I finally managed to narrow this down further. This problem is caused by enabling the extended nexthop capability. FRR intentionally sends RAs when this capability is enabled, althought so far I don't understand why. I opened a discussion in the FRR repo: https://github.com/FRRouting/frr/discussions/15994

Just so I dont get the vocabulary wrong here...

Ill put it into "known issue" since IMHO a complete "resolved" would be when this feature exists in config-mode aswell.

Feel free to reopen it, but I'm not expecting it to be implemented.

The thing is that adding this as op-mode only doesnt really solve anything.

I think the original request was Add ability to resequence rule numbers for firewall, and we added this tool.
Auto-Apply configuration based on this tool is the wrong way. We haven't had such hacks before and probably won't implement them in the nearest feature.
All configuration changes have to be only per user commit; there should not be any auto-commits/auto applies configs. We have API for these tricks.
CLI is completely different from the cisco/arista logic.

Also NAT-rules are in the need of a resequence feature in the config-mode:

I'm closing this task a solution was included. I'm not in favor of introducing similar command in configuration mode.

Should be fixed after rewriting commit-archive T6304

PR https://github.com/vyos/vyos-1x/pull/3386

Thanks for the hints, that makes sense. Let's see how that can be implemented :)

For added service when typing just:

You would still be limited to not be able to use " as part of your password.

There should also be migration scripts, as CLI will be changed.

Proposal:

set system config-management commit-archive uri "stor01z-cs.int.trae32566.org/cr01b-vyos"
set system config-management commit-archive scheme "sftp"
set system config-management commit-archive username "cr01b"
set system config-management commit-archive password "$T3$TP@$$W0^%"

We could improve it by breaking up configuration, having the user providing a URI, Protocol and optional username/password as separate values.
Then we can properly encode username/password. This would also give more flexibility how username/password are handled and passed on.

In both cases it is kind of an user error, the password would have to be properly url encoded if provided in one (@ should be %40 in an URI, a ! should be %21).

Running into this issue on VyOS 1.5-rolling-202404280021

set protocols static route xxx.xxx.74.149/32 dhcp-interface eth1.999

@modzilla99 Could you provide an example of set commands to reproduce?

I decided to dig into this a little more and try to trace this out:

side note, if you flush ruleset, and only add:

Something I just figured out is that the minute I do: