In T5835#187933, @simplysoft wrote:

I'm not sure if that summary from you @Viacheslav is fully reflecting the current state.
I'm also not sure if the original implementation never worked, might very well have been broken while refactoring some vyos internals how the firewall is structured, but I guess you should have a better understanding of (the history of) your product. Otherwise I would be very surprised if a broken feature got into your product without every working / being tested.

In summary, it works with custom scripts and patches, but it still does not work from CLI (not fully integrated)
The scripts that should be involved are in the repo https://github.com/miniupnp/miniupnp/tree/miniupnpd_2_3_3/miniupnpd/netfilter_nft/scripts
Until we do not have them and they do not communicate with the firewall, the feature does not work.
A patch is attached in several posts above https://vyos.dev/T5835#174066

The original feature/bug is solved
The stop script executed is executing.
The locks are a separate task/bug.

Feel free to reopen it and update the task description, but I'm not expecting it to be implemented.

I think the original request was Add ability to resequence rule numbers for firewall, and we added this tool.
Auto-Apply configuration based on this tool is the wrong way. We haven't had such hacks before and probably won't implement them in the nearest feature.
All configuration changes have to be only per user commit; there should not be any auto-commits/auto applies configs. We have API for these tricks.
CLI is completely different from the cisco/arista logic.

I'm re-opening until we make a final decision

The service webproxy is deprecated and will be removed in 1.5

Removed in https://github.com/vyos/vyos-1x/pull/3435

For 1.4 also fixed

vyos@r1-right:~$ show version all | match "GNU C L"
ii  libc-bin                             2.36-9+deb12u7                   amd64        GNU C Library: Binaries
ii  libc-l10n                            2.36-9+deb12u7                   all          GNU C Library: localization files
ii  libc6:amd64                          2.36-9+deb12u7                   amd64        GNU C Library: Shared libraries
ii  locales                              2.36-9+deb12u7                   all          GNU C Library: National Language (locale) data [support]
vyos@r1-right:~$ 
vyos@r1-right:~$ show ver
Version:          VyOS 1.4-stable-202405090309
Release train:    sagitta

Fixed

vyos@r1-right:~$ show version all | match "GNU C L"
ii  libc-bin                             2.28-10+deb10u3                amd64        GNU C Library: Binaries
ii  libc-l10n                            2.28-10+deb10u3                all          GNU C Library: localization files
ii  libc6:amd64                          2.28-10+deb10u3                amd64        GNU C Library: Shared libraries
ii  locales                              2.28-10+deb10u3                all          GNU C Library: National Language (locale) data [support]
vyos@r1-right:~$ 
vyos@r1-right:~$ show version

Should be fixed in https://github.com/vyos/vyos-build/pull/600

Mostly impossible for policy local-route
I'm not expecting that it will be implemented at all.

The current workaround is manual DNAT rules:

set nat destination rule 100 destination port '80'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation redirect port '3128'

Add any rules before 100 for excluding DNAT and use "bypass"

PR https://github.com/vyos/vyos-build/pull/598

Min config for old implementation with redirect (1.2):

set service webproxy listen-address 192.168.122.12
set service webproxy url-filtering squidguard block-category 'aggressive'
set service webproxy url-filtering squidguard local-block 'mytest.local'
set service webproxy whitelist destination-address '192.0.2.1'
set service webproxy whitelist destination-address '192.0.2.2'
set service webproxy whitelist source-address '192.0.2.222'
set service webproxy whitelist source-address '192.0.2.223'

PR https://github.com/vyos/vyos-build/pull/594
PR https://github.com/vyos/vyos-1x/pull/3412

PR https://github.com/vyos/vyos-1x/pull/3411

Not all targets have username/password
For example for the future "location"

set system config-management commit-archive aws authentication access-key
set system config-management commit-archive aws authentication secret-key
set system config-management commit-archive aws bucket <my-bucket-name>
set system config-management commit-archive aws path '/'

This way, predefined targets are more preferred.

What about this format?
We still have named/predefined targets (scp|ftp|sftp|http|https) and <name> as tag

set system config-management commit-archive target scp <name> authentication username 'xxx'
set system config-management commit-archive target scp <name> authentication password 'xxx'
set system config-management commit-archive target scp <name> server '192.0.2.1'
set system config-management commit-archive target scp <name> path '/'

Should be fixed after rewriting commit-archive T6304

It is probably a commit in progress during this time of execution, so the file is locked by another commit.
@dex Can you send to syslog anu message or do any other commands not related to configure?

There were some improvements for 1.3 related ipset checks and implemented in T2189, but due to the old backend it is impossible to do anything else.
The 1.5/1.4 do not have this issue
Close the task

Will be available in the next rolling release.