync


  • T5295 (bug): QoS shaper incorrect rate limit the traffic

  • T5334 (feature): ospf: add support for External Route Summarisation Type-5 and Type-7


  • T5332 (bug): Show policy route not working when no interface is configured


  • T5304 (feature): Containers add bind-propagation option rshared

  • T5296 (bug): QoS class cannot calculate correctly the default bandwidth auto

  • T5210 (bug): IPSec cosmetic bug for Warning vti inrerface

  • T5277 (bug): Dhcpv6-relay does not start on boot


  • T5315 (feature): vrrp: add support for version 3

  • T5283 (bug): IPoE server assigns network address

  • T5313 (bug): UDP broadcast relay - missing verify() that relay interfaces have an IP address assigned


  • T5320 (enhancment): Add warning when entering config mode after a boot configuration error


  • T1237 (feature): Static Route Path Monitoring, failover


  • T5159 (bug): DHCPv6-server leases op-command shows warning message even if configured


  • T5240 (bug): Service router-advert failed to start radvd with more then 3 name-servers

  • T5312 (bug): Nonescaped special character in help text


  • T5303 (bug): Rsyslog.service is not working

  • T5298 (bug): Add RFKILL support into kernel.

  • T5308 (enhancment): Remove workarounds for incorrect defaults in get_interface_dict

  • T5228 (enhancment): Simplify get_config_dict and add argument with_defaults

  • T5310 (bug): Need some help troubleshooting NIC detection.


  • T5297 (default): Utility function to check if config under node has been changed between revisions


  • T5300 (bug): verification of port availability can return false negative on boot

  • T5248 (feature): Ability to load config via API in JSON format


  • T5281 (feature): Add kernel options for vhost-net

  • T5072 (default): QOS-Rewrite: protocol name used literally

  • T4969 (bug): QoS Policy - Unable to set class match mark number


  • T5256 (bug): QoS expects protocol number but not protocol name


  • T5258 (bug): git Actions use ubuntu-22.04 instead of deprecated ubuntu-18.04 for PR conflicts checker

  • T5222 (feature): Add load-balancing reverse-proxy based on haproxy

  • T5213 (feature): Accel-ppp sending accounting interim updates acct-interim-interval option

  • T5171 (feature): Use XML for conf-mode "load-balancing wan" instead of legacy templates


  • T5282 (bug): Poweroff now does not work

  • T5264 (feature): Add Mellanox Technologies firmware flash module mlxfw to kernel

  • T5286 (feature): Remove XDP support


  • T5231 (feature): Add op-mode for load-balancing reverse-proxy


  • T5253 (bug): MPLS config removed at boot when wireguard interfaces present


  • T5259 (bug): Openconnect cannot pass migration 1-to-2


  • T5252 (bug): Route distinguisher and route targets changing upon adding interface to new VRF

  • T5251 (bug): Uncaught errors for functions delete/delete_value in Python module configtree.py


  • T5127 (bug): VPNv4/VPNv6 routes are not reinstalled following link flap


  • T5244 (feature): dropbear: update to 2022.83

  • T5242 (feature): interfaces: smoketest: automatically detect "capabilities"

  • T5234 (feature): Add bash identifier for given VRF instance


  • T5237 (feature): interfaces virtual-ethernet  - Extend capabilitys of Vlans/QinQ

  • T4686 (feature): Provides support for veth


  • T4605 (feature): Firewall change default table names

  • T4550 (feature): router-advert: Add deprecate-prefix & decrement-lifetimes options


  • T4916 (feature): Rewrite IPsec authentication


  • T5214 (bug): PPPoE-server incorrect warning if a named pool is defined

  • T4977 (feature): Babel routing protocol support


  • T4733 (default): Feature Request: dhcp server: add VRF support

  • T5218 (enhancment): Revise vyos xml lib for bug fixes and extensions


  • T5226 (default): Deduplicate and standardize validators and constraints for hostname and IP address

  • T5225 (bug): BGP allowas-in unusable

  • T5208 (bug): Failed to start nvmf-autoconnect.service during the boot


  • T5194 (default): Add reference tree to vyos1x-config


  • T3896 (feature): Extend ocserv support to allow for per-group configs


  • T2778 (feature): Migrate "system syslog" to get_config_dict() to support new features

  • T2769 (feature): Add VRF support for syslog


  • T5209 (bug): dhclient load-balancing exit hook 04-dhcp-wanlb returned non-zero exit status

  • T5065 (bug): Mixing `destination port xxx` and `destination group port-group yyy` in firewall rules doesn't work, but can be commited

  • T5060 (feature): add a VRRP 'maintenance mode'


  • T5202 (bug): After removal load-balancing a pid remained which used in dhclient-exit-hooks


  • T5206 (bug): ethtool.py:Ethtool.__init__ has always true conditional due to typo


  • T5082 (feature): container: switch to netavark network stack


  • T5193 (feature): Ability to specify NS records to specify NS servers for subdomains

  • T3891 (bug): X550-T2/Possibly other X550/X540 cards no link on VyOS

  • T5010 (bug): bgp: EVPN route-target not honored

  • T5196 (feature): wwan: op-mode should inform user if there is no WWAN interface


  • T5163 (feature): Policy route-map add match source-protocol


  • T5042 (bug): Command 'show vpn ipsec remote-access' does not work


  • T5185 (bug): Static IPv6 route with blackhole fails

  • T5175 (bug): http-api: error in MultiPart parser for FastAPI version >= 0.91.0

  • T5183 (bug): IPv6 route6 problem

  • T5181 (bug): Wrong dependencies or priorities for zebra vni vrf interfaces and bgpd

  • T5128 (feature): Policy route - Allow wildcard interfaces

  • T5055 (feature): Firewall - Add packet type matcher (pkttype)

  • T5050 (feature): Firewall - Add options for logging packets

  • T5037 (feature): Firewall - Add queue action

  • T5176 (bug): http-api: update vyos-http-api-tools for FastAPI security vulnerability

  • T5174 (bug): vrf: ensure no duplicate VNIs can be created

  • T5123 (default): Display route originator in show ospf table command


  • T5179 (bug): multi nodes defined in XML are not properly represented as list in get_config_dict()


  • T5052 (bug): Error displaying dhcpv6 prefix delegation leases

  • T5150 (feature): Rework CLI definitions to apply route-maps between routing daemons and zebra/kernel

  • T3734 (bug): Move EVPN VRF up in FRR config


  • T5152 (bug): Telegraf agent hostname isn't qualified

  • T4727 (feature): Add RADIUS rate limit support to PPTP server

  • T4939 (bug): VRRP command  no-preempt not work as expected

  • T4791 (default): Consistent normalization of 'raw' output of op-mode scripts for CLI and API

  • T3608 (default): Standardize warnings from configure scripts


  • T4924 (bug): Systemctl strongswan.service for some reason is not disabled

  • T4197 (bug): Vyos arm64-latest build issue with telegraf pkg

  • T4051 (bug): Connected routes strange / not working


  • T5151 (bug): EAP-TLS TLSv1.0/1.1 regression after T5003

  • T5148 (bug): OpenVPN cannot start due to could not load plugin shared object /openvpn-otp.so

  • T5110 (bug): Show frr op-mode vtysh_pam: Failed in account validation

  • T5078 (feature): VyOS BGP does not support 'show bgp neighbors $NB filtered-routes'

  • T5070 (feature): show bgp nexthop unavailable in VRF

  • T5061 (bug): All containers restart on config change


  • T5149 (bug): op-mode openvpn should not raise error in case interface is disabled


  • T5147 (bug): Can't Commit with Container Network

  • T5142 (feature): One of the requirements is to use a system auditing tool to monitor and log all security-relevant events.

  • T5125 (feature): Add op-mode commands for hsflowd based sflow


  • T5145 (feature): Add maxsyslogins  maximum number of all logins on system

  • T5135 (default): Rewrite opennhrp script using vyos.ipsec library

  • T4975 (bug): CLI does not work after cutting off the power or reset

  • T5136 (bug): Possible config corruption on upgrade


  • T5141 (feature): Add numbers for dhclient-exit-hooks.d to enforce script order execution

  • T5093 (bug): Command 'reset vpn ipsec-profile' doesn't work

  • T4362 (bug): Wan Load Balancing - Can't create routing tables


  • T5139 (feature): IKE life-time should start from 0 for disable rekey

  • T4173 (bug): Wan Load Balancing - Error on firewall NAT rules


  • T5134 (feature): Try if netavark networks can be moved to a VRF instance


  • T5047 (bug): Recreate only a specific container

  • T5132 (default): Operational command "show isis vrf  XXX route | neighbord" aren't working


  • T5129 (feature): Add AWS build flavour

  • T5126 (feature): http-api: add 'allow-client' to restrict IP address of client connections


  • T5130 (bug): op-mode: drop remaining reference to obsoleted 'show_interfaces.py'

  • T4866 (feature): Rewrite show_interfaces to standardized form

  • T366 (bug): SNMP Query for BGP Tunnels Returns IPv4 Tunnels Only


  • T5100 (feature): Update FRR to 8.5

  • T5094 (bug): FRR systemd logs unknow key LimitNOFILESoft

  • T5085 (bug): ospfv3 route-map not applied in FRR configuration

  • T5056 (bug): IPoE server vlan-mon is not working

  • T5033 (bug): generate-public-key command fails for address with multiple public keys like GitHub

  • T4876 (bug): mpls - LSP broken on FRR 8.4.1

  • T5097 (bug): the operational command "show interfaces ethernet ethx" doesn't reflect a call to 'clear counters'

  • T5089 (enhancment): Add unit test of config_diff

  • T5088 (enhancment): Add lexicographical-numeric compare function for vytree/configtree

  • T5087 (enhancment): Add support for lexical ordering of nodes in config_tree

  • T4885 (feature): Rewrite 'clear interfaces counters' from Perl to Python

  • T4846 (bug): L3VPN- network command doesn't install direct connected  prefix


  • T5043 (feature): Need to create reset command for IKEv2 remote-access vpn connections


  • T5099 (feature): IPoE server add option 'next-pool' for named ip pools

  • T5106 (feature): Extend generation of API client requests to configsession native functions and composite requests

  • T5104 (bug): DHCP default route issues with static routes in VRFs

  • T5079 (feature): xml: schema extension to support defaultValues on tagNodes

  • T5114 (feature): bgp: implement new CLI commands introduced in FRR 8.5


  • T5108 (feature): Get rate limit for L2TP/PPTP/SSTP/IPoE in raw format

  • T5086 (feature): Integrate hsflowd for sflow accounting

  • T5107 (bug): Raise error in op-mode dns.py instead of calling exit


  • T5068 (feature): Generate op-mode API client requests along with schema generation


  • T5098 (feature): PPPoE client holdoff configuration

  • T3694 (bug): Static routes not installed into kernel nor frr

  • T5102 (feature): ospf: "redistribute babel" is always set


  • T5057 (bug): IPoE server incorrect interface regex

  • T5095 (feature): Return list instead of dict for 'raw' output of op-mode openvpn


  • T4925 (feature): Need to add the possibility to configure Pseudo-Random Functions (PRF) in IKEv2


  • T5092 (bug): IPoE-server named pool must not rely on the authentication type

  • T5091 (bug): IPoE server with RADIUS authentication does not verify radius configuration


  • T5073 (bug): IPoE-server interface option failed to parse

  • T5063 (bug): IPoE-server ethX vlan must not be used with client-subnet

  • T5058 (feature): Extend template filter range_to_regex

  • T3083 (feature): Add feature event-handler

  • T2516 (bug): vyos-container: cannot configure ethernet interface


  • T5074 (bug): Show IPSEC SA failed if remote access IKEv2 vpn is used.

