It requires a migration of the VTI interface to python first.

Well - making all IPv6 stuff a noop is not coded into VyOS. Can you show real life examples of increased attack surface?

it's enabled by default.

It's useful when the user is sure he doesn't want IPv6, as it lessens the attack surface, especially if the user doesn't know he needs to configure a IPv6 firewall separately to the IPv4 firewall. Even link-local addresses can be used to launch attacks in the absence of a firewall config.
IMO the configured interface addresses and v6 nodes should become no-ops, possibly print a warning on commit.
On the other hand, leaving IPv6 enabled, would be better to move in the direction of v6 adoption. Personally, I'd prefer this, and leave v6 enabled by default.

in my opinion it should be always enabled

Actually why do you wan't to disbale IPv6 on the system? I think this is a huge workpackage.

Downloaded the latest rolling, the only thing I have done with the rolling was installing it on a fresh Proxmox VM. I created two firewall groups with the same name - one for address-group and the other is for port-group.

@c-po this is operation commands, as I understand you propose to write py script with return_effective_ , correct?

can you try to reproduce in rolling, please?

Regarding the reference counter for changes. It can also be implemented by storing in an Interface specific class level dictionary the last know state of the interface.
However, should multiple instances of the class be run by multiple programs then this could become problematic and this limitation should be kept in mind.

The recent change in implementation have changed the code from "if/else" to data-driven.
For example, every class now has a "definition" dictionary which indicates what the interface can/cannot do, for example, be bonded or not or it it supports vlan.

Thanks for the quick fix - I was to blind finding it on my own :/

There this three types of functions which as class can have:

• "normal" when the first argument is "self"
• classmethod (using the @classmethod decorator before the function). In that case self replaced from an instance of the class by a reference to the class itself (often called cls, in that case InterfaceClass)
• staticmethod (where the function does not need class data and is jus placed under the class) can be called with InterfaceClass.func()

DFLT_BGP_IMPORT_CHECK can only be set by changing the profile? It can't be set directly? We don't need to change the default timers, just this parameter.

We don't can do it as default behavior.
Frr documentation, frr has profiles

Fix will be in any rolling release after vyos-1.3-rolling-202003270650-amd64.iso

While you are working on this I'd suggest the default behavior to be to check if IGP routes exist by default. The reason most implementations check IGP is described in my initial bug submission along with diagrams. Since advertising unconditionally breaks dynamic routing it may make sense to make this a default.

@jestabro Create it please.

Thanks, @Viacheslav. We will need to add a migration script for the previous setting; that is simple in this case, since, as you observed, it was a no-op, and can just be dropped. If you are busy, I can add it.

@jestabro I fixed commit to