I'm no expert here nor extremely strongly opinionated. My thoughts though: if there's no exact equivalent, why try to re-implement the recent functionality with nftables at "all" cost?
Jan 28 2022
Jan 27 2022
With nftables, this should in principle be possible with nested variables, and the firewall groups are based on these now.
Jan 18 2022
Jan 14 2022
@sdev: in your original commit for this task, recent rules are somehow semi-discarded (the time/counter condition will not be written out; however, the action will be written out) because of an apparent problem with nftables in this area.
Jan 13 2022
See comment in T4164: is working now.
See comment in T4164: my config runs through easily now.
@sdev this (and the other fixes) look promising: after upgrading to the latest rolling release from 13.1.2022, both the example provided in the ticket as well as my config (a copy of my production setup with rules covering PBR, empty groups, references to "defines" in PBR rules) ran through easily. My production config created no errors when loading the config after the update.
Jan 10 2022
I just realized it's getting more complicated, as python/vyos/firewall.py will later write out the rules for these empty groups and, when reading them in, nftables will complain (again) when trying to resolve them, e.g.
To my understanding, the template data/templates/firewall/nftables.tmpl is probably the culprit, as it doesn't check whether group_conf.address (and similarly the others) has any elements at all, and so introduces the offending white-space:
Jan 9 2022
Dec 28 2021
@Viacheslav, appreciate your question, and yes, there is:
Nov 22 2021
Oct 31 2021
Will be added in the next rolling release, @johannrichard could you test it?