  • T4973 (bug): show dhcp server leases error for lease time 4294967295


  • T5076 (feature): CI/CD: Docker container is bloated by legacy and conflicting dependencies


  • T5066 (bug): Different GRE tunnel but same tunnel keys error

  • T4952 (feature): Improve interface completion helper CLI experience


  • T4381 (default): OpenVPN: Add "Tunnel IP" column in "show openvpn server" operational command

  • T4872 (bug): Op-mode show openvpn misses a case when parsing for tunnel IP


  • T2838 (bug): Ethernet device names changing, multiple hw-id being added

  • T5051 (feature): Use Literal types to provide op-mode CLI choices and API enums

  • T4900 (default): Cache intermediary results of get_config_diff in Config instance


  • T5040 (default): Generate API GraphQL schema on installation, rather than dynamically


  • T4625 (enhancment): Update ocserv to current revision (1.1.6)


  • T4967 (feature): Ability to set hostname for the container


  • T5015 (bug): Invalid format character error at hfsc class settings help text


  • T5029 (feature): Nginx change default root directory and fix regex

  • T5025 (bug): Time-zone validation failed

  • T4955 (bug): Openconnect radiusclient.conf generating with extra authserver

  • T4843 (feature): Command-line arguments in container config

  • T4219 (feature): support incoming-interface (iif) in local PBR

  • T3903 (bug): Containers: after command "reboot" the host system will reboot after 1.5 minutes


  • T5028 (feature): Add package exfatprogs to VyOS

  • T4985 (bug): reset vpn ipsec-peer command with peer name does not work


  • T4979 (feature): Add API request 'show_user_info' for UI


  • T5008 (bug): MACsec CKN of 32 chars is not allowed in CLI, but works fine

  • T5007 (bug): Interface multicast setting is invalid

  • T5027 (bug): OpenVPN options and site-to-site cannot pass smoketest

  • T4978 (bug): KeyError: 'memory' container_config['memory'] on upgrading to 1.4-rolling-202302041536

  • T5034 (bug): Migrate multicast CLI node to valueLess

  • T4948 (feature): pppoe: add CLI option to allow definition of host-uniq flag


  • T5030 (bug): HTTPS-API delete key without id error


  • T5013 (feature): Extend accelppp.py op-mode to get subnet start stop info from config

  • T5002 (feature): Add uk (United Kingdom) keymap


  • T5024 (bug): check-qemu-install VM is not shutdown the first time

  • T5011 (bug): Some interface drivers don't support min_mtu and max_mtu and verify_mtu check should be skipped


  • T5021 (bug): IPsec SA is closed before negotiating a new one or it is negotiated on every second if big life-time is set in swanctl.conf

  • T5020 (feature): Extend openvpn.py op-mode to get a list of configured clients


  • T5005 (feature): Skip user authentication for PPPoE Server with noauth option


  • T4971 (feature): Radius attribute "Framed-Pool" for PPPoE


  • T4991 (bug): Restore path level information to compare output


  • T4968 (bug): VPN IPsec check dpd and close action for empty values

  • T1993 (feature): Extended pppoe rate-limiter


  • T4905 (feature): Convert show nhrp tunnel to tabulate format

  • T4153 (bug): Monitor bandwidth-test initiate not working


  • T4998 (bug): pppoe username validation too restrictive (regression)


  • T2603 (feature): pppoe-server: reduce min MTU


  • T4857 (feature): SNMP - Implement FRR SNMP recommendations

  • T4995 (feature): pppoe, wwan and sstp-client - rename user -> username on authentication


  • T4980 (bug): chrony not listening as a server

  • T4868 (bug): L2TP  ppp-options ipv6 does not work without ipv6 pool but should

  • T4117 (bug): Does not possible to configure PoD/CoA for L2TP vpn


  • T4970 (default): pin OCaml pcre package to avoid JIT support


  • T4964 (bug): FRR bgp address-family l2vpn-evpn route-target export/import not working

  • T4780 (feature): Firewall - Add interface group

  • T4157 (default): Add jinja2 to pip test requirements


  • T4958 (feature): Add OpenConnect RADIUS Accounting support

  • T4954 (bug): DNS cannot be configured via Network-Config v1 received from ConfigDrive / Cloud-Init

  • T4118 (default): IPsec syntax overhaul


  • T4965 (default): empty description in firewall group causes configuration error on migration


  • T4961 (bug): Uncaught configtree error allows ntp migration 1-to-2 to fail silentlly on config.boot.default


  • T4960 (bug): Bugs in `cc_vyos.py` code (Cloud-Init)


  • T4886 (feature): Firewall and Policy - Add connection mark

  • T4957 (bug): config-mgmt should not attempt to archive config at boot

  • T4962 (bug): Fix typo in regex in vyos.config_mgmt compare function

  • T4912 (default): Rewrite the IGMP op mode in the new style


  • T4941 (bug): Accel-ppp IPoE incompatibility with kernel 6.1


  • T4947 (feature): Support mounting container volumes as ro or rw


  • T4798 (default): Migrate the file-exists validator away from Python

  • T4683 (enhancment): Add kitty-terminfo package to build

  • T4953 (bug): Remove convert_kwargs_to_snake_case decorator in dynamic generation of GraphQL resolvers

  • T4875 (default): Replace Python validator 'interface-name' to avoid Python startup cost

  • T4664 (bug): Add validation to reject whitespace in tag node value names


  • T4906 (bug): ipsec connections shows only one connection as up


  • T4799 (bug): PowerDNS >= 4.7 does not get reloaded by vyos-hostsd

  • T4878 (bug): Any interface bonding changes cause interface flapping

  • T4387 (default): Create additional smoketests for multiwan PBR & load-balanced configurations


  • T4551 (bug): IPsec rekeying collisions bug

  • T4942 (feature): Rewrite vyatta-config-mgmt to Python/XML


  • T4938 (bug): Interface input ifb does not work

  • T4902 (bug): snmpd: exclude container storage from monitoring

  • T4140 (bug): Lack of SNMP IANA mibs


  • T4832 (feature): dhcp: Add IPv6-only dhcp option support (RFC 8925)

  • T4937 (feature): ocserv: upgrade package to version 1.1.6

  • T4918 (bug): Odd show interface behavior

  • T3008 (feature): Migrate from ntpd to chronyd


  • T4911 (default): Rewrite the LLDP op mode in the new format

  • T4928 (feature): Upgrade Linux Kernel to 6.1.y (2022 LTS edition)


  • T4934 (bug): ospf: Fix inter-area route summarization

  • T4929 (feature): Update Intel QAT drivers to 4.20.0-00001


  • T4880 (feature): Expose 'add/delete container image' in HTTP-API


  • T4922 (feature): Add ssh-client source-interface CLI option

  • T4524 (bug): Squid webproxy not working properly


  • T4920 (bug): ospf: Fix `passive-interface default` option


  • T4884 (bug): Missing a community6 in snmpd config


  • T4904 (feature): Allow multiple ports for high-availability virtual-server

  • T4789 (feature): Ability to get L2TP/PPTP/SSTP sessions info in a machine readable format

  • T3937 (default): Rewrite "show system memory" in Python to make it usable as a library function


  • T4848 (bug): Minor bug in OpenConnect server with default route

  • T4656 (feature): Support the listen-host config field of openconnect server


  • T4907 (bug): nat source translations couldn't show metrics


  • T4893 (feature): l2tp add ppp-options IPv6 interface identifier

  • T4717 (feature): Connect to console server by name

  • T725 (feature): Cake and FQ-PIE


  • T4898 (feature): Add mtu config option for dummy interfaces


  • T4834 (bug): Limit container network name to 15 characters

  • T4901 (bug): Update Podman to v4.3.1

  • T4899 (bug): Podman systemd services not being installed correctly


  • T4593 (feature): Upgrade strongswan to 5.9.8


  • T4511 (bug): IPv6 DNS lookup

  • T4809 (feature): radvd: Allow use of AdvRASrcAddress


  • T3579 (feature): Rewrite vyatta-conntrack in new XML and Python flavour


  • T4890 (bug): show conntrack table ipv4 fail

  • T4879 (bug): IPSec migration failed with missing remote-id

  • T4870 (feature): Containers switch to using overlay driver for podman storage


  • T4792 (feature): Add SSTP VPN client


  • T4887 (bug): Schema generation from op-mode functions should set default 'false' on boolean arguments


  • T4882 (bug): Missing ICMPv6 type names in firewall configuration


  • T4671 (bug): linux-firmware package is missing symlinks defined in WHENCE file


  • T4881 (bug): Return opmode.Error on openconnect.py show_sessions


  • T4861 (feature): Openconnect restart on adding users - Aborts all active connections


  • T4865 (bug): container impossible to generate local image from a file if it requires install some pkgs


  • T4860 (bug): Openconnect server incorrect unconfigured check

  • T4804 (bug): PPPoE server incorrect unconfigured check

  • T4854 (feature): BGP-route reflector allows to apply route-maps


  • T4825 (feature): interfaces veth/veth-pairs -standalone used

  • T4805 (bug): PPPoE server does not restart service if pool was changed


  • T4830 (bug): nat66 - Error in port translation rules

  • T4859 (bug): Correct calling of config mode script dependencies from http-api.py

  • T4820 (enhancment): Support for inter-config-mode script dependencies

  • T4858 (bug): L3VPN- Route Distinguisher notations

  • T1024 (feature): Policy Based Routing by DSCP


  • T4841 (feature): add fan control

  • T4847 (bug): Correct calling of config mode script dependencies from pki.py


  • T4842 (bug): Routing config broken if mpls config exists

  • T4845 (default): Add smoketest to detect cycles in config-mode script dependency calls


  • T4739 (feature): ISIS and OSPF segment routing being refactored


  • T4794 (bug): show firewall name <name> - Can't use .items() on a list

  • T4714 (feature): Delete unused ipset from the filecaps

  • T3541 (bug): Route Map large community set additive is missing


  • T4836 (feature): Kernel: enable new features like switchdev, ESP in TCP and HSR

  • T4835 (bug): SNMPD configuration incorrect for IPv6

  • T4819 (feature): Allow printing Warning messages in multiple lines with \n

  • T4807 (feature): Need to fix traceroute help completion

  • T4660 (feature): Reorganize route map set community CLI

  • T4526 (bug): keepalived-fifo.py unable to load config

  • T4793 (feature): Create warning message about disable-route-autoinstall when ipsec vti is used

  • T4492 (bug): Incorrect list of neighbors in help for "show bgp vrf VRF neighbors"

  • T4496 (feature): ping vrf help does not list VRFs


  • T4823 (bug): swanctl.conf is broken when ipsec site-to-site peer set.

