The source/destination domain-group matcher is available in route policy, but it is not working.

Steps to reproduce the error on a fresh install:
vyos@vyos# set firewall group domain-group dg01 address example.com
[edit]
vyos@vyos# set policy route FOO rule 10 destination group domain-group dg01
[edit]
vyos@vyos# set policy route FOO rule 10 action drop
[edit]
vyos@vyos# commit
[ policy route FOO ]
Failed to apply policy based routing

[[policy route FOO]] failed
Commit failed
[edit]
vyos@vyos# compare
[edit policy]
+route FOO {
+    rule 10 {
+        action drop
+        destination {
+            group {
+                domain-group dg01
+            }
+        }
+    }
+}
[edit]
Additional info: the domain-group is referenced in the rule, but the named set is not defined in the mangle table (it is only created in the vyos_filter table):
vyos@vyos# cat /run/nftables_policy.conf
#!/usr/sbin/nft -f

table ip mangle {
    chain VYOS_PBR_FOO {
        ip daddr @D_dg01 counter drop comment "FOO-10"
    }
}

vyos@vyos# sudo nft list table ip vyos_filter
table ip vyos_filter {
    set D_dg01 {
        type ipv4_addr
        flags interval
    }
...
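For context on why the commit fails: in nftables a named set belongs to the table that declares it, so a rule in `table ip mangle` cannot reference `@D_dg01` while that set only exists in `table ip vyos_filter`. The fragment below is an added illustration of a self-consistent mangle table, not VyOS's generated configuration or an actual fix from the project; the set elements are constructed placeholders standing in for whatever `example.com` resolves to, which the report does not show.

```nft
#!/usr/sbin/nft -f
# Added illustration (not the VyOS-generated file): the set must be declared in
# the same table as the chain that references it. Element addresses are
# constructed placeholders, not the real resolution of example.com.
table ip mangle {
    set D_dg01 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }
    }

    chain VYOS_PBR_FOO {
        # Same rule as in /run/nftables_policy.conf; @D_dg01 now resolves
        # because the set lives in this table.
        ip daddr @D_dg01 counter drop comment "FOO-10"
    }
}
```

A quick way to confirm the diagnosis without touching the live ruleset is `sudo nft -c -f /run/nftables_policy.conf`: the `-c` (check) flag parses and validates the file only, and for the original file it reports the unknown set reference rather than a generic "Failed to apply policy based routing".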