You need to remove the state new match on the rule and it'll work.
All Stories
Jan 17 2022
Close the task
@Watcher7 Re-test it or describe steps how to reproduce, since after 1.2-rc2 a lot of changes were implemented regarding vrf + frr.
You can set both vrf + next-hop address
I experience the same problem of VyOS failing to add wlan0 to bridge, which persists in all 1.3-epa and 1.3-LTS versions, as well as 1.4 nightly builds.
Tested and working as expected on VyOS 1.4-rolling-202201150317
There are some issues with powerdns in vrf context.
Included those flags in PR: https://github.com/vyos/vyos-1x/pull/1174
Think 2 flag options should be added.
According to nft wiki these are all the flags that nft could match: tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}
Included in PR: https://github.com/vyos/vyos-1x/pull/1174
It is a different task; it only extends the range which you can use for rule numbers.
For example, if you want 3 rules
Rule 100, rule 1000, rule 10000 etc.
Accepting time is another task. BTW, the firewall was rewritten in 1.4; I hope that commit time was decreased.
I think we will have a problem with such a large number of rules. Now, if there are 1500 vyos rules, it takes 30 minutes to load. If there are 999999 rules, it will take a very long time to load.
Jan 16 2022
Thanks, will include a fix in a PR shortly
I can see the fix, but now trying invert selection on tcp flags doesn't work
Testing this feature in VyOS 1.4-rolling-202201100317 I'm getting some unexpected behavior.
Config:
For full support we need this added to FRR: https://github.com/FRRouting/frr/pull/9204
Jan 15 2022
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1172
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1170
Re-tested in VyOS 1.4-rolling-202201140317
Now it works, thank you!
Jan 14 2022
@NikolayP Could you re-test it?
Some detail here T1280
@sdev: in your original commit for this task, recent rules are somehow semi-discarded (the time/counter condition will not be written out; however, the action will be written out) because of an apparent problem with nftables in this area.
Thanks; I just tested commenting out line 5 of that file, and it successfully works around the issue, allowing me to set a link-local IPv6 address as my endpoint. The wireguard connection itself also works, and I can pass traffic.
@odhnera Try to comment out or delete the validation string and restart the vyos-configd service
Jan 13 2022
Getting link-local addresses to work would probably be very low-priority, but I did run into an extremely niche case where I wanted to do that. It's not the type of situation that would happen in a production environment, but I was running VyOS on a computer tethered via ethernet to an Android-based phone, and I wanted to connect to a wireguard peer running on the phone. Modern versions of Android randomize the IPv4 address of their tethered interface on each reboot, but their link-local IPv6 address remains the same, making it more convenient to use it.
Link-local addresses with %ethX are not accepted in any protocols/peers/etc. A few services are allowed to set them as listen like ssh/dns at the moment.
Is there a real use case why you need it on wireguard interfaces?
It is generated by openvpn, maybe something new in the new OpenVPN version
So I see only one option - add mode server-bridge