  • T4706 (bug): NAT and NAT66 issues

  • T4670 (feature): policy route - Update matching criteria


  • T4812 (feature): IPsec ability to show all configured connections

  • T4829 (default): Tunnel argument to 'reset_peer' in ipsec.py should have type hint Optional


  • T4827 (bug): route-map issues , not load configuration FRR


  • T4826 (bug): Wrong key type is used for SSH SK public keys

  • T4720 (feature): Ability to configure SSH HostKeyAlgorithms

  • T4828 (default): Raise appropriate op-mode errors in ipsec.py 'reset_peer'


  • T4821 (bug): Correct calling of config mode script dependencies from firewall.py


  • T4750 (feature): Support of higher level SSH keys (sk-ssh-ed25519)


  • T4808 (feature): Add details of configtree operations to migration log


  • T4814 (bug): Regression in bundled powerdns version


  • T4800 (bug): undefined var includes_chroot_dir in build-vyos-image


  • T4771 (feature): Rewrite protocol BGP op-mode to vyos.opmode format

  • T4806 (default): Update FRR to 8.4 in 1.4 version


  • T4803 (bug): The header 'Authorization' needs to be explictly allowed in http-api CORS middleware


  • T4802 (feature): Ability to define per container shared-memory size


  • T4764 (bug): NAT tables vyos_nat  and vyos_static_nat not deleting after deleting nat

  • T4177 (bug): Strip-private doesn't work for service monitoring


  • T4786 (feature): Add package python3-pyhumps

  • T1875 (feature): Add the ability to use network address as BGP neighbor (bgp listen range)

  • T4785 (feature): snmp: Allow !, @, * and # in community name

  • T4787 (feature): ipsec: add support for road-warrior/remote-access RADIUS timeout


  • T4783 (default): Add support for stunnel

  • T4784 (feature): Add description node for static route/route6 tagNodes


  • T4291 (default): Consolidate component version read/write functions


  • T4763 (feature): Change XML for Show nat destination statistics

  • T4762 (bug): Show nat rules with empty rules incorrect error

  • T4778 (bug): Raise error UnconfiguredSubsystem if op-mode ipsec.py fails initialization


  • T4773 (default): Add camel_case to snake_case conversion utility


  • T4574 (default): Add token based authentication to GraphQL API


  • T4772 (default): Return list of dicts in 'raw' output of route.py instead of dict with redundant information


  • T3723 (bug): op-mode IPSec show vpn ipsec sa output with underscores


  • T4768 (default): Change name of api child node from 'gql' to 'graphql'


  • T4684 (feature): Rewrite show ip route by protocol to vyos.opmode format

  • T4533 (bug): Radius clients don’t  have simple permissions

  • T4753 (enhancment): Extend automatic generation of schema to query SystemStatus


  • T4725 (bug): Unable to reset vpn IPsec peer


  • T4672 (bug): RADIUS server disable does not work

  • T4749 (enhancment): Use config_dict for conf_mode http-api.py


  • T4746 (bug): Monitoring nft. table vyos_filter by default does not exist but telegraf checks this table

  • T4744 (bug): BGP directly connected neighbors don't compatible with ebgp-multihop

  • T4716 (feature): SSH ability to configure RekeyLimit

  • T4343 (default): Expose powerdns network-timeout for service dns forwarding

  • T4312 (bug): Telegraf configuration doesn't accept IPs for URL

  • T4274 (default): Extend OpenConnect RADIUS Timeout to Permit 2FA Entry


  • T4747 (bug): Monitoring influxdb template input exec plugin does not work

  • T4740 (bug): Show conntrack table ipv6 fail

  • T4730 (bug): Conntrack-sync error - listen-address is not the correct type in config as it should be


  • T4742 (bug): Autocomplete in policy route rule x set table / does not show the tables created in the static protocols

  • T4741 (bug): set firewall zone Local local-zone failed

  • T4680 (bug): Telegraf prometheus-client listen-address invalid format


  • T538 (feature): Support for network mapping in NAT


  • T4738 (enhancment): Extend automatic generation of schema definition files to native configsession functions; use single resolver/directive


  • T4707 (feature): Enable OSPF segment routing


  • T4736 (bug): Error on JSON output of API query ShowConfig


  • T4708 (bug): 'show nat destination rules' throwing an error

  • T4700 (feature): Firewall - Add interface match criteria

  • T4699 (feature): Firewall - Add jump action - Add return action

  • T4651 (feature): Firewall - Add options to match packet size

  • T4702 (bug): Wireguard peers configuration is not synchronized with CLI

  • T4685 (bug): Interface does not exist on boot when used as inbound-interface for local policy route

  • T4652 (feature): Upgrade PowerDNS recursor to 4.7 series

  • T4582 (default): Router-advert: Preferred lifetime cannot equal valid lifetime in PIOs


  • T4715 (feature): Auto logout user after a period of inactivity

  • T4697 (bug): policy route: Generating ConfigError failes when tcp flag is missing on set tcp-mss rule commit


  • T4711 (feature): Ability to terminate user TTY and PTS sessions

  • T4557 (feature): fastnetmon: allow configure limits per protocol (tcp, udp, icmp)


  • T4678 (feature): Rewrite service ipoe-server to get_config_dict

  • T4703 (feature): accel-ppp: combine vlan-id and vlan-range into single CLI node


  • T4693 (bug): ISIS segment routing was broken...


  • T4666 (bug): EAP-TLS no longer allows TLSv1.0 after T4537, T4584

  • T4665 (bug): Keepalived cannot use same VRID for VRRPv2 and VRRPv3


  • T4698 (enhancment): Drop validator name="range" and replace it with numeric

  • T4695 (feature): Add 'es' and 'jp106' keymap option keyboard-layout

  • T4669 (enhancment): Extend numeric.ml for inversion of values and range values


  • T4679 (bug): OpenVPN site-to-site incorrect check for IPv6 local and remote address

  • T4691 (feature): Upgrade Linux Kernel to latest 5.15.y train

  • T4630 (bug): Prevent attempts to use the same interface as a source interface for pseudo-ethernet and MACsec at the same time

  • T4696 (default): Extend bgp parameters for bgp bestpath peer-type multipath-relax


  • T4617 (feature): VRF specification is needed for telegraf prometheus-client listen-address <address>

  • T4690 (bug): Update GraphQL resolver for 'SystemStatus' following changes to 'show_uptime' op-mode script

  • T4647 (feature): Add Google Virtual NIC (gVNIC) support

  • T4170 (feature): Rename "policy ipv6-route" -> "policy route6"


  • T4682 (feature): Rewrite 'show system storage' in standardized format

  • T4681 (feature): Complete standardization of show_uptime.py


  • T4640 (enhancment): Integrate op-mode exception hierarchy into API

  • T4597 (bug): Check bind port before assign service HTTPS API and openconnect

  • T4674 (bug): API should show op-mode error message, if present

  • T4673 (bug): op-mode bridge.py should raise error on show_fdb for nonexistent bridge interface


  • T4668 (bug): Adding/removing members from bond doesn't work/results in incorrect interface state

  • T4663 (bug): Interface pseudo-ethernet does not change mode

  • T4655 (bug): Firewall in 1.4 sets the default action 'accept' instead of 'drop'

  • T4628 (bug): ConfigTree() throws ValueError() if tagNode contains whitespaces


  • T4606 (bug): monitor nat destination translation shows missing script

  • T4435 (bug): Policy route and firewall - error when using undefined group

  • T4147 (bug): New Firewall Implementation - proposed changes on group implementation


  • T4650 (feature): Rewire show nat translation to vyos.opmode format

  • T4644 (bug): Check bind port before assign vpn sstp

  • T4643 (bug): Smoketest exclude either sstp or openconnect from pki-misc default listen port

  • T4569 (feature): Rewrite show bridge to new format

  • T4547 (bug): Show vpn ipsec sa show unexpected prefix 'B' in packets

  • T4367 (bug): NAT - Config tmp file not available


  • T4645 (bug): show nat source statistics lack argument --family

  • T4634 (bug): Bgp neighbor disable-connected-check does not work

  • T4631 (feature): Add port and protocol to nat66

  • T4623 (feature): Add show conntrack statistics

  • T4595 (bug): DPD interval and timeout do not work in DMVPN

  • T4594 (feature): Rewrite op-mode IPsec to vyos.opmode format

  • T4508 (bug): Problem with values of the same environment in different event handlers

  • T4653 (bug): Interface offload options are not applied correctly

  • T4546 (bug): Does not connect Cisco spoke to VyOS hub.

  • T4061 (default): Add util function to check for completion of boot config

  • T4654 (bug): RPKI cache incorrect description

  • T4572 (bug): Add an option to force interface MTU to the value received from DHCP


  • T4642 (bug): proxy: hyphen not allowed in proxy URL


  • T4626 (bug): Error showing nat66 source and destination

  • T4622 (feature): Firewall allow drop packets by TCP MSS size


  • T4641 (bug): prefix-list allows ipv6 prefix as input

  • T4633 (feature): Change keepalived to v2.2.7


  • T4618 (bug): Traffic policy not set on virtual interfaces

  • T4538 (bug): Macsec does not work correctly when the interface status changes.


  • T4089 (bug): Show nat destination rules shows ip address instead of interface 'any'

  • T4632 (bug): VLAN-aware bridge not working

  • T4637 (feature): Upgrade to podman 4.2.0


  • T4596 (bug): "show openconnect-server sessions" command does not work in the openconnect module


  • T4620 (bug): UPnP does not work due to  incorrect template

  • T4619 (bug): Static arp is not set if another entry is present

  • T4611 (bug): UPnP rule IP should be a prefix instead of an address

  • T4614 (feature): OpenConnect split-dns directive


  • T4613 (bug): UPnP configuration without listen option fail

  • T4570 (bug): Exception when trying to set up VXLAN over Wireguard


  • T4598 (feature): nat66  - Add exclude options

  • T4480 (default): add an ability to configure squid acl safe ports and acl ssl safe ports


  • T4592 (bug): macsec: can not create two interfaces using the same source-interface

  • T4584 (bug): hostap: create custom package build

  • T4413 (default): Add an API endpoint with basic system stats

  • T4537 (bug): MACsec not working with cipher gcm-aes-256


  • T4609 (bug): Unable to Restart Container VyOS 1.4

  • T4565 (bug): vlan aware bridge not working with - Kernel: T3318: update Linux Kernel to v5.4.205 #249

  • T3988 (default): Feature Request: IPsec Multiple local/remote prefix for the tunnel

  • T2763 (feature): New SNMP resource request - SNMP over TCP


  • T4579 (bug): bridge: can not delete member interface CLI option when VLAN is enabled

  • T4421 (default): Add support for floating point numbers in the numeric validator

  • T3507 (bug): Bond with mode LACP show u/u in show interfaces even if peer is not configured


  • T4603 (feature): Need a config option to specify NAS-IP-Address for vpn l2tp


  • T4408 (feature): Add sshguard to protect against brut-forces


  • T4586 (feature): Add to NAT66: SNAT destination address and DNAT source address.


