==================================
SD-WAN 6.6 release notes
==================================

We are pleased to announce the release of SD-WAN 6.6. This release
replaces the iptables-based firewall system with nftables, which starts
and applies changes faster and improves the achievable throughput in
many scenarios.

Major Features
--------------

The classification and policy engine has been rewritten to use *nftables*:

- *nftables* is a packet classification framework for Linux that replaces the
  old *iptables*.
- The primary benefit of *nftables* is that it has more advanced rule matching,
  allowing for rulesets to be much smaller compared to *iptables*, particularly
  on aggregators.
- Single-bond performance gains of **12%** with QoS enabled and **17%** without
  were measured in our lab.
- This new engine has also improved start-up times and reliability on
  aggregators and bonders.

Errata
------

.. warning::

    Any nodes which had hooks using iptables will need nftables-compatible
    versions of those functions to avoid losing functionality on
    upgrade.

.. note::

    All nodes must be rebooted as part of the 6.6 upgrade in order to ensure the
    correct kernel and modules are in use.

.. note::

    A legacy method of private WAN, which has not been supported for several
    releases, has had the remaining functionality removed from the bonding
    installation. This method was implemented as a series of connected IP and
    route hooks on an aggregator, not using any of the private WAN configuration
    on the management server. If you are still using this sort of configuration
    you **must** migrate to a supported version of private WAN or else you will
    run into an outage during an aggregator upgrade to 6.6.

.. note::

    32-bit Debian 8 is no longer supported and will not be upgradable to 6.6.

Deprecations
------------

.. note::

   We have updated our deprecation policy for Debian releases. Wheezy is only
   supported up to 6.4, and we now have ongoing support for Stretch and Buster.
   See `Debian release support <../software-releases-and-upgrades/deprecation-policy.html#debian-release-support>`__
   for the full details.

- Traffic originating on the bonder will no longer be directed through the TCP proxy.

- SALSA20 is no longer an encryption option.

- TLSv1 and TLSv1.1 are no longer considered secure and cannot be used in nginx configuration.

- 32-bit nodes are not supported on Stretch and Buster.

- Some ICMP types to filter against in a QoS profile have been deprecated as they are not
  supported by our new classification and policy engine.

Bondingadmin
------------

Additions:

- The following fields have been added to the aggregator endpoint in the Bondingadmin API.
  These fields have defaults and are not required so old API calls will function as normal:

  - ``mesh_encryption_tso_enabled``
  - ``failover_check_interval``
  - ``failover_check_recv_timeout``
  - ``failover_check_fail_threshold``
  - ``failover_check_recovery_checks``
  - ``failover_check_max_flap_checks``

- The DNS servers for each individual bonder can now be set. These are used for name resolution
  when connecting to the management server and when performing updates. By allowing them to be
  modified on a per-bonder basis, private and ISP-specific DNS servers may be used when public
  DNS is blocked by providers.

- User account passwords can now be changed through the API.

- Added an option to include aggregator space interfaces in Babel when private WAN uses managed mesh, for optimal routing.

- Security: the salt-master service is now protected by allowing access only from known aggregator IPs and private WAN route IPs.

- Security: SaltStack has been upgraded to version 2018.3.5 with the latest security patches.

Fixes:

- Bonders are now updated correctly when the Replify enterprise manager setting is updated.

- The routing group mesh for a space is now correctly enabled for a routing group that has no
  bonds in the space but does contain an aggregator with an interface and/or routing
  protocol in that space.

- Changing a space key properly regenerates ISOs for that space.

- Creating a DNS caching service that uses multiple connected IPs is properly handled.

- Deleting a space no longer removes the ISO folders from the space or prevents ISO creation for the space.

- Routing loop prevention filters are now created in managed mesh configuration.

- Route validation logic has been hardened to handle conflicts correctly.

- Internal mesh and external mesh interfaces are properly created when managed mesh is enabled.

- Improved the check for kernel version mismatches on aggregators and bonders.


Bonding Node
------------

.. warning::

   With the introduction of the nftables-based classification and policy engine, iptables
   is now disabled during the installation of Bonding 6.6 so that it does not conflict with
   nftables. This does not remove the iptables package from the node; however, if you attempt
   to run any iptables command you will encounter a warning.

.. warning::

   Starting with 6.6, bonders require a reboot after kernel updates. The upgrade process will
   notify you when this is the case.

.. note::

   The salt-minion service no longer writes errors to /var/log/salt/minion to prevent
   unnecessary disk usage.

Additions:

- Since nodes will require a reboot after kernel upgrades, the upgrade process now offers to
  reboot when the kernel is updated.

- Improved source address selection for leg routes.

Fixes:

- Aggregators now route to tunnel IP addresses without requiring a bind to the aggregator-side
  tunnel address. This restores the ability to easily SSH to a bonder directly from the aggregator.

- When the salt-minion key is recreated the salt-minion restarts automatically.

- Tunnel bypass properly functions on PPPoE legs.

- Mobile broadband legs will properly set addressing after the interface starts.

- External requests to the bonder's web server can no longer bypass the firewall when TCP proxy
  is enabled.

- Private WAN router nodes will use the local gateway in their routing group, even when there are
  multiple gateways in separate routing groups.

- CPU usage that remains unchanged between two measurement periods during a speed test no longer
  crashes the node.
