Page MenuHomeVyOS Platform
Create Task
Maniphest T7612

Flowspec `local-install` CLI command is dysfunctional
Open, NormalPublicBUG
Actions

Description

As part of this PR, we got the CLI command:

set protocols bgp address-family ipv4-flowspec local-install

Which translates into this FRR config:

router bgp 65001
 address-family ipv4 flowspec
  local-install eth0
 exit-address-family
exit

This should use pbrd to install IP rules, iptables entries, and ipset entries. But:

  • pbrd is not running in VyOS
  • iptables compatibility exists, but it’s unclear how well it integrates with everything else
  • ipset is completely missing

In practice, FlowSpec prefixes received from peers are inactive and not installed anywhere.

We need to make it work or remove from CLI.

Details

Version
2025.07.04-1225-rolling, 1.4.2
Is it a breaking change?
Config syntax change (migratable)
Issue type
Bug (incorrect behavior)

Event Timeline

zsdc created this task.Jul 4 2025, 4:30 PM
zsdc added projects: VyOS 1.5 Circinus, VyOS 1.4 Sagitta.
Viacheslav subscribed.Jul 6 2025, 9:32 AM

It’s completely doesn’t work even with PBRD https://github.com/FRRouting/frr/issues/3160 (I didn’t check)

pasik subscribed.Jul 6 2025, 9:41 AM
Unknown Object (User) triaged this task as Normal priority.Jul 9 2025, 5:03 PM