  • T4257 (feature): Discussion on changing BGP autonomous system number syntax


  • T4585 (feature): Rewrite op-mode containers to vyos.opmode

  • T4515 (default): Reduce telegraf binary size


  • T4581 (bug): 'show system cpu' not working

  • T4578 (feature): Rewrite show dns forwarding statistics to new format


  • T4580 (bug): Handle the case of op-mode file names with hyphens in GraphQL schema/resolver generation


  • T4575 (feature): vyos.utill add new wrapper "rc_cmd" to get the return code and output

  • T4562 (feature): Rewrite show vrf to new format

  • T4545 (feature): Rewrite show nat source rules

  • T4543 (bug): Show source nat statistics shows incorrect interface

  • T4503 (default): Prevent op mode scripts from restarting services if there's a commit in progress

  • T4411 (feature): Add migration for service monitoring telegraf influxdb


  • T4554 (enhancment): Implement GraphQL resolvers for standardized op-mode scripts

  • T4518 (feature): Add XML for CLI conf mode load-balancing wan

  • T4544 (enhancment): Generate schema definitions from standardized op-mode scripts


  • T4531 (bug): NAT op-mode errors with exclude rules

  • T3435 (bug): NAT rules show corruption


  • T4571 (bug): Sflow with vrf configured does not use vrf to validate agent-address IP from vrf-configured interfaces

  • T4552 (bug): Unable to reset IPsec IPv6 peer


  • T4568 (bug): show vpn debug peer doesn't work

  • T4556 (feature): fastnetmon: Allow configure white_list_path and populate with hosts/networks that should be ignored.

  • T4495 (feature): Combine BGP reset op commands


  • T4567 (default): Merge experimental branch of GraphQL development

  • T4560 (bug): VRF and BGP neighbor local-as error

  • T4493 (bug): Incorrect help for "show bgp neighbors"

  • T1233 (bug): ipsec vpn sa showing down


  • T4145 (bug): Conntrack table not showing after firewall rewriting


  • T4555 (feature): fastnetmon: add IPv6 support

  • T4553 (default): Allow to set ban time on ddos-protection configuration


  • T4056 (bug): Traffic policy not set in live configuration


  • T4523 (feature): OP-mode Extend conntrack output to get marks, zones and directions

  • T4228 (bug): bond: OS error thrown when two bonds use the same member

  • T4539 (feature): qat: update Intel QuickAssist release version 1.7.L.4.16.0-00017

  • T4534 (bug): bond: bridge: error out if member interface is assigned to a VRF instance

  • T4525 (bug): Delete interface from VRF and add it to bonding error

  • T4522 (feature): bond: add ability to specify mii monitor interval via CLI

  • T4535 (feature): FRR: upgrade to stable/8.3 version

  • T4521 (bug): bond: ARP monitor interval is not configured despite set via CLI

  • T4540 (feature): firmware: update to Linux release 20220708


  • T4028 (bug): FRR 8.1 routes not being applied to routing table after reboot if an interface has 2 ip addresses


  • T4494 (bug): Cannot reset BGP peer within VRF

  • T4536 (feature): FRR: move to systemd for daemon control


  • T4491 (bug): Use empty string for internal name of root node of config_tree


  • T1375 (feature): Add clear  dhcp server  lease function


  • T4527 (bug): Prevent to create VRF name default

  • T4084 (default): Dehardcode the default login banner

  • T3948 (feature): IPSec VPN:  Add a new option "none" for the connection-type

  • T235 (feature): Ability to configure manual IP Rules


  • T3836 (bug): Setting a default IPv6 route while getting IPv4 gateway via DHCP removes the IPv4 gateway


  • T4507 (feature): IPoE-server add multiplier option for shaper

  • T4499 (bug): NAT source translation not showing a single output

  • T4468 (bug): web-proxy source group cannot start with a number bug

  • T4373 (feature): PPPoE-server add multiplier option for shaper

  • T3353 (bug): PPPoE server wrong vlan-range generating config

  • T3648 (bug): op-mode: nat rules broken

  • T4517 (feature): ip: Add options to enable directed broadcast forwarding


  • T4456 (bug): NTP client in VRF tries to bind to interfaces outside VRF, logs many messages

  • T4509 (feature): Feature Request: DNS64


  • T4513 (bug): Webproxy monitor commands do not work

  • T4299 (feature): Firewall - GeoIP filtering


  • T4378 (bug): Unable to submit wildcard ("*.example.com") A or AAAA records in dns forwarder

  • T2683 (default): no dual stack in system static-host-mapping host-name

  • T478 (feature): Firewall address group (multi and nesting)


  • T4501 (bug): Syslog-identifier does not work in event handler

  • T3600 (bug): DHCP Interface static route breaks PBR

  • T4498 (feature): bridge: Add option to enable/disable IGMP/MLD snooping


  • T2455 (bug): No support for the IPv6 VTI

  • T4490 (feature): BGP- warning message that AFI/SAFI is needed to establish the neighborship

  • T4489 (bug): MPLS sysctl not persistent for tunnel interfaces


  • T4477 (feature): router-advert: support RDNSS lifetime option


  • T4486 (bug): Container can't be deleted

  • T4473 (bug): Use container network without network declaration error

  • T4458 (feature): Firewall - add support for matching ip ttl in firewall rules

  • T3907 (feature): Firewall - Set log levels


  • T4484 (default): Firewall op-mode summary doesn't correctly handle address group containing ranges


  • T4482 (bug): dhcp: toggle of "dhcp-options no-default-route" has no effect

  • T4483 (feature): Upgrade fastnetmon to v1.2.2 community edition


  • T1748 (feature): vbash: beautify tab completion output/line breaks


  • T1856 (feature): Support configuring IPSec SA bytes


  • T4467 (bug): Validator Does Not Accept Signed Numbers


  • T4209 (bug): Firewall incorrect handler for recent count and time


  • T4352 (bug): wan-load balance - priority traffic rule doesn't work


  • T4450 (feature): Route-map - Extend options for ip|ipv6 address match

  • T4449 (feature): Route-map - Extend options for ip next-hop match

  • T990 (feature): Make DNAT/SNAT a valid state in firewall rules.


  • T4420 (feature): Feature Request: ocserv: show configured 2FA OTP key

  • T4380 (default): Feature Request: ocserv: 2FA OTP key generator in VyOS CLI


  • T4365 (bug): NAT - Error on setting up tables

  • T4465 (feature): node.def generation misses whitespace on multiple use of <path>


  • T4444 (default): sstp: Feature request. Port number changing support

  • T2580 (feature): Support for ip pools for ippoe


  • T4447 (bug): DHCPv6 prefix delegation `sla-id` limited to 128


  • T4212 (default): PermissionError when generating/installing server Certificate (generate pki certificate sign ...)

  • T4199 (bug): Commit failed when setting icmpv6 type any

  • T4148 (bug): Firewall - Error messages not that clear as it were in old firewall

  • T3659 (bug): Configuration won't accept IPv6 addresses for site-to-site VPN tunnel prefixes/traffic selectors


  • T4315 (feature): Telegraf - Output to prometheus


  • T2473 (feature): Xml for EIGRP [conf_mode]


  • T4448 (feature): rip: add support for explicit version selection


  • T4442 (feature): HTTP API add action "reset"


  • T4410 (feature): Telegraf - Output to Splunk

  • T4382 (bug): Replacing legacy loadFile exposes missing steps in migration scripts and other errors


  • T4437 (bug): flow-accounting: support IPv6 flow collectors


  • T4418 (feature): Telegraf - output Plugin azure-data-explorer


  • T4434 (bug): DMVPN: cisco-authentication password length is 8 characters

  • T3938 (default): Rewrite the uptime script in Python to allow using it as a library

  • T4334 (default): Make the config lexer reentrant


  • T4424 (bug): policy local-route6 shows ipv4 format


  • T4377 (default): generate tech-support archive includes previous archives


  • T4417 (bug): VRRP doesn't start with conntrack-sync

  • T4100 (feature): Firewall increase maximum number of rules


  • T4405 (bug): DHCP client sometimes ignores `no-default-route` option of an interface


  • T4156 (default): Adding DHCP Option 13 (bootfile-size)

  • T1972 (feature): Allow setting interface name for virtual_ipaddress in VRRP VRID


  • T4361 (bug): `vyos.config.exists()` does not work for nodes with multiple values

  • T4354 (bug): Slave interfaces fall out from bonding during configuration change

  • T4419 (feature): vrf: support to disable IP forwarding within a given VRF


  • T4385 (bug): bgp: peer-group member cannot override remote-as of peer-group


  • T4414 (feature): Add route-map "as-path prepend last-as x" option


  • T4395 (feature): Extend show vpn debug


  • T4369 (bug): OpenVPN: daemon not restarted on changes to "openvpn-option" CLI node

  • T4363 (bug): salt-minion: default mine_interval option is not set

  • T4353 (feature): Add Jinja2 linter to vyos-1x build process


  • T4388 (bug): dhcp-server: missing constraint on tftp-server-name option

  • T4366 (bug): geneve: interface is removed on changes to e.g. description


  • T4400 (bug): Container OP mode has delete where show and update should be


  • T4398 (bug): IPSec site-to-site generates unexpected passthrough option

  • T4397 (feature): arp: migrate static ARP entry configuration to get_config_dict() and make it VRF aware

  • T4357 (feature): Allow free-form setting of DHCPv6 server options


  • T4210 (bug): NAT source/destination negated ports throws an error

  • T4235 (default): Add config tree diff algorithm


  • T4390 (feature): op-mode: extend "show log" and "monitor log" with additional daemons/subsystems to read journalctl logs

  • T4391 (bug): PPPoE: IPv6 not working after system boot


  • T4342 (bug): "show ip ospf neighbor address x.x.x.x"  gives "unknown command" error


  • T4386 (default): Applying limiter on traffic-policy "in" fails, incorrectly reports mirror or redirect policy in use


  • T4389 (feature): dhcp: add vendor option support for Ubiquity Unifi controller


  • T4384 (feature): pppoe: replace default-route CLI option with common CLI nodes already present for DHCP


  • T4345 (bug): New firewall code does not accept "rate/time interval" syntax used in old config

  • T4231 (feature): Feature Request: ocserv: 2FA (password+OTP) support in Openconnect


  • T4379 (bug): PPPoE: default-route lost after applying additional static routes

  • T4344 (bug): DHCP statistics not matching, conf-mode generates incorrect pool name with dash

  • T4268 (bug): Elevated LA while using VyOS monitoring feature


  • T4351 (bug): Openvpn conf-mode "openvpn-option" is not respected

  • T4278 (default): vyos-vm-images: fix vagrant libvirt box

  • T4368 (bug): bgp: AS specified for local as is the same as the remote as and this is not allowed.

