github ovh/the-bastion v3.18.99-rc1
on GitHub

pre-release5 days ago

⚡ Security

  • No security fixes since previous release
  • Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

Will 2025 be the year of IPv6? Let's not try to answer this controversial question and just say that the main change of this pre-release is drum roll the official support of IPv6!
Most of the code was already IPv6-aware, but in some places IPv4 was assumed so these all have been adjusted to work with both IP versions.
Note that by default, IPv6 support is disabled, we've introduced the IPv6Allowed boolean option in bastion.conf that you must set to true to allow egress connections in IPv6. We've also taken this opportunity to add an IPv4Allowed option, which is enabled by default, you can set it to false should you want to have a strictly IPv6-only bastion!
A lot of tests have been added to ensure everything works correctly with this change, but as this is still an important change, and only a few tests have been done in-the-field yet, this'll be a pre-release for a few weeks.

We've also taken this opportunity to make a few other changes, such as:

  • speeding up the is_valid_ip check (35% speedup, noticeable for groups with thousands of ACLs)
  • set ECDSA as the default algorithm for generated egress keys instead of RSA, for new installs only (defaultAccountEgressKeyAlgorithm)

Some work has also been done around the unit tests (using the more standard TAP::Harness) and functional tests (speeding them up).

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

  • feat: IPv6 support
  • chg: set ECDSA as default egress key algo for new installs
  • chg: groupInfo: remove deprecated JSON fields
  • enh: 35% faster is_valid_ip() when fast=1
  • enh: accountInfo: add osh-only information for accounts
  • enh: tests: add --skip-functional-tests and --skip-unit-tests
  • fix: accountInfo: don't attempt (and fail) to display info non-auditors don't have access to
  • fix: groupInfo: don't attempt to (and fail) display the guest list when account doesn't have access to it
  • fix: deny subnets for nc, mtr, ping, alive plugins
  • fix: is_in_any_net: support matching subnets
  • chore: faster tests by removing grant/revoke command dance
  • chore: tests: no longer run consistency check by default
  • chore: use proper naming of 'subnet' instead of 'prefix' or 'slash'
  • chore: use TAP::Harness for unit tests

⏩ Upgrading

Check out latest releases or
releases around ovh/the-bastion v3.18.99-rc1

Don't miss a new the-bastion release

NewReleases is sending notifications on new releases.

Get notifications