Right now, VyOS cannot act as a transparent firewall. It requires either ebtables or the nftables bridge table. There's was never any support for ebtables, and there's no nftables support in any LTS version. But the transparent firewall is still a valid use case, and the lack of it surely prevents a number of people from using VyOS on their firewalls.

Since we are migrating to nftables in 1.4/Sagitta, implementing ebtables support is obviously a no-go. However, the new implementation is far from production-ready, and people already found a whole bunch of bugs in it since it was merged lately.

The most sensible option seems to be a limited backport of the nftables code just for bridge firewalls.

The old configuration mode CLI for firewall rules will be reused. As in, both the old Perl code that generated iptables rules from it to use in filter and NAT tables, and the new code that generates nftables rules for the bridge table will look for rules in the old set firewall ... configuration subtree.

The new code will not touch any tables other than bridge, so the old firewall and NAT functionality will not be affected by any possible bugs in the new implementation.

The operational mode CLI will have to be imported wholesale, though; but we'll put it into a separate sub-tree to let the old command work as before.

The only new configuration mode CLI will be commands for assigning bridge firewalls to interfaces.

set interfaces bridge br0 firewall bridge <name|ipv6-name> $ruleset

Firewall groups will be duplicated in IPsec for the old implementation and in nftables variables for the new ones.

When both IPv4 and IPv6 firewalls are assigned to an interface, we need to merge those rulesets. I think best we can do is to add protocol family option to every generated rule so that the rules have effect only for the protocol they were meant for.

The op mode will likely be run show firewall bridge ....