  • T4370 (feature): vxlan: geneve: support configuration of df bit option


  • T4327 (default): Ethernet interface configuration fails on Hyper-V due to speed/duplex/autoneg ethtool command error

  • T4364 (feature): salt-minion: Upgrade to 3004 and migrate to get_config_dict()


  • T4333 (feature): Jinja2: add plugin to test if a variable is defined and not none to reduce template complexity


  • T4331 (bug): IPv6 link local addresses are not configured when an interface is in a VRF

  • T4347 (default): Return complete and consistent error codes from HTTP API

  • T4339 (bug): wwan: tab-completion results in "No such file or directory" if there is no WWAN interface

  • T4338 (bug): wwan: changing interface description should not trigger reconnect

  • T4324 (bug): wwan: check alive script should only be run via cron if a wwan interface is configured at all


  • T4330 (bug): MTU settings cannot be applied when IPv6 is disabled

  • T4346 (feature): Deprecate "system ipv6 disable" option to disable address family within OS kernel

  • T4319 (bug): The command "set system ipv6 disable" doesn't work as expected.

  • T4341 (feature): login: disable user-account prior to deletion and wait until deletion is complete

  • T4336 (feature): isis: add support for MD5 authentication password on a circuit


  • T4308 (feature): Op-comm "Show log frr"  to view specific protocol logs


  • T4329 (bug): Bgp policy route-map bug with set several extcommunity rt


  • T4335 (bug): open-vmdk fails to build under gcc-10.+


  • T4332 (bug): bgp: deterministic-med cannot be disabled while addpath-tx-bestpath-per-AS is in use


  • T4326 (feature): Add bgp option no-suppress-duplicates

  • T4323 (default): ospf6d crashes on latest vyos nightly


  • T3686 (bug): Bridging OpenVPN tap with no local-address breaks

  • T3635 (default): Add ability to use mDNS repeater with VRRP


  • T4321 (default): Allow BGP neighbors between different VIFs on the same VyOS


  • T4301 (bug): The "arp-monitor" option in bonding interface settings does not work

  • T4294 (bug): Adding a new openvpn-option does not restart the OpenVPN process

  • T4290 (bug): BGP source-interface fails to commit

  • T4230 (bug): OpenVPN server configuration deleted after reboot when using a VRRP virtual-address


  • T4314 (bug): Latest 1.4 Rolling release config migration error


  • T4304 (feature): [OSPF]import/export filter inter-area prefix


  • T4298 (default): vyos-vm-images: fix ansible group name and remove obsolete empty command


  • T4286 (bug): Fix for firewall ipv6 name address validator


  • T4302 (feature): FRRouting upgrade to release 8.2.2

  • T4293 (default): Add "set ip-next-hop unchanged" in route-map


  • T4275 (default): Incorrect val_help for local/remote prefix in ipsec vpn


  • T4296 (bug): Interface config injected by Cloud-Init may interfere with VyOS native

  • T4265 (feature): Add op-mode for bgp flowspec state and routes


  • T4297 (bug): Interface configuration saving fails for ice/iavf based interfaces because they can't change speed/duplex settings


  • T3981 (feature): VRF support for flow-accounting


  • T4259 (bug): The conntrackd daemon can be started wrongly


  • T4283 (feature): Add support to "reject" routes - emit an ICMP unreachable when matched


  • T4277 (feature): flow-accounting: support sending flow-data via VRF interface


  • T4273 (bug): ssh: Upgrade from 1.2.X to 1.3.0 breaks config

  • T4115 (bug): reboot in <x> not working as expected

  • T3656 (bug): IPSec 1.4 : "show vpn ike sa" does not show the correct default ike version


  • T4272 (feature): lldp: migrate Python script to use get_config_dict()


  • T4267 (bug): Error - Missing required "ip key" parameter


  • T4194 (bug): prefix-list no check for duplicate entries

  • T4264 (bug): vxlan: interface is destroyed and rebuild on description change

  • T4263 (bug): vyos.util.leaf_node_changed() dos not honor valueLess nodes


  • T4120 (feature): [VXLAN] add ability to set multiple unicast-remotes


  • T4254 (feature): VPN IPSec charon add options cisco_flexvpn and install_virtual_ip_on

  • T4249 (feature): Add support for device mapping in containers

  • T3617 (bug): IPSec 1.4 generate invalid configuration

  • T4261 (feature): MACsec: add DHCP client support

  • T4203 (bug): Reconfigure DHCP client interface causes brief outages


  • T4258 (bug): [DHCP-SERVER]  error parameter on Failover


  • T4255 (bug): Unexpected print of dict bridge on delete

  • T4240 (bug): Cannot add wlan0 to bridge via configure

  • T4154 (bug): Error add second gre tunnel with the same source interface


  • T4237 (bug): Conntrack-sync error - error adding listen-address command


  • T4160 (bug): Firewall - Error in rules that matches everything except something

  • T3006 (bug): Accel-PPP & vlan-mon config get invalid VLAN

  • T3494 (bug): DHCPv6 leases traceback when PD using

  • T1292 (bug): Issues while deleting all rules from a firewall


  • T4242 (bug): ethernet speed/duplex can never be switched back to auto/auto

  • T4191 (bug): Lost access to host after VRF re-creating


  • T3872 (feature): Add configurable telegraf monitoring service


  • T4227 (bug): Typo in help completion of hello-time option of bridge interface


  • T4233 (bug): ssh: sync regex for allow/deny usernames to "system login"


  • T4223 (bug): policy route cannot have several entries with the same table

  • T4216 (bug): Firewall: can't use negated groups in firewall rules

  • T4178 (bug): policy based routing tcp flags issue

  • T4164 (bug): PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`

  • T3970 (feature): Add support for op-mode PKI direct install into an active config session

  • T3828 (bug): ipsec: Subtle change in "pfs enable" behavior from equuleus -> sagitta


  • T4226 (bug): VRRP transition-script does not work for groups name which contains -(minus) sign


  • T4196 (bug): DHCP server client-prefix-length parameter results in non-functional leases


  • T4218 (bug): firewall: rule name is not allowed to start with a number

  • T3643 (bug): show vpn ipsec sa doesn't show tunnels in "down" state


  • T4224 (bug): Ethernet interfaces configured for DHCP not working on latest rolling snapshot (vyos-1.4-rolling-202201291849-amd64.iso)

  • T4225 (bug): Performance degration with latest rolling release

  • T4220 (bug): Commit broke dhclient 78b247b724f74bdabab0706aaa7f5b00e5809bc1

  • T4138 (bug): NAT configuration allows to set incorrect port range and invalid port


  • T4184 (bug): NTP allow-clients address doesn't work it allows to use ntp server for all addresses

  • T4217 (bug): firewall: port-group requires protocol to be set - but not in VyOS 1.3


  • T4213 (default): ipv6 policy routing not working anymore

  • T4188 (bug): Firewall does not correctly handle conntracking

  • T3762 (feature): Support network and address groups for policy ipv6-route

  • T3560 (feature): Ability to create groups of MAC addresses

  • T3495 (feature): Modernising port/protocol definitions


  • T4205 (feature): Disable Debian Version in SSH (DebianBanner->no)

  • T4131 (bug): Show firewall group incorrect format members


  • T4204 (feature): Update Accel-PPP to a newer revision

  • T1795 (default): Commit rollback by timeout


  • T4186 (bug): Firewall icmp type - Offered options not supported

  • T4181 (bug): Firewall ipv6-network-group - incorrect description on helper


  • T4200 (bug): Assigning ipv6-name to interface is not generating nftables rules

  • T4144 (bug): Firewall address-group - Improve error messages

  • T4137 (bug): Firewall group configuration allows to set incorrect port range and invalid port

  • T4133 (bug): Firewall network group error with zone-based firewall rules


  • T4171 (bug): Interface config migration error on 1.2.8 -> 1.4 upgrade


  • T4195 (feature): [OSPF-ECMP]enable set maximun-path


  • T4159 (bug): Empty firewall group (address, network & port) generates invalid nftables config, commit fails

  • T4155 (bug): PBR: `set table main` fails in `firewall.py` with newer rolling releases

  • T3873 (feature): Zone based Firewall - Filter traffic in same zone

  • T3286 (feature): Switch the firewall from iptables to nftables

  • T292 (feature): [ZBF] Allow filtering intra zone traffic


  • T3164 (bug): console-server ssh does not work with RADIUS PAM auth


  • T4183 (feature): IPv6 link-local address not accepted as wireguard peer

  • T4150 (bug): VRRP with conntrack-sync does not work

  • T4110 (feature): [IPV6-SSH/DNS}  enable IPv6 link local adresses as listen-address %eth0


  • T4182 (bug): Show vrrp if vrrp not configured bug

  • T4179 (feature): Add op-mode CLI for show high-availability virtual-server


  • T4175 (bug): BGP configuration failed

  • T4109 (feature): Extend high-availability/keepalived for support virtual-server lb


  • T4174 (bug): Validation fails when entering port range with upper port 65535

  • T4162 (bug): VPN ipsec ike-group - Incorrect value help for ikev2-reauth

  • T4161 (bug): Policy route-map - Incorrect value help for local preference

  • T4152 (bug): NHRP shortcut-target holding-time does not work


  • T4149 (bug): [Firewall-IPV6] Error delete Fw rules on VIF/INT

  • T3950 (bug): CLI backtrace on update if DNS not defined

  • T4166 (bug): Debug output missing when frr.py called under vyos-configd


  • T3299 (bug): Allow the web proxy service to listen on all IP addresses

  • T3115 (feature): Add support for firewall on L3 VIF bridge interface


  • T4142 (bug): Input ifbX interfaces not displayed in op-mode

  • T3914 (bug): VRRP rfc3768-compatibility doesn't work with unicast peers


  • T4116 (bug): Webproxy/Squid not working with IPv6 listen-address


  • T3924 (bug): VRRP stops working with VRF


  • T4135 (bug): Declare zone policy firewall without local zone errors

  • T4130 (bug): Firewall state policy errors chain

  • T4141 (bug): Set high-availability vrrp sync-group without members error


  • T4134 (bug): Incorrect firewall protocol completion help uppercase and duplicates

  • T4132 (bug): Impossible to show a specific firewall group


  • T4126 (feature): Ability to set priority to site to site IPSec vpn tunnels

  • T4052 (bug): Validator return traceback on VRRP configuration with the script path not in config dir

  • T4128 (bug): keepalived: Upgrade package to add VRF support


  • T4081 (bug): VRRP health-check script stops working when setting up a sync group


  • T4124 (feature): snmp: migrate to get_config_dict()


  • T4111 (bug): IPSec generates wrong configuration colons for IPv6 peers

  • T4023 (feature): Add grepcidr or similar functionality

  • T4086 (default): system login banner is not removed on deletion.


