Seems to have fixed it

@adestis Could you share commands, on how to reproduce this bug? Thanks.

PR:
https://github.com/vyos/vyos-1x/pull/1180/files

From ISC-DHCP manual pages:
https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcp-options

PR : https://github.com/vyos/vyos-1x/pull/1179

PR for required interface "nodes" https://github.com/vyos/vyatta-cfg-firewall/pull/30

In fact you find a new bug in 1.4

Seems to be working fine as far as I can see.

Hello @Viacheslav, thanks for reply, so, if you'll bridge vtun94 and eth0.94 to br94 will it work in L2 level?
Did you push this update to nightbuild?

Some details in T4193

Resolved in T3873

PR: https://github.com/vyos/vyos-1x/pull/1178

PR: https://github.com/vyos/vyos-1x/pull/1177

Okay, thanks for the update. I have found a conntrack issue in the code. Will have a fix in shortly.

Looks like I see the same issue for 1.3.0. Reproducing steps:

set interfaces ethernet eth1 address 'dhcp'
set protocols static table 1 route 0.0.0.0/0 dhcp-interface eth1

Thanks, this does fix the ICMP issue, however rule 10 which is supposed to accept packets with related/established states (say a HTTP response following a request), doesn't seem to match any packets, and the packets get dropped by the default rule.

TCP Flags seems to be working on firewall filter config.

Tested on VyOS 1.4-rolling-202201180317 and working as expected

Fixed in 1.4 PR: https://github.com/vyos/vyos-1x/pull/1176

@klipz In my case, the only problem is adding the wlan interface to the bridge at startup (looks like an order thing), when vyos is started (and the wlan interface is up) no problem to add it to the bridge witth the CLI.

The XDP proof of concept program that is availbale in 1.4 does not support 802.1q - those headers are not parsed and processed.

What would be the use-case? We can start PDNS in one VRF context only.

PR for ping https://github.com/vyos/vyos-1x/pull/1175

You need to remove the state new match on the rule and it'll work.

Close the task
@Watcher7 Re-test it or describe steps hot to reproduce, as since 1.2-rc2 was implemented a lot of changes regarding vrf + frr.
You can set both vrf + next-hop address

I experience the same problem of VyOS failing to add wlan0 to bridge, which persists in all 1.3-epa and 1.3-LTS versions, as well as 1.4 nightly builds.

Tested and working as expected on VyOS 1.4-rolling-202201150317

There are some issues with powerdns in vrf context.

Included those flags in PR: https://github.com/vyos/vyos-1x/pull/1174

Think 2 flag options should be added.
According to nft wiki these are all the flags that nft could match: tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}

Included in PR: https://github.com/vyos/vyos-1x/pull/1174

It is a different task, it extends only the range which you can to use for rule numbers.
For example, if you want 3 rules
Rule 100, rule 1000, rule 10000 etc.
Accepting time it is another task. B.t.w firewall was rewritten in 1.4, I hope that commit time was decreased.

I think we will have a problem with such a large number of rules. Now, if there are 1500 vyos rules, it takes 30 minutes to load. If there are 999999 rules, it will take a very long time to load.

Thanks, will include a fix in a PR shortly

I can see the fix, but now trying invert selection on tcp flags doesn't work

PR: https://github.com/vyos/vyos-1x/pull/1173

Testing this feature in VyOS 1.4-rolling-202201100317 I'm getting some unexpected behavior.
Config:

For full support we need this added to FRR: https://github.com/FRRouting/frr/pull/9204

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1172

PR https://github.com/vyos/vyos-1x/pull/1171

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1170

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1170