Firewall unexpectedly changes some sysctl options.
Initial configuration:

    set system sysctl parameter net.netfilter.nf_conntrack_tcp_loose value '0'
    set firewall ipv4 input filter rule 5 action 'accept'
    set firewall ipv4 input filter rule 5 inbound-interface interface-name 'lo'
    set firewall ipv4 input filter rule 5 source address '127.0.0.0/8'
Confirm that nf_conntrack_tcp_loose is 0, then change any firewall rule.

After the commit the kernel reports the value 1:

    vyos@r4# echo 0 | sudo tee /proc/sys/net/netfilter/nf_conntrack_tcp_loose
    0
    vyos@r4# cat /proc/sys/net/netfilter/nf_conntrack_tcp_loose
    0
    vyos@r4# set firewall ipv4 input filter rule 5 description foo
    [edit]
    vyos@r4# commit
    [edit]
    vyos@r4#
    [edit]
    vyos@r4# cat /proc/sys/net/netfilter/nf_conntrack_tcp_loose
    1
    [edit]
    vyos@r4#
The reason is here: https://github.com/vyos/vyos-1x/blob/38cab26959ded78a737db2272fe25106a2de47b0/data/templates/conntrack/sysctl.conf.j2#L9 . The conntrack sysctl template writes its own value for this key and does not take the system sysctl options into account, so every firewall commit re-applies the template value on top of the operator's setting.
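The practical risk is that two configuration sources write the same kernel key and the last writer wins silently. For nf_conntrack_tcp_loose that matters: with the value 1 conntrack creates entries for TCP flows whose handshake it never saw, so a rule that accepts "established" traffic can match packets of connections the firewall never validated; an operator who sets 0 wants that pickup disabled. The following script is an added example, not code from the bug report or from the vyos-1x project: it parses sysctl.conf-style files and reports keys that are defined with conflicting values, which is the check to run after a commit to catch exactly this kind of drift. The file names, paths and values are constructed for the demo; the real location of the generated conntrack file and of the system sysctl fragments is not stated on this page and is an assumption you would replace with the paths on your system.

```shell
#!/bin/sh
# Added example (not part of the VyOS bug report or the vyos-1x project).
# Finds sysctl keys that are set to different values in two or more
# sysctl.conf-style files, e.g. the operator's "set system sysctl" output
# versus a template-generated conntrack file.

# sysctl_conflicts FILE...
#   prints "key: v1 (file1) != v2 (file2)" for each key whose value differs
#   between files; exit status 1 if any conflict was found, 0 otherwise.
sysctl_conflicts() {
    # Normalise every "key = value" line into "file key value": drop
    # comments and blank lines, strip leading whitespace, and accept both
    # "key=value" and "key = value" spellings.
    for f in "$@"; do
        sed -e 's/#.*$//' \
            -e '/^[[:space:]]*$/d' \
            -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]]*=[[:space:]]*/ /' \
            -e "s|^|$f |" "$f"
    done | awk '
        BEGIN { rc = 0 }
        { file = $1; key = $2; val = $3 }
        key in seen && seen[key] != val {
            printf "%s: %s (%s) != %s (%s)\n", key, seen[key], where[key], val, file
            rc = 1
        }
        !(key in seen) { seen[key] = val; where[key] = file }
        END { exit rc }
    '
}

# demo_conflicts builds two constructed fragments in a temporary directory
# and runs the check on them; it returns the exit status of sysctl_conflicts.
demo_conflicts() {
    dir=$(mktemp -d)
    # Constructed: what the operator's "set system sysctl parameter
    # net.netfilter.nf_conntrack_tcp_loose value '0'" is intended to yield.
    cat > "$dir/10-operator.conf" <<'EOF'
# constructed operator fragment
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.ip_forward = 1
EOF
    # Constructed stand-in for a template-generated conntrack sysctl file
    # that hard-codes the key (file name is an assumption, not VyOS's path).
    cat > "$dir/20-conntrack.conf" <<'EOF'
# constructed generated fragment
net.netfilter.nf_conntrack_tcp_loose = 1
net.ipv4.ip_forward = 1
EOF
    (cd "$dir" && sysctl_conflicts 10-operator.conf 20-conntrack.conf)
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

if demo_conflicts; then
    echo "no conflicting sysctl values"
else
    echo "conflicting sysctl values found (exit status 1)"
fi
```

Running the demo prints one line for nf_conntrack_tcp_loose (0 in the operator fragment, 1 in the generated one) and nothing for ip_forward, which both files agree on. On a live router the same function can be pointed at the actual fragments, and the result should be paired with a read of the running value, `sysctl -n net.netfilter.nf_conntrack_tcp_loose`, right after each commit, since the files only tell you what was written, not which write landed last.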