  • T3380 (bug): "show vpn ike sa" does not display IPv6 peers


  • T3979 (bug): vyos-hostd unable to hostfile-update

  • T2566 (bug): sstp not able to run tunnels ipv6 only

  • T4093 (bug): SNMPv3 snmpd.conf generation bug

  • T2764 (enhancment): Increase maximum number of NAT rules


  • T4104 (bug): RAID1: "add raid md0 member sda1" does not restore boot sector

  • T4108 (default): OSPFv3: add support for auto-cost parameter

  • T4107 (default): OSPFv3: add support for "default-information originate"


  • T4101 (bug): commit-archive: Use of uninitialized value $source_address in concatenation

  • T4099 (feature): flow-accounting: sync "source-ip" and "source-address" between netflow and sflow ion CLI

  • T4097 (feature): flow-accounting: migrate implementation to get_config_dict()

  • T4105 (feature): flow-accounting: drop "sflow agent-address auto"

  • T4106 (feature): flow-accounting: support specification of capture packet lenght

  • T4102 (feature): OSPFv3: add support for NSSA area-type

  • T4055 (feature): Add VRF support for HTTP(S) API service


  • T3854 (bug): Missing op-mode commands for conntrack-sync


  • T3354 (default): Convert strip-private script from Perl to Python


  • T3678 (bug): VyOS 1.4: Invalid error message while deleting ipsec vpn configuration

  • T3356 (feature): Script for remote file transfers


  • T4083 (bug): Cluster heartbeat doesn't start b.c lack of directory /run/heartbeat/

  • T4070 (bug): NATv4 : inbound-interface type "any" is missing.

  • T4053 (bug): VRRP impossible to set scripts out of the /config directory

  • T3931 (bug): SSTP doesn't work after rewriting to PKI


  • T4088 (default): Fix typo in login banner


  • T3912 (default): Use a more informative default post-login banner


  • T4059 (bug): VRRP sync-group transition script does not persist after reboot


  • T4046 (feature): Sflow - Add Source address parameter

  • T3556 (bug): Commit-archive via scp causes 100% CPU on boot

  • T4076 (enhancment): Allow setting CORS options in HTTP API

  • T4037 (default): HTTP transfers do not follow redirects

  • T4029 (default): Broken SFTP uploads


  • T4077 (bug): op-mode: bfd: drop "show protocols bfd" in favour of "show bfd"

  • T4073 (bug): "show protocols bfd peer <>" shows incorrect peer information.


  • T4071 (feature): Allow HTTP API to bind to unix domain socket


  • T4069 (feature): BGP: add additional available parameters to VyOS CLI

  • T4036 (bug): VXLAN incorrect raiseError if set multicast network instead of singe address


  • T4068 (feature): Python: ConfigError should insert line breaks into the error message


  • T4033 (bug): VRRP - Error security when setting scripts

  • T4064 (bug): IP address for vif is not removed from the system when deleted in configuration

  • T4060 (enhancment): Extend configquery for use before boot configuration is complete

  • T4058 (bug): BFD: add BGP and OSPF "bfd profile" support

  • T4054 (bug): BFD profiles configuration incorrect behavior.


  • T4041 (servicerequest): "transition-script" doesn't work on "sync-group"


  • T4012 (feature): Add VRF support for TFTP


  • T4049 (feature): support command-style output with compare command

  • T4047 (bug): Wrong regex validation in XML definitions

  • T4042 (bug): BGP L2VPN / EVPN and RD type 0 set

  • T4048 (bug): BGP: L2VPN/EVPN and individual RD and RT settings for each VNI

  • T4045 (bug): Unable to "format disk <new> like <old>"

  • T4044 (feature): BFD: add vrf support

  • T4043 (feature): BFD: add support for passive mode


  • T4035 (bug): Geneve interfaces aren't displayed by operational mode commands


  • T3695 (bug): OpenConnect reports commit success when ocserv fails to start due to SSL cert/key file issues


  • T4010 (bug): DMVPN generates incorrect configuration life_time for swanctl.conf

  • T3725 (feature): show configuration in json format


  • T3946 (enhancment): Automatically resize the root partition if the drive has extra space


  • T3999 (bug): show lldp neighbor Traceback error

  • T3928 (feature): Add OSPFv3 VRF support


  • T3755 (feature): ospf: adjust to new FRR 8 syntax where "no passive-interface " moved to interface section

  • T3753 (feature): frr: upgrade to stable/8.1 release train


  • T3978 (bug): containers add network without declaring prefix raise ConfigError


  • T4006 (default): Add additional Linux capabilities to container configuration

  • T3986 (bug): Incorrect description for vpn ipsec site-to-site authentication and connection


  • T4015 (feature): Update Accel-PPP to a newer revision

  • T3865 (bug): loadkey command help text missing escape sequence

  • T1083 (feature): Implement persistent/random address and port mapping options for NAT rules


  • T3990 (bug): WATCHFRR: crashlog and per-thread log buffering unavailable (due to files left behind in /var/tmp/frr/ after reboot)


  • T3998 (bug): route-target completion incorrect description


  • T4003 (bug): API for "show interfaces ethernet" does not include the interface description

  • T4011 (bug): ethernet: deleting interface should place interface in admin down state


  • T3612 (bug): IPoE Server address pool issues.

  • T3995 (feature): OpenVPN: do not stop/start service on configuration change

  • T4008 (feature): dhcp: change client retry interval form 300 -> 60 seconds

  • T3795 (bug): WWAN: issues with non connected interface / no signal

  • T3510 (bug): RADIUS usersname is not shown on CLI


  • T3350 (bug): OpenVPN config file generation broken

  • T3996 (bug): SNMP service error in log


  • T3994 (bug): VRF: unable to delete vrf when name contains numbers, hyphen or underscore

  • T3960 (bug): FRR Misconfig when using multiple VRF VNI

  • T3724 (feature): Allow setting host-name in l2tp section of accel-ppp

  • T645 (feature): Allow multiple prefixes in ipsec tunnel


  • T3966 (default): OpenVPN fix the smoketests

  • T3834 (default): [OPENVPN] Support for Two Factor Authentication totp.

  • T3982 (bug): DHCP server commit fails if static-mapping contains + or .


  • T3962 (bug): Image cannot be built without open-vm-tools


  • T3626 (bug): Configuring and disabling DHCP Server


  • T3514 (bug): NIC flap at any interface change


  • T3972 (bug): Removing vif-c interface raises KeyError


  • T3969 (bug): Container incorrect raiseError format if network doesn't exist

  • T3662 (bug): Container configuration upgrade destroys system

  • T3964 (bug): SSTP: local-user static-ip CLI node accepts invalid IPv4 addresses


  • T3952 (default): Add sh bgp ipv4/ipv6 vpn command

  • T3610 (bug): DHCP-Server creation for not primary IP address fails


  • T3958 (default): OpenVPN breaks the smoketests

  • T3956 (bug): GRE tunnel - unable to move from source-interface to source-address, commit error


  • T3945 (feature): Add route-map for bgp aggregate-address

  • T3954 (bug): FTDI cable makes VyOS sagitta latest hang, /dev/serial unpopulated, config system error

  • T3943 (bug): "netflow source-ip" prevents image upgrades if IP address does not exist locally


  • T3942 (feature): Generate IPSec debug archive from op-mode


  • T3951 (bug): After resetting vti ipsec tunnel old child SA still active

  • T3941 (bug): "show vpn ipsec sa" shows established time of parent SA not child SA's

  • T3916 (feature): Add additional Linux capabilities to container configuration


  • T3944 (bug): VRRP fails over when adding new group to master


  • T3897 (feature): Dynamic DNS doesn't work with IPv6 addresses

  • T3832 (feature): Allow to set DHCP client-id in hexadecimal format

  • T3188 (bug): Tunnel local-ip to dhcp-interface Change Fails to Update

  • T3917 (default): Use Avahi as mDNS repeater for IPv6 support


  • T3926 (bug): strip-private does not sanitize "cisco-authentication" from NHRP configuration

  • T3925 (feature): Tunnel: dhcp-interface not implemented - use source-interface instead

  • T3923 (feature): Kernel: Enable TLS/IPSec offload support for Mellanox ConnectX NICs

  • T3927 (feature): Kernel: Enable kernel support for HW offload of the TLS protocol


  • T3918 (bug): DHCPv6 prefix delegation incorrect verify error

  • T3921 (bug): tunnel: KeyError when using dhcp-interface


  • T3396 (bug): syslog can't be configured with an ipv6 literal destination in 1.2.x


  • T3002 (default): VRRP change on IPSec interface causes packet routing issues


  • T3786 (bug): GRE tunnel source address error

  • T3217 (default): Save FRR configuration on each commit

  • T3381 (bug): Change GRE tunnel failed

  • T3254 (bug): Dynamic DNS status shows incorrect last update time

  • T1243 (bug): BGP local-as accept wrong values

  • T697 (bug): Clean up and sanitize package dependencies

  • T578 (feature): Support Linux Container


  • T3879 (bug): GPG key verification fails when upgrading from a 1.3 beta version


  • T3748 (bug): Container deletion bug

  • T3693 (feature): ISIS Route redistribution ipv6 support missing

  • T3676 (feature): Container option to add Linux capabilities

  • T3613 (feature): Selectors for route-based IPsec tunnel (vti)

  • T3692 (bug): VyOS build failing due to  repo.saltstack.com

  • T3673 (feature): BGP large-community del operation missing


  • T3811 (bug): NAT (op_mode): NAT op_mode command fails.

  • T3801 (feature): containers: do not use podman CLI to create container networks


  • T3904 (bug): NTP pool associations silently fail

  • T3277 (feature): DNS Forwarding - reverse zones


  • T3216 (bug): Removal of restricted-shell broke configure mode for RADIUS users

  • T3881 (bug): Wrong description for container section restart

  • T3868 (bug): Regex and/or wildcard not accepted with large-community-list

  • T3701 (bug): ipoe server fails to start when configuring radius dynamic-author on ipoe


  • T3750 (bug): pdns-recursor 4.4 issue with dont-query and private DNS servers

  • T3885 (default): dhcpv6-pd: randomly generated DUID is not persisted

  • T3899 (enhancment): Add support for hd44780 LCD displays


  • T3894 (bug): Tunnel Commit Failed if system does not have `eth0`


  • T3893 (bug): MGRE Tunnel commit crash If sit tunnel available


  • T3741 (feature): [BGP] default no-ipv4-unicast - by default


  • T3888 (bug): Incorrect warning when poweroff command executed from configure mode.

