SD-WAN 6.6 release notes
We are pleased to announce the release of SD-WAN 6.6. This release replaces the iptables-based firewall system with nftables, which makes starting the firewall and applying changes faster and improves the achievable throughput in many scenarios.
Major Features
The classification and policy engine has been rewritten to use nftables:
nftables is a packet classification framework for Linux that replaces the old iptables.
The primary benefit of nftables is that it has more advanced rule matching, allowing for rulesets to be much smaller compared to iptables, particularly on aggregators.
Single-bond performance gains of 12% with QoS enabled and 17% without were measured in our lab.
This new engine has also improved start-up times and reliability on aggregators and bonders.
Errata
Warning
Any nodes with hooks that use iptables will need nftables-compatible versions of those hooks to avoid losing functionality on upgrade.
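The following is an added illustration (not the product's own hook or firewall code) of the two points above: why an nftables ruleset is smaller than its iptables equivalent, and what converting an iptables-style hook to nftables looks like. It renders the same allow-list twice, once as one iptables rule per address and once as a single nftables rule that matches a named set, then counts the rules. The port numbers are SaltStack's defaults (4505/4506); the table, chain and set names and the sample addresses are assumptions constructed for the example.

```shell
#!/bin/sh
# Added illustration, not the product's own hook or firewall code.
# Same allow-list rendered two ways: one iptables rule per address, and a
# single nftables rule that matches a named set.  Ports are the SaltStack
# defaults (4505/4506); table, chain and set names are assumptions.

# iptables form: the rule count grows with the number of addresses.
render_iptables_allowlist() {
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp -m multiport --dports 4505,4506 -s %s -j ACCEPT\n' "$ip"
    done
    printf 'iptables -A INPUT -p tcp -m multiport --dports 4505,4506 -j DROP\n'
}

# nftables form: addresses go into a set, so the chain always has two rules.
# An empty address list yields an empty set (no "elements" line), which nft
# accepts, so the drop rule still applies.
render_nft_allowlist() {
    printf 'table inet filter {\n'
    printf '    set salt_peers {\n'
    printf '        type ipv4_addr\n'
    if [ "$#" -gt 0 ]; then
        printf '        elements = { '
        sep=""
        for ip in "$@"; do
            printf '%s%s' "$sep" "$ip"
            sep=", "
        done
        printf ' }\n'
    fi
    printf '    }\n'
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy accept;\n'
    printf '        tcp dport { 4505, 4506 } ip saddr @salt_peers accept\n'
    printf '        tcp dport { 4505, 4506 } drop\n'
    printf '    }\n'
    printf '}\n'
}

# Rule counts for comparison: iptables command lines vs nft verdict lines.
count_iptables_rules() { render_iptables_allowlist "$@" | grep -c '^iptables '; }
count_nft_rules() { render_nft_allowlist "$@" | grep -c -E ' (accept|drop)$'; }

# Parse-check the generated ruleset without loading it (nft -c -f).
# Only attempted when nft is installed and we are root; otherwise "skipped".
check_nft_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        tmp=$(mktemp) && render_nft_allowlist "$@" > "$tmp"
        nft -c -f "$tmp" && echo "nft syntax ok"
        rm -f "$tmp"
    else
        echo "nft check skipped (nft missing or not root)"
    fi
}

# Constructed sample: three aggregator addresses from a documentation range.
PEERS="192.0.2.10 192.0.2.11 192.0.2.12"
echo "# iptables: $(count_iptables_rules $PEERS) rules"
render_iptables_allowlist $PEERS
echo "# nftables: $(count_nft_rules $PEERS) rules"
render_nft_allowlist $PEERS
check_nft_ruleset $PEERS
```

With three addresses the iptables form is four rules and the nftables form is two; adding more aggregators grows only the set, not the chain, which is the property the release notes describe for aggregators. Running the generated ruleset through `nft -c -f` before a hook is deployed catches syntax errors without touching the live firewall.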
Note
All nodes must be rebooted as part of the 6.6 upgrade in order to ensure the correct kernel and modules are in use.
Note
A legacy method of private WAN, which has not been supported for several releases, has had the remaining functionality removed from the bonding installation. This method was implemented as a series of connected IP and route hooks on an aggregator, not using any of the private WAN configuration on the management server. If you are still using this sort of configuration you must migrate to a supported version of private WAN or else you will run into an outage during an aggregator upgrade to 6.6.
Note
32-bit Debian 8 is no longer supported and will not be upgradable to 6.6.
Deprecations
Note
We have updated our deprecation policy for Debian releases. Wheezy is only supported up to 6.4, and we now have ongoing support for Stretch and Buster. See Debian release support for the full details.
Traffic originating on the bonder will no longer be directed through the TCP proxy.
SALSA20 is no longer an encryption option.
TLSv1 and TLSv1.1 are no longer considered secure and cannot be used in nginx configuration.
32-bit nodes are not supported on Stretch and Buster.
Some ICMP types to filter against in a QoS profile have been deprecated as they are not supported by our new classification and policy engine.
Bondingadmin
Additions:
The following fields have been added to the aggregator endpoint in the Bondingadmin API. These fields have defaults and are not required so old API calls will function as normal:
mesh_encryption_tso_enabled
failover_check_interval
failover_check_recv_timeout
failover_check_fail_threshold
failover_check_recovery_checks
failover_check_max_flap_checks
The DNS servers for each individual bonder can now be set. These are used for name resolution when connecting to the management server and when performing updates. By allowing them to be modified on a per-bonder basis, private and ISP-specific DNS servers may be used when public DNS is blocked by providers.
Passwords of user accounts can be changed through the API.
Added an option to include aggregator space interfaces in Babel when private WAN uses managed mesh, for optimal routing.
Security: the salt-master service is now protected by only allowing access from known aggregator IPs and PWAN route IPs.
Security: SaltStack has been upgraded to version 2018.3.5 with the latest security patches
Fixes:
Bonders are now updated correctly when the Replify enterprise manager setting is updated.
The routing group mesh for a space is now correctly enabled for a routing group that has no bonds in the space but does contain an aggregator with an interface and/or routing protocol in that space.
Changing a space key properly regenerates ISOs for that space.
Creating a DNS caching service that uses multiple connected IPs is properly handled.
Deleting a space no longer removes the ISO folders from the space and prevents ISO creation for the space.
Routing loop prevention filters are created in managed mesh configuration.
Route validation logic is hardened to handle conflicts correctly.
Internal mesh and external mesh interfaces are properly created when managed mesh is enabled.
Improved check for kernel version mismatch on aggregators and bonders.
Bonding Node
Warning
With the implementation of the nftables-based classification and policy engine, iptables is now disabled during the installation of Bonding 6.6 so as to not conflict with nftables. This does not remove the iptables package from the node. However, if you attempt to run any iptables command you will encounter a warning.
Warning
Starting with 6.6, bonders require a reboot after kernel updates. The upgrade process will notify you when this is the case.
Note
The salt-minion service no longer writes errors to /var/log/salt/minion to prevent unnecessary disk usage.
Additions:
Since nodes will require a reboot after kernel upgrades, the upgrade process now offers to reboot when the kernel is updated.
Improved source address selection for leg routes.
Fixes:
Aggregators now route to tunnel IP addresses without requiring a bind to the aggregator-side tunnel address. This restores the ability to easily ssh to a bonder directly from the aggregator.
When the salt-minion key is recreated the salt-minion restarts automatically.
Tunnel bypass properly functions on PPPoE legs.
Mobile broadband legs will properly set addressing after the interface starts.
External requests to the bonder’s web server can no longer bypass the firewall when TCP proxy is enabled.
Private WAN router nodes will use the local gateway in their routing group, even when there are multiple gateways in separate routing groups.
The CPU usage remaining the same between two periods during a speedtest no longer crashes the node.