Firewall chains are created when unnecessary
Open, NormalPublicFEATURE REQUEST
Actions

Assigned To

Authored By

	L0crian
	Sep 3 2025, 5:01 PM

Description

Currently, if you configure any base section ('ipv4, ipv6, etc..."), it will create all chains for that table. The intention of the nftables.j2 file is to only create the chains if the user defined them:

{%     if ipv4.forward is vyos_defined %}
{%     if ipv4.input is vyos_defined %}
{%     if ipv4.output is vyos_defined %}
....etc

But default-action has a <defaultValue> defined, which always makes those sections present. This can slow down routing functions by forcing "through" traffic to enter a forward hook unnecessarily when the user just wanted to secure VyOS itself (authentication, CoPP, etc...).

Details

Version: -
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Related Objects

Mentioned In: T7475: Make it possible to disable connection tracking for specific firewall chains

Event Timeline

L0crian created this task.Sep 3 2025, 5:01 PM

L0crian mentioned this in T7475: Make it possible to disable connection tracking for specific firewall chains.

pasik subscribed.Sep 4 2025, 6:28 AM

Unknown Object (User) triaged this task as Normal priority.Sep 5 2025, 8:43 AM

L0crian renamed this task from Firewall chains are created no matter if the user intended to Firewall chains are created when unnecessary.Sep 25 2025, 4:49 PM

PR: https://github.com/vyos/vyos-1x/pull/4757

L0crian claimed this task.Sep 25 2025, 6:34 PM

Firewall chains are created when unnecessaryOpen, NormalPublicFEATURE REQUESTActions

Description

Details

Related Objects

Event Timeline

Firewall chains are created when unnecessary
Open, NormalPublicFEATURE REQUEST
Actions