  • T3890 (feature): dhcp(v6): provide op-mode commands to retrieve both server and client logfiles

  • T3889 (feature): Migrate to journalctl when reading daemon logs


  • T3880 (bug): EFI boot shows error on display


  • T3882 (feature): Upgrade PowerDNs recursor to 4.5 series

  • T3883 (bug): VRF - Delette vrf config on interface


  • T3874 (bug): D-Link Ethernet Interface not working.

  • T3869 (default): Rewrite vyatta_net_name/vyatta_interface_rescan in Python


  • T3853 (default): nat66 rules gets deleted on reboot in 1.4-rolling-202109240217


  • T3863 (default): nat66: commit fails/hangs on non existing interface


  • T3860 (bug): Error on pppoe, tunnel and wireguard interfaces for IPv6 EUI64 addresses

  • T3857 (feature): reboot: send wall message to all users for information

  • T3867 (bug): vxlan: multicast group address is not validated

  • T3859 (bug): Add "log-adjacency-changes" to ospfv3 process

  • T3826 (bug): PKI: op-mode - do input validation when listing certificates


  • T3657 (default): BGP neighbors ipv6 not able to establish with IPv6 link-local addresses


  • T3850 (bug): Dots are no longer allowed in SSH public key names


  • T3847 (feature): keepalived/vrrp: migrate to get_config_dict() - cleanup


  • T3823 (bug): strip-private does not filter public IPv6 addresses


  • T3841 (feature): dhcp-server: add ping-check option to CLI

  • T2738 (bug): Modifying configuration in the "interfaces" section from VRRP transition scripts causes configuration lockup and high CPU utilization

  • T3840 (feature): dns forwarding: Cache size should allow values > 10k

  • T3672 (bug): DHCP-FO with multiple subnets results in invalid/non-functioning dhcpd.conf configuration file output


  • T3831 (bug): External traffic stops routing when IPSEC tunnel comes up with interface vti0

  • T1968 (default): Allow multiple static routes in dhcp-server

  • T3838 (feature): dhcp-server - sync cli for name-servers to other subsystems

  • T3839 (feature): dhcp-server: Allow configuration of a DNS server and domain name on the shared-network level


  • T3830 (bug): ipsec: remote-id no longer included in IKE AUTH if not explicitly specified


  • T3402 (feature): Add VyOS programming library for operational level commands


  • T3802 (bug): Commit fails if ethernet interface doesn't support flow control

  • T3819 (bug): Upgrade Salt Stack 3002.3 -> 3003 release train

  • T915 (feature): MPLS Support


  • T3812 (bug): Vyos and frr route-map config out of sync

  • T3814 (bug): wireguard: commit error showing incorrect peer name from the configured name

  • T3805 (bug): OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface

  • T3815 (bug): pki : the file command 'generate pki wireguard key-pair file' is not working


  • T1894 (bug): FRR config not loaded after daemons segfault or restart

  • T3807 (bug): Op Command "show interfaces wireguard"  does not show the output


  • T3806 (bug): Don't set link local ipv6 address if MTU less then 1280

  • T3803 (default): Add source-address option to the ping CLI

  • T3431 (bug): Show version all bug

  • T2920 (bug): Commit crash when adding the second mGRE tunnel with the same key


  • T3804 (feature): cli: Migrate and merge "system name-servers-dhcp" into "system name-server"


  • T3619 (bug): Performance Degradation 1.2 --> 1.3 | High ksoftirqd CPU usage


  • T3788 (bug): Keys are not allowed with ipip and sit tunnels

  • T3634 (feature): Add op command option for ping for do not fragment bit to be set

  • T3798 (feature): bgp: add support for "neighbor <X> local-as replace-as" option


  • T3792 (bug): login: A hypen present in a username from "system login user" is replaced by an underscore

  • T3790 (bug): Does not possible to configure PPTP static ip-address to users

  • T2947 (bug): Nat translation many-many with prefix does not map 1-1.


  • T3789 (feature): Add custom validator for base64 encoded CLI data

  • T3782 (default): Ingress Shaping with IFB No Longer Functional with 1.3


  • T3768 (default): Remove early syntaxVersion implementation

  • T2941 (default): Using a non-ASCII character in the description field causes UnicodeDecodeError in configsource.py

  • T3787 (bug): Remove deprecated UDP fragmentation offloading option


  • T3708 (bug): isisd and gre-bridge commit error

  • T3783 (bug): "set protocols isis spf-delay-ietf" is not working

  • T2750 (default): Use m4 as a template processor


  • T3743 (bug): l2tp doesn't work after reboot if outside-address not


  • T3182 (bug): Main blocker Task for FRR 7.4/7.5 series update

  • T3568 (feature): Add XML for firewall conf-mode

  • T2108 (default): Use minisign/signify instead of GPG for release signing


  • T3776 (default): Rename FRR daemon restart op-mode commands

  • T3739 (feature): policy: route-map: add EVPN match support


  • T3773 (bug): Delete the "show system integrity" command (to prepare for a re-implementation)

  • T3775 (bug): Typo in generated Strongswan VPN-config


  • T3772 (bug): VRRP virtual interfaces are not shown in show interfaces


  • T3769 (feature): Containers: Network Bridging


  • T3090 (feature): Move 'adjust-mss' firewall options to the interface section.

  • T3765 (default): container: additional op-mode commands


  • T1950 (default): Store VyOS configuration syntax version data in JSON file


  • T3751 (bug): pki generate ca add new line after passphrase

  • T3764 (bug): Unconfigurable IKE and ESP lifetime

  • T3234 (bug): multi_to_list fails in certain cases, with root cause an element redundancy in XML interface-definitions

  • T3732 (feature): override-default helper should support adding defaultValues to default less nodes

  • T3759 (default): [L3VPN] VPNv4/VPNv6 add commands


  • T3752 (bug): generate pki certificate file xxx doesn't touch file


  • T3738 (default): openvpn fails if server and authentication are configured

  • T1594 (bug): l2tpv3 error on IPv6 local-ip


  • T3756 (default): VyOS generates invalid QR code for wireguard clients

  • T3757 (default): OSPF: add support to configure the area at an interface level


  • T3745 (feature): op-mode IPSec show vpn ipse sa sorting


  • T3749 (bug): V4/V6 Counters in network container validation aren't being reset

  • T3728 (bug): FRR not respect configured RD and RT for L3VNI

  • T3727 (bug): VPN IPsec ESP proposal and ESP presented in config missmatch

  • T3740 (bug): HTTPs API breaks when the address is IPv6


  • T3731 (bug): verify_accel_ppp_base_service return wrong config error for SSP

  • T3405 (feature): PPPoE server unit-cache

  • T2432 (default): dhcpd: Can't create new lease file: Permission denied

  • T3746 (feature): Inform users logging into the system about a pending reboot

  • T3744 (default): Dns forwarding statistics formatting missing a new line


  • T3709 (feature): Snmp: Allow enable MIDs/OIDs ipCidrRouteTable


  • T3720 (bug): IPSec set vti secondary address cause interface disable


  • T3705 (bug): IPSec: VTI interface does not honor default-esp-group

  • T2027 (bug): get_config_dict is failing when the configuration section is empty/missing


  • T3719 (bug): Restart vpn shows some missed files


  • T3704 (feature): Add ability to interact with Areca RAID adapers

  • T3718 (bug): VPN IPsec IKE group by default not use DH-group 2


  • T3601 (default): Error in ssh keys for vmware cloud-init if ssh keys is left empty.


  • T3707 (bug): Ping incorrect ip host checks


  • T3716 (feature): Linux kernel parameters ignore_routes_with_link_down- ignore disconnected routing connections


  • T1176 (default): FRR - BGP replicating routes

  • T1210 (feature): About IKEv2 IPSec VPN remote access


  • T3699 (bug): login: verify selected "system login user" name is not already used by the base system.

  • T3698 (default): Support bridge monitoring


  • T3679 (default): Point the unexpected exception message link to the new rolling release location


  • T3665 (bug): Missing VRF support for VxLAN but already documented


  • T3636 (feature): SSTP / L2TP ipv6 support broken


  • T3667 (bug): brctl is damaged


  • T3660 (feature): Conntrack-Sync configuration command to specify destination udp port for peer


  • T57 (enhancment): Make it possible to disable the entire IPsec peer


  • T3658 (feature): Add support for dhcpdv6 fixed-prefix6

  • T2035 (bug): Executing vyos-smoketest multiple times makes ssh test fail on execution


  • T3593 (bug): PPPoE server called-sid format does not work

  • T1441 (feature): Add support for IPSec XFRM interfaces


  • T3641 (feature): Upgrade base system from Debian Buster -> Debian Bullseye

  • T3649 (feature): Add bonding additional hash-policy


  • T3647 (feature): Bullseye: gcc defaults to passing --as-needed to linker


  • T3629 (bug): IPoE server shifting address in the range

  • T3645 (feature): Bullseye: ethtool changed output for ring-buffer information


  • T3563 (default): commit-archive breaks with IPv6 source addresses


  • T3637 (bug): vrf: bind-to-all didn't work properly

  • T3639 (default): GCC preprocessor clobbers C comments


  • T3633 (feature): Add LRO offload for interface ethernet


  • T3599 (default): Migrate NHRP to XML/Python


  • T3624 (feature): BGP: add support for extended community bandwidth definition


  • T3623 (default): Fix for dummy interface option in the operational command "clear interfaces dummy"

  • T3630 (feature): op-mode: add "show version kernel" command


  • T3620 (feature): Rename WWAN interface from wirelessmodem to wwan to use QMI interface

  • T2173 (feature): Add the ability to use VRF on VTI interfaces

  • T3622 (feature): WWAN: add support for APN authentication

  • T3606 (bug): SNMP unknown notification OID

  • T3621 (bug): PPPoE interface does not validate if password is supplied when username is set


  • T3611 (bug): WWAN interface (MC7710) no longer works on Kernel 5.10

  • T1534 (bug): IPSec w/ IKEv2 Invalid local-address "any"

  • T3616 (bug): Update to FastAPI causes regression in vyos-http-api-server


  • T3614 (bug): Container network name with hyphen fail


  • T3250 (bug): PPPoE server:  wrong local usernames

  • T3138 (bug): ddclient improperly updated when apply rfc2136 config

  • T2645 (default): Editing route-map action requires adding a new rule


  • T3605 (default): Allow to set prefer-global for ipv6-next-hop

  • T3607 (feature): [route-map] set ipv6 next-hop prefer-global

  • T3289 (bug): No description for node "service" conf-mode


  • T3461 (bug): OpenConnect Server redundancy check

  • T3455 (bug): system users can not be added in "edit"

  • T3588 (default): IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan


  • T842 (feature): Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords


  • T3595 (default): Cannot create new VTI interface

  • T3592 (feature): Set default TTL 64 for tunnels


  • T3384 (feature): Support UDP bandwidth testing


  • T3233 (bug): Interface redirect to dum0


  • T3585 (default): Fix NHRP module for updated interfaces tunnel syntax

  • T3594 (bug): Disable by default service strongswan-starter


  • T3518 (bug): Warning messages when using SCP commit-archive

  • T3093 (default): Add xml for vpn ipsec

  • T1866 (bug): Commit archive over SFTP doesn't work with non-standard ports

  • T3590 (feature): bgp: add option for limiting maximum number of prefixes to be sent to a peer

  • T3589 (feature): op-mode: support clearing out logfiles from CLI

  • T2641 (feature): Rewrite vpn ipsec OP commands in new style XML syntax

  • T3351 (feature): Installer checking MD5 checksums on the ISO image


  • T1944 (bug): FRR: Invalid route in BGP causes update storm, memory leak, and failure of Zebra

  • T1888 (feature): Update to StrongSwan 5.9.1


  • T3561 (feature): router-advert: support advertising specific routes

  • T2669 (bug): DHCP-server overlapping ranges.


