==================================
SD-WAN 6.7 release notes
==================================

We are pleased to announce the release of SD-WAN 6.7. This release brings
improvements to the management server database, support for bridge interfaces,
as well as a number of new API endpoints.

Major Features
--------------

- Improved scalability of the management server database. This prevents issues
  that could sometimes result in configuration updates getting stuck on servers
  with a large number of nodes.
- Implemented support for bridge interfaces. Details about configuration can be
  found in the
  `documentation </docs/bonds/interfaces.html#bridge-interface-options>`__.
- A new beta frontend which provides a modern streamlined experience is
  available. Check it out `here </beta/>`__.
- Added API endpoints for warnings and alerts. These endpoints offer increased
  observability for nodes and bonds, including:

  - Bond tunings, interfaces, legs, connected IPs, routes, services, details,
    and statuses.
  - Node protocols, filters, details, and statuses.

Deprecations
------------

.. warning::

    Debian 8 "Jessie" and Debian 9 "Stretch" will be deprecated in Bonding 6.8.

- Minimum MTU has been removed for legs. The API now returns 0, so existing
  queries will continue to function as normal.
- The Replify WAN optimization feature has been removed


Bondingadmin
------------

.. note::

    Flow collectors using the management VPN IP that share the same port should
    no longer be assigned to the same bond. Doing so could prevent traffic from
    being sent to the flow collector.

.. note::

  Gateway aggregators are now called persistent aggregators.

Additions:

- Bondingadmin now uses nftables instead of iptables for rule management.
- Bonding repositories now take up less storage space on bondingadmin.
- Bondingadmin now sends QoS profiles to aggregators only if they are needed,
  rather than all profiles on bondingadmin. This was known to cause longer load
  times for nftables on aggregators with a large number of profiles.
- A single static address can now be defined for routing group VLAN assignments.
- Multiple bonds can now have different connected IPs in the same subnet when
  included in private WAN.
- Interfaces now contain a free-form note field, similar to legs.
- The documentation has been updated to include PXE support for Debian 10
  "Buster". Configuration details can be found
  `here </docs/extending-bonded-internet/pxe-provisioning-server.html>`__.
- API endpoints have been added for creating and deleting QoS profiles.
- Access to salt-master has been added to bondingadmin but is restricted to only
  aggregator IPs.
- Network filters on bonds now allow minimum and maximum prefix lengths.
- Improved handling for errors reported by nodes. This could sometimes result in
  high CPU usage on bondingadmin.
- Aggregators and bonders can now be modified in bulk through API PATCH
  requests.
- Users are no longer able to delete spaces with associated resources. This
  prevents accidental deletion of items like classification profiles and flow
  collectors.
- ISOs for a space are now removed when the space is deleted.
- The node setup page has been updated to include Bonding installation
  instructions for RHEL 8 and openSUSE Leap 15.4.
- Bonding repos for all distributions are now accessible via the new endpoint
  `/download/ </download/>`__. For compatibility reasons, the Debian repos will
  continue to be accessible via the old url structure as well.
- A new beta frontend was added under ``/beta/``. It can be enabled as the
  default frontend by running ``bondingadmin-frontend-beta`` on the management
  server. The classic frontend can be restored by running
  ``bondingadmin-frontend-classic`` on the management server.
- Added a "Service Name" field for PPPoE legs
- Support for OpenSUSE Leap 15.4 has been added
- Spaces and QoS profiles will now run on any primary or secondary aggregators, not
  just the current aggregator.

Fixes:

- Routes can now overlap on different bonds.
- Fixed an issue where setting the cost value on a BGP protocol could result in
  connectivity issues between nodes.
- Fixed an issue that resulted in delayed start times for speed tests on servers
  with a large number of nodes.
- Fixed an issue where the repositories on bondingadmin would reset to the
  latest version.
- Fixed the method of exporting traffic to flow collectors using the management
  VPN IP as the source IP policy.
- QoS charts on bonds now include data from previously active profiles.
- Flow collectors can now be included in bond creation API requests.
- Fixed an issue where changing the space of a QoS profile would result in an
  error.
- The 'Ethernet interface' field on a VLAN interface can no longer be edited
  after creating the interface.
- Bond protocols and filter permissions are no longer dependent on route
  permissions.
- Added a fix for LetsEncrypt expired certificates on devices running Debian 8
  "Jessie".
- Fixed an issue that caused the upgradebonders script to fail.
- Fixed an issue where mobile broadband charts on bonds would not show any data.
- Fixed an issue where the incorrect support email was being used for nodes.
- Attempting to delete a routing group VLAN assignment now shows the correct
  error message.
- Fixed an issue where adding a private WAN gateway on a space would have no
  effect.
- Fixed an issue where aggfail would move bonds to a secondary aggregator even if it was down.
- API will no longer reject requests without CSRF token if token authentication is used.
- Fixed an issue where dns server updates were being set to the previous version.
- Fixed an issue where outage stats for the day were not updated if a connection issue
  happened during an update.
- Fixed an issue where inherited aggregators were not being shown for child spaces.


Bonding Node
------------

Additions:

- Optimized how nftables works on nodes, leading to faster rule loading times
  all around.
- /32 IPv4 DHCP addresses are now properly supported.
- Aggregators now support a single static address for routing group VLAN
  assignments.
- Updated the collect-bonding-info script to capture additional information.
- Improved security and portability of bonding hooks.

Fixes:

- Fixed an issue where the tunnel process could sometimes reach high CPU usages
  on aggregators.
- Fixed issues related to TCP proxy and CPE NAT IPs.
- Fixed an issue that caused TCP proxy rules to break nftables on aggregators.
- Fixed an issue with salt key not being sent to bondingadmin.
- Fixed an issue where tunnel did not properly handle TCP packets with an option
  length of 0.
- Fixed compatibility issues with the bonding-setup script on RHEL8.
- Fixed an issue where 6.6 nodes would try to load iptables after upgrading and
  crash.
- Fixed an issue related to VXLAN rules on RHEL8 that would cause nftables to
  crash.
- Fixed an issue where TCP MSS clamped packets would contain the incorrect TCP
  checksum value.
- Fixed an issue with SSL encryption on nodes that would require a reboot to
  bring them back online.
- Nodes can now restore the physical MAC address on an interface after setting
  and removing a custom one through bondingadmin.

Changes:

- DHCP services ``udhcpc`` and ``dhclient`` have been changed to ``dhcpv4-client`` and
  ``dhcpv6-client``, respectively.

