
Both show firewall group and show firewall summary fails
Status: Closed, Resolved (Public, BUG)

Description

Both show firewall and show firewall statistics work.

But show firewall group fails:

vyos@vyos:~$ show firewall group
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/firewall.py", line 434, in <module>
    show_firewall_group(args.name)
  File "/usr/libexec/vyos/op_mode/firewall.py", line 338, in show_firewall_group
    references = find_references(group_type, group_name)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/firewall.py", line 303, in find_references
    for rule_id, rule_conf in priority_conf['rule'].items():
                              ~~~~~~~~~~~~~^^^^^^^^
KeyError: 'rule'

And so does show firewall summary:

vyos@vyos:~$ show firewall summary 
Traceback (most recent call last):
Ruleset Summary

IPv6 Ruleset:

Ruleset Hook    Ruleset Priority    Description
--------------  ------------------  -------------
forward         filter
input           filter
name            V6_TO_DMZ
name            V6_TO_LAN
name            V6_TO_MGMT
name            V6_TO_WAN
output          filter

IPv4 Ruleset:

Ruleset Hook    Ruleset Priority    Description
--------------  ------------------  -------------
forward         filter
input           filter
name            V4_TO_DMZ
name            V4_TO_LAN
name            V4_TO_MGMT
name            V4_TO_WAN
output          filter
  File "/usr/libexec/vyos/op_mode/firewall.py", line 438, in <module>
    show_summary()
  File "/usr/libexec/vyos/op_mode/firewall.py", line 391, in show_summary
    show_firewall_group()
  File "/usr/libexec/vyos/op_mode/firewall.py", line 338, in show_firewall_group
    references = find_references(group_type, group_name)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/firewall.py", line 303, in find_references
    for rule_id, rule_conf in priority_conf['rule'].items():
                              ~~~~~~~~~~~~~^^^^^^^^
KeyError: 'rule'

Current ruleset (commits and boots without errors):

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options resolver-cache
set firewall global-options resolver-interval '60'
set firewall global-options send-redirects 'disable'
set firewall global-options source-validation 'strict'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall group interface-group DMZ interface 'eth2'
set firewall group interface-group LAN interface 'eth3'
set firewall group interface-group MGMT interface 'eth0'
set firewall group interface-group WAN interface 'eth1'
set firewall group ipv6-network-group V6_DMZ
set firewall group ipv6-network-group V6_LAN
set firewall group ipv6-network-group V6_MGMT
set firewall group ipv6-network-group V6_WAN network '::/0'
set firewall group network-group V4_BOGONS network '0.0.0.0/8'
set firewall group network-group V4_BOGONS network '10.0.0.0/8'
set firewall group network-group V4_BOGONS network '100.64.0.0/10'
set firewall group network-group V4_BOGONS network '127.0.0.0/8'
set firewall group network-group V4_BOGONS network '169.254.0.0/16'
set firewall group network-group V4_BOGONS network '172.16.0.0/12'
set firewall group network-group V4_BOGONS network '192.0.0.0/24'
set firewall group network-group V4_BOGONS network '192.0.2.0/24'
set firewall group network-group V4_BOGONS network '192.168.0.0/16'
set firewall group network-group V4_BOGONS network '198.18.0.0/15'
set firewall group network-group V4_BOGONS network '198.51.100.0/24'
set firewall group network-group V4_BOGONS network '203.0.113.0/24'
set firewall group network-group V4_BOGONS network '224.0.0.0/4'
set firewall group network-group V4_BOGONS network '240.0.0.0/4'
set firewall group network-group V4_DMZ network '192.168.2.0/24'
set firewall group network-group V4_LAN network '192.168.3.0/24'
set firewall group network-group V4_MGMT network '192.168.56.0/24'
set firewall group network-group V4_RFC1918 network '10.0.0.0/8'
set firewall group network-group V4_RFC1918 network '172.16.0.0/12'
set firewall group network-group V4_RFC1918 network '192.168.0.0/16'
set firewall group network-group V4_WAN network '192.168.1.0/24'
set firewall group network-group V4_WAN network '0.0.0.0/0'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 state established 'enable'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 state related 'enable'
set firewall ipv4 forward filter rule 30 action 'drop'
set firewall ipv4 forward filter rule 30 state invalid 'enable'
set firewall ipv4 forward filter rule 40 action 'jump'
set firewall ipv4 forward filter rule 40 jump-target 'V4_TO_WAN'
set firewall ipv4 forward filter rule 40 outbound-interface interface-group 'WAN'
set firewall ipv4 forward filter rule 50 action 'jump'
set firewall ipv4 forward filter rule 50 jump-target 'V4_TO_DMZ'
set firewall ipv4 forward filter rule 50 outbound-interface interface-group 'DMZ'
set firewall ipv4 forward filter rule 60 action 'jump'
set firewall ipv4 forward filter rule 60 jump-target 'V4_TO_LAN'
set firewall ipv4 forward filter rule 60 outbound-interface interface-group 'LAN'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 state established 'enable'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 state related 'enable'
set firewall ipv4 input filter rule 30 action 'drop'
set firewall ipv4 input filter rule 30 state invalid 'enable'
set firewall ipv4 input filter rule 999999 action 'accept'
set firewall ipv4 input filter rule 999999 inbound-interface interface-name 'lo'
set firewall ipv4 input filter rule 999999 source address '127.0.0.0/8'
set firewall ipv4 name V4_TO_DMZ default-action 'drop'
set firewall ipv4 name V4_TO_LAN default-action 'drop'
set firewall ipv4 name V4_TO_MGMT default-action 'drop'
set firewall ipv4 name V4_TO_WAN default-action 'drop'
set firewall ipv4 output filter default-action 'accept'
set firewall ipv4 output filter rule 10 action 'accept'
set firewall ipv4 output filter rule 10 state established 'enable'
set firewall ipv4 output filter rule 20 action 'accept'
set firewall ipv4 output filter rule 20 state related 'enable'
set firewall ipv4 output filter rule 30 action 'drop'
set firewall ipv4 output filter rule 30 state invalid 'enable'
set firewall ipv4 output filter rule 999999 action 'accept'
set firewall ipv4 output filter rule 999999 destination address '127.0.0.0/8'
set firewall ipv4 output filter rule 999999 outbound-interface interface-name 'lo'
set firewall ipv6 forward filter default-action 'drop'
set firewall ipv6 forward filter rule 10 action 'accept'
set firewall ipv6 forward filter rule 10 state established 'enable'
set firewall ipv6 forward filter rule 20 action 'accept'
set firewall ipv6 forward filter rule 20 state related 'enable'
set firewall ipv6 forward filter rule 30 action 'drop'
set firewall ipv6 forward filter rule 30 state invalid 'enable'
set firewall ipv6 forward filter rule 40 action 'jump'
set firewall ipv6 forward filter rule 40 jump-target 'V6_TO_WAN'
set firewall ipv6 forward filter rule 40 outbound-interface interface-group 'WAN'
set firewall ipv6 forward filter rule 50 action 'jump'
set firewall ipv6 forward filter rule 50 jump-target 'V6_TO_DMZ'
set firewall ipv6 forward filter rule 50 outbound-interface interface-group 'DMZ'
set firewall ipv6 forward filter rule 60 action 'jump'
set firewall ipv6 forward filter rule 60 jump-target 'V6_TO_LAN'
set firewall ipv6 forward filter rule 60 outbound-interface interface-group 'LAN'
set firewall ipv6 input filter default-action 'accept'
set firewall ipv6 input filter rule 10 action 'accept'
set firewall ipv6 input filter rule 10 state established 'enable'
set firewall ipv6 input filter rule 20 action 'accept'
set firewall ipv6 input filter rule 20 state related 'enable'
set firewall ipv6 input filter rule 30 action 'drop'
set firewall ipv6 input filter rule 30 state invalid 'enable'
set firewall ipv6 input filter rule 999999 action 'accept'
set firewall ipv6 input filter rule 999999 inbound-interface interface-name 'lo'
set firewall ipv6 input filter rule 999999 source address '::1/128'
set firewall ipv6 name V6_TO_DMZ default-action 'drop'
set firewall ipv6 name V6_TO_LAN default-action 'drop'
set firewall ipv6 name V6_TO_MGMT default-action 'drop'
set firewall ipv6 name V6_TO_WAN default-action 'drop'
set firewall ipv6 output filter default-action 'accept'
set firewall ipv6 output filter rule 10 action 'accept'
set firewall ipv6 output filter rule 10 state established 'enable'
set firewall ipv6 output filter rule 20 action 'accept'
set firewall ipv6 output filter rule 20 state related 'enable'
set firewall ipv6 output filter rule 30 action 'drop'
set firewall ipv6 output filter rule 30 state invalid 'enable'
set firewall ipv6 output filter rule 999999 action 'accept'
set firewall ipv6 output filter rule 999999 destination address '::1/128'
set firewall ipv6 output filter rule 999999 outbound-interface interface-name 'lo'
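The walk that the traceback shows failing, as an added example that is not VyOS code: a reduced model of find_references() from the op-mode script, with the report's ruleset as a constructed config dict (the nesting family -> hook -> priority -> rule is an assumption), the failing indexing beside the tolerant form, and the References column rendered as the fixed output shows it.

```python
# Added example, not VyOS code: a reduced model of find_references() from
# /usr/libexec/vyos/op_mode/firewall.py. The config dict is constructed from
# the report's 'set firewall ...' lines; its nesting is an assumption.

# Constructed config. The 'name' chains carry only a default-action, so they
# have no 'rule' key at all, which is exactly the case the walk tripped over.
FIREWALL_CONF = {
    'ipv4': {
        'forward': {'filter': {
            'default-action': 'drop',
            'rule': {
                '10': {'action': 'accept', 'state': {'established': 'enable'}},
                '40': {'action': 'jump', 'jump-target': 'V4_TO_WAN',
                       'outbound-interface': {'interface-group': 'WAN'}},
                '50': {'action': 'jump', 'jump-target': 'V4_TO_DMZ',
                       'outbound-interface': {'interface-group': 'DMZ'}},
            },
        }},
        'name': {
            'V4_TO_DMZ': {'default-action': 'drop'},   # no 'rule' key
            'V4_TO_WAN': {'default-action': 'drop'},
        },
    },
    'ipv6': {
        'forward': {'filter': {
            'default-action': 'drop',
            'rule': {
                '50': {'action': 'jump', 'jump-target': 'V6_TO_DMZ',
                       'outbound-interface': {'interface-group': 'DMZ'}},
            },
        }},
        'name': {'V6_TO_DMZ': {'default-action': 'drop'}},
    },
}

# Group type as printed by 'show firewall group' -> (rule fields that can
# reference such a group, config key holding the group name). Assumed layout.
GROUP_FIELDS = {
    'interface_group': (['inbound-interface', 'outbound-interface'], 'interface-group'),
    'network_group': (['source', 'destination'], 'network-group'),
    'ipv6_network_group': (['source', 'destination'], 'network-group'),
}

def rule_matches(rule_conf, group_type, group_name):
    """True if this rule references the given group."""
    fields, key = GROUP_FIELDS[group_type]
    for field in fields:
        match = rule_conf.get(field, {})
        # source/destination keep the group under a 'group' sub-node;
        # interface matches keep 'interface-group' directly.
        holder = match.get('group', match)
        if holder.get(key) == group_name:
            return True
    return False

def find_references(group_type, group_name, conf=FIREWALL_CONF, strict=False):
    """Collect 'family-hook-priority-rule' references to a group.

    strict=True reproduces the reported failure: it indexes ['rule'] on every
    chain and raises KeyError on a chain that has only a default-action.
    strict=False is the tolerant form: a chain without rules contributes nothing.
    """
    refs = []
    for family, hooks in conf.items():
        for hook, priorities in hooks.items():
            for priority, priority_conf in priorities.items():
                rules = priority_conf['rule'] if strict else priority_conf.get('rule', {})
                for rule_id, rule_conf in rules.items():
                    if rule_matches(rule_conf, group_type, group_name):
                        refs.append(f'{family}-{hook}-{priority}-{rule_id}')
    return refs

def describe_references(group_type, group_name):
    """Render the References column as the report's fixed output shows it."""
    refs = find_references(group_type, group_name)
    return '\n'.join(refs) if refs else 'N/D'

def reproduces_report():
    """True if the strict walk fails on this ruleset with the reported KeyError."""
    try:
        find_references('interface_group', 'DMZ', strict=True)
    except KeyError as err:
        return err.args[0] == 'rule'
    return False
```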

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.5-rolling-202309080021
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

PR https://github.com/vyos/vyos-1x/pull/2235

vyos@r4:~$ show firewall group 
Firewall Groups

Name        Type                References              Members
----------  ------------------  ----------------------  ---------------
DMZ         interface_group     ipv4-forward-filter-50  eth2
                                ipv6-forward-filter-50
LAN         interface_group     ipv4-forward-filter-60  eth3
                                ipv6-forward-filter-60
MGMT        interface_group     N/D                     eth0
WAN         interface_group     ipv4-forward-filter-40  eth1
                                ipv6-forward-filter-40
V6_DMZ      ipv6_network_group  N/D                     N/D
V6_LAN      ipv6_network_group  N/D                     N/D
V6_MGMT     ipv6_network_group  N/D                     N/D
V6_WAN      ipv6_network_group  N/D                     ::/0
V4_BOGONS   network_group       N/D                     0.0.0.0/8
                                                        10.0.0.0/8
                                                        100.64.0.0/10
                                                        127.0.0.0/8
                                                        169.254.0.0/16
                                                        172.16.0.0/12
                                                        192.0.0.0/24
                                                        192.0.2.0/24
                                                        192.168.0.0/16
                                                        198.18.0.0/15
                                                        198.51.100.0/24
                                                        203.0.113.0/24
                                                        224.0.0.0/4
                                                        240.0.0.0/4
V4_DMZ      network_group       N/D                     192.168.2.0/24
V4_LAN      network_group       N/D                     192.168.3.0/24
V4_MGMT     network_group       N/D                     192.168.56.0/24
V4_RFC1918  network_group       N/D                     10.0.0.0/8
                                                        172.16.0.0/12
                                                        192.168.0.0/16
V4_WAN      network_group       N/D                     0.0.0.0/0
                                                        192.168.1.0/24
vyos@r4:~$
Viacheslav changed the task status from Open to Needs testing. Sep 10 2023, 1:30 PM

Confirmed working with VyOS 1.5-rolling-202309110651

A question before setting this to resolved:

What does N/D mean?

Shouldn't it be N/A instead?

It was implemented there: https://github.com/vyos/vyos-1x/commit/ac65673bd7b5d856246b0b73e6aeeea3c46297bc

N/D == not defined

It's more precise to use N/D, when actually something wasn't defined (such as group members or references), rather than N/A

Thanks!

This can be put to resolved when the backports are confirmed as well.

I was thinking about N/D and personally I would prefer "None" to be listed for the various "show firewall" commands instead of N/D.

I have updated related task https://vyos.dev/T5513 because it turns out that default-action is missing counters.

So I don't know if that will be taken care of by T5513 or this task T5564, or if I should create a separate task?

The problem remains that "N/D" is being used in show firewall groups instead of "None".

But also that packet and byte counters are missing from all default actions listed by show firewall and show firewall statistics in VyOS 1.5-rolling-202310090023.

Once PR https://github.com/vyos/vyos-1x/pull/2344 is merged, counters and logs for default action should be available once again.

n.fort changed the task status from Needs testing to In progress. Oct 23 2023, 11:33 AM
n.fort claimed this task.

1.5 should not have such issues.
1.4: op-mode should be working as expected. Backport for https://github.com/vyos/vyos-1x/pull/2344 failed. I'll submit a PR for 1.4 for this feature.

Using VyOS 1.5-rolling-202310220123.

I'm not sure the output of show firewall and show firewall statistics is correct:

For example, look at the output of:

ipv4 Firewall "input filter"
ipv4 Firewall "output filter"
ipv6 Firewall "input filter"
ipv6 Firewall "output filter"

where the "statistics" output incorrectly claims N/A or 0:

vyos@vyos:~$ show firewall
Rulesets Information

---------------------------------
ipv4 Firewall "forward filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------------
10       accept    all                 0        0  ct state { established, related }  accept
20       accept    all                 0        0  ct state new ct status dnat  accept
30       drop      all                 0        0  ct state invalid
40       jump      all                 0        0  oifname @I_WAN  jump NAME_V4_TO_WAN
50       jump      all                 0        0  oifname @I_DMZ  jump NAME_V4_TO_DMZ
60       jump      all                 0        0  oifname @I_LAN  jump NAME_V4_TO_LAN
default  drop      all                 0        0

---------------------------------
ipv4 Firewall "input filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------------
10       accept    all               651    56016  ct state { established, related }  accept
20       drop      all                 0        0  ct state invalid
999999   accept    all                 0        0  ip saddr 127.0.0.0/8 iifname "lo"  accept
default  accept    all                12     2188

---------------------------------
ipv4 Firewall "name V4_TO_DMZ"

Rule     Action    Protocol      Packets    Bytes
-------  --------  ----------  ---------  -------
default  drop      all                 0        0

---------------------------------
ipv4 Firewall "name V4_TO_LAN"

Rule     Action    Protocol      Packets    Bytes
-------  --------  ----------  ---------  -------
default  drop      all                 0        0

---------------------------------
ipv4 Firewall "name V4_TO_MGMT"

Rule     Action    Protocol      Packets    Bytes
-------  --------  ----------  ---------  -------
default  drop      all                 0        0

---------------------------------
ipv4 Firewall "name V4_TO_WAN"

Rule     Action    Protocol      Packets    Bytes
-------  --------  ----------  ---------  -------
default  drop      all                 0        0

---------------------------------
ipv4 Firewall "output filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------------
10       accept    all               918   181794  ct state { established, related }  accept
20       drop      all                 0        0  ct state invalid
999999   accept    all                 0        0  ip daddr 127.0.0.0/8 oifname "lo"  accept
default  accept    all                66     7980

---------------------------------
ipv6 Firewall "forward filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------------
10       accept    all                 0        0  ct state { established, related }  accept
20       accept    all                 0        0  ct state new ct status dnat  accept
30       drop      all                 0        0  ct state invalid
40       jump      all                 0        0  oifname @I_WAN  jump NAME6_V6_TO_WAN
50       jump      all                 0        0  oifname @I_DMZ  jump NAME6_V6_TO_DMZ
60       jump      all                 0        0  oifname @I_LAN  jump NAME6_V6_TO_LAN
default  drop      all                 0        0

---------------------------------
ipv6 Firewall "input filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------------
10       accept    all                 0        0  ct state { established, related }  accept
20       drop      all                 0        0  ct state invalid
999999   accept    all                 0        0  ip6 saddr ::1 iifname "lo"  accept
default  accept    all                27     2832

---------------------------------
ipv6 Firewall "name V6_TO_DMZ"

Rule     Action    Protocol      Packets    Bytes
-------  --------  ----------  ---------  -------
default  drop      all                 0        0

---------------------------------
ipv6 Firewall "name V6_TO_LAN"

Rule     Action    Protocol      Packets    Bytes
-------  --------  ----------  ---------  -------
default  drop      all                 0        0

---------------------------------
ipv6 Firewall "name V6_TO_MGMT"

Rule     Action    Protocol      Packets    Bytes
-------  --------  ----------  ---------  -------
default  drop      all                 0        0

---------------------------------
ipv6 Firewall "name V6_TO_WAN"

Rule     Action    Protocol      Packets    Bytes
-------  --------  ----------  ---------  -------
default  drop      all                 0        0

---------------------------------
ipv6 Firewall "output filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------------
10       accept    all                 0        0  ct state { established, related }  accept
20       drop      all                 0        0  ct state invalid
999999   accept    all                 0        0  ip6 daddr ::1 oifname "lo"  accept
default  accept    all                38     3832

vyos@vyos:~$ show firewall statistics
Rulesets Statistics

---------------------------------
ipv4 Firewall "forward filter"

Rule     Packets    Bytes    Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       0          0        accept    any       any            any                  any
20       0          0        accept    any       any            any                  any
30       0          0        drop      any       any            any                  any
40       0          0        jump      any       any            any                  WAN
50       0          0        jump      any       any            any                  DMZ
60       0          0        jump      any       any            any                  LAN
default  N/A        N/A      drop      any       any            any                  any

---------------------------------
ipv4 Firewall "input filter"

Rule     Packets    Bytes    Action    Source       Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  -----------  -------------  -------------------  --------------------
10       678        57868    accept    any          any            any                  any
20       0          0        drop      any          any            any                  any
999999   0          0        accept    127.0.0.0/8  any            lo                   any
default  N/A        N/A      accept    any          any            any                  any

---------------------------------
ipv4 Firewall "name V4_TO_DMZ"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  drop      any       any            any                  any

---------------------------------
ipv4 Firewall "name V4_TO_LAN"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  drop      any       any            any                  any

---------------------------------
ipv4 Firewall "name V4_TO_MGMT"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  drop      any       any            any                  any

---------------------------------
ipv4 Firewall "name V4_TO_WAN"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  drop      any       any            any                  any

---------------------------------
ipv4 Firewall "output filter"

Rule     Packets    Bytes    Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       950        196698   accept    any       any            any                  any
20       0          0        drop      any       any            any                  any
999999   0          0        accept    any       127.0.0.0/8    any                  lo
default  N/A        N/A      accept    any       any            any                  any

---------------------------------
ipv6 Firewall "forward filter"

Rule     Packets    Bytes    Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       0          0        accept    any       any            any                  any
20       0          0        accept    any       any            any                  any
30       0          0        drop      any       any            any                  any
40       0          0        jump      any       any            any                  WAN
50       0          0        jump      any       any            any                  DMZ
60       0          0        jump      any       any            any                  LAN
default  N/A        N/A      drop      any       any            any                  any

---------------------------------
ipv6 Firewall "input filter"

Rule     Packets    Bytes    Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       0          0        accept    any       any            any                  any
20       0          0        drop      any       any            any                  any
999999   0          0        accept    ::1/128   any            lo                   any
default  N/A        N/A      accept    any       any            any                  any

---------------------------------
ipv6 Firewall "name V6_TO_DMZ"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  drop      any       any            any                  any

---------------------------------
ipv6 Firewall "name V6_TO_LAN"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  drop      any       any            any                  any

---------------------------------
ipv6 Firewall "name V6_TO_MGMT"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  drop      any       any            any                  any

---------------------------------
ipv6 Firewall "name V6_TO_WAN"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  drop      any       any            any                  any

---------------------------------
ipv6 Firewall "output filter"

Rule     Packets    Bytes    Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       0          0        accept    any       any            any                  any
20       0          0        drop      any       any            any                  any
999999   0          0        accept    any       ::1/128        any                  lo
default  N/A        N/A      accept    any       any            any                  any