  • T3540 (bug): Keepalived memory utilisation issue when constantly getting its state in JSON format


  • T3575 (bug): pseudo-ethernet: must check source-interface MTU

  • T3571 (bug): Broken Show Tab Complete

  • T3555 (bug): GRE TAP tunnel does not silent fragment packets / kernel fix available

  • T3576 (bug): ISIS does not support IPV6


  • T3570 (default): Prevent setting of a larger MTU on child interfaces

  • T3573 (bug): as-path-prepend Description Invalid

  • T3572 (feature): Basic Drive Diagnostic Tools


  • T3564 (default): Multiple BGP Confederation Peers Not Allowed


  • T3551 (bug): QoS control failure of VLAN sub interface


  • T3554 (feature): Add area-type stub for ospfv3

  • T3565 (feature): sysctl: rewrite in XML and Python and drop from vyatta-cfg-system


  • T3562 (feature): Update Accel-PPP to a newer revision

  • T3559 (feature): Add restart op-command for OpenConnect Server


  • T3525 (default): VMWare resume script syntax errors


  • T3549 (bug): DHCPv6 "service dhcpv6-server global-parameters name-server" is not correctly exported to dhcpdv6.conf when multiple name-server entries are present

  • T3532 (bug): Not possible to change ethertype after interface creation

  • T3550 (bug): Router-advert completion typo

  • T3547 (feature): conntrackd: remove deprecated config options

  • T3535 (feature): Rewrite vyatta-conntrack-sync in new XML and Python flavor


  • T3346 (bug): nat 4-to-5 migration script fails when a 'source' or 'destination' node exists but there are no rules

  • T3248 (default): Deal with VRRP mode-force command that exists in 1.2 but not in 1.3

  • T3426 (default): add support for script arguments to vyos-configd


  • T3539 (bug): Typo in RPKI interface definition

  • T439 (feature): local PBR support

  • T3544 (feature): DHCP server should validate configuration before applying it

  • T3543 (feature): Support for setting lacp_rate on LACP bonded interfaces


  • T3302 (default): Make vyos-configd relay stdout from scripts to the user's console

  • T3542 (bug): udev net.rules not installed in image since may 2nd


  • T3374 (bug): IPv6 GRE Tunnel issues


  • T3530 (bug): BGP peer-group can't contain a hyphen


  • T3523 (bug): VRF BGP daemon route-map command missing

  • T3519 (bug): Cannot add / assign L2TPv3 to vrf


  • T3520 (bug): Cannot add tunnel interface to isis within vrf

  • T3335 (bug): Some OSPFv3 show commands do not work


  • T3504 (feature): BGP Per Peer Graceful Restart


  • T3511 (bug): Update libnss-mapuser and libpam-radius packages from CUMULUS Linux


  • T3379 (feature): Add global-parameters name-server  for dhcpv6-server

  • T3491 (default): Change Kernel HZ to 1000


  • T3503 (bug): "route-reflector-client" fails when "remote-as" is "internal"

  • T3502 (bug): "system ip multipath layer4-hashing" doesn't work


  • T3473 (bug): IPSec op-mode show sa error


  • T2946 (bug): Calling 'stty_size' causes show interfaces API to fail


  • T3490 (bug): priority inversion on PBR "policy route" create, breaks default route from dhcp (live iso)

  • T3468 (bug): Tunnel interfaces aren't suggested as being available for bridging (regression)

  • T3497 (bug): Prefix list with rule containing only action is not detected as error during parse

  • T3492 (bug): BGP Configuration Migration failed (badly!) from rolling 202102240218 to rolling 202104221210

  • T1802 (feature): Wireguard QR code in cli for mobile devices


  • T3472 (bug): commit-confirm script not found

  • T3439 (bug): Commit-archive location not working for scp


  • T3395 (bug): WAN load-balancing fails with nexthop dhcp

  • T3290 (bug): Disabling GRE conntrack module fails


  • T3488 (bug): Specifying an invalid "interface address" like dhcph leads to commit error


  • T3481 (default): Exclude tag node values from key mangling

  • T3475 (bug): XML dictionary cache unable to process syntaxVersion elements


  • T3470 (bug): as-override isn't applied to frr


  • T3386 (bug): PPPoE-server don't start with local authentication

  • T3190 (feature): Unable to subtract value from local-preference in route-map


  • T3398 (bug): Can't commit

  • T3055 (bug): op-mode incorrect naming for ipsec policy-based tunnels


  • T3436 (feature): Refactoring ospf op-mode for support vrf

  • T3434 (feature): Refactoring bgp op-mode for support vrf


  • T3454 (enhancment): dhclient reject option

  • T3328 (bug): Bgp not possible to delete bgp route-map


  • T3460 (bug): bgp, Configuration FRR failed while commiting code


  • T3464 (bug): OSPF: route-map names containing a hypen are not "found"


  • T3462 (default): show ipv6 bgp -- missing

  • T3463 (bug): Prevent IPv4 Route exchange with IPv6 neighbors


  • T3438 (bug): VRF: removing vif which belongs to a vrf, will delete the entire vrf from the operating system

  • T3418 (bug): BGP: system wide known interface can not be used as neighbor


  • T3457 (feature): Output the "monitor log" command in a colorful way


  • T3445 (bug): vyos-1x build include not all nodes


  • T3448 (bug): Loading vyos on a system without xdp installed fails


  • T3415 (feature): bridge: add support for isolated interfaces (private-vlan)

  • T1711 (feature): BGP - migrate from tagNode to node (remove ASN from tagNode)


  • T3440 (bug): HTTP API: give uvicorn time to initialize before restarting Nginx proxy


  • T3423 (bug): Cannot create ipv4 static route for default gateway in vrf


  • T3412 (default): HTTP API: move to FastAPI as web framework

  • T2397 (feature): HTTP API: export OpenAPI definition


  • T3419 (bug): show interfaces | strip-private fails


  • T3284 (bug): merge/load fail silently if unable to resolve host


  • T3417 (default): ISIS: provide per VRF instance support

  • T3416 (bug): NTP: when running inside a VRF op-mode commands do not work


  • T3392 (bug): vrrp over dhcp default route bug (unexpected vrf)

  • T3373 (feature): Upgrade to SaltStack version 3002.5

  • T3329 (default): "system conntrack ignore" rules can no longer be created due to an iptables syntax change

  • T3300 (feature): Add DHCP default route distance

  • T3306 (feature): Extend set route-map aggregator as to 4 Bytes


  • T3411 (default): Extend the redirect_stdout context manager in vyos-configd to redirect stdout from subprocesses

  • T3271 (bug): qemu-kvm grub issue


  • T3413 (bug): Configuring invalid IPv6 EUI64 address results in "OSError: illegal IP address string passed to inet_pton"


  • T3345 (default): BGP: add per VRF instance support

  • T3344 (default): Per VRF dynamic routing support

  • T3325 (bug): Bgp listen-range wrong commit message

  • T1513 (default): Move OSPF and RIP interface configuration under protocols


  • T3406 (bug): tunnel: interface no longer supports specifying encaplimit none - or migrator is missing

  • T3407 (bug): console-server: do not allow to spawn a console-server session on serial port used by "system console"


  • T3305 (bug): Ingress qdisc does not work anymore in 1.3-rolling-202101 snapshot

  • T2927 (bug): isc-dhcpd release and expiry events never execute


  • T3382 (bug): Error creating Console Server


  • T3387 (bug): Command "Monitor vpn ipsec"  is not working


  • T3388 (bug): show interfaces doesn't display pppoeX

  • T3211 (feature): ability to redistribute ISIS into other routing protocols


  • T3377 (bug): show interfaces throws error


  • T3375 (bug): Interface becomes up at boot even when disabled


  • T3370 (bug): dhcp: Invalid domain name "private"

  • T3369 (feature): VXLAN: add IPv6 underlay support

  • T3363 (bug): VyOS-Build interactive prompt when using Podman

  • T3320 (bug): Bgp neighbor peer-group without peer-group fail


  • T3365 (bug): Bgp neighbor interface ordering for remote-as

  • T3225 (bug): Adding a BGP neighbor with an address on a local interface throws a vyos.frr.CommitError: Configuration FRR failed while committing code: ''

  • T3368 (feature): macsec: add support for gcm-aes-256 cipher

  • T3173 (feature): Need 'nopmtudisc' option for tunnel interface


  • T3324 (bug): Bgp space in the password

  • T3357 (default): HTTP-API redirect from http correct https port

  • T3323 (bug): Bgp ttl-security and ebgp-multihop fail


  • T3303 (feature): Change welcome message on boot


  • T3322 (bug): Bgp neighbor timers not applyed to FRR config

  • T3327 (bug): OSPFv3: Cannot add dummy interface


  • T3331 (bug): Bgp unsuppress-map should be as "value leafNode"

  • T3330 (bug): Bgp capability orf prefix-list fail

  • T3163 (feature): ethernet ring-buffer can be set with an invalid value


  • T3326 (bug): OSPFv3: Cannot add L2TPv3 interface

  • T3332 (bug): BGP unnumbered - UnboundLocalError: local variable 'peer_group' referenced before assignment


  • T3259 (default): many dnat rules makes the vyos http api crash, even showConfig op timeouts


  • T3312 (feature): SolarFlare NICs support


  • T3313 (bug): ospfv3 interface missing options

  • T3318 (feature): Update Linux Kernel to v5.4.208 / 5.10.142


  • T3311 (bug): BGP Error: Remote AS must be set for neighbor or peer-group


  • T2848 (feature): bgp-add-path configuration options


  • T3301 (bug): Wrong format and valueHelp for policy as-path-list regex


  • T3281 (default): Rewrite protocol RIPng