https://github.com/vyos/vyos-1x/pull/1535

PR adding libpam-google-authenticator package to VyOS:
https://github.com/vyos/vyos-1x/pull/1541

It seems that we have two constraints here.

Made a fix and now we have:

Let me see if I can fix it.

Doing further testing, it seems adding the explicit-null broke the configuration:

Good news. It seems the patch worked properly. Here we show MPLS labels generated via segment routing for the prefix command:

As I mentioned above, use it before the configuration, it described in the doc

#!/bin/vbash

Interesting article on how and when to match ipsec options: https://thermalcircle.de/doku.php?id=blog:linux:nftables_demystifying_ipsec_expressions

There is PR https://github.com/vyos/vyos-1x/pull/1516 for T4667 but it brakes all GRE traffic

PR https://github.com/vyos/vyos-1x/pull/1540

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1539

Hi all,

Do you have a proposed cli format?

Added a pull request for this fix.

Nope, i use CLI for configuration and script for vrrp (wireguard interface enable/disable)

Fix for 1.3 https://github.com/vyos/vyos-build/pull/261

This is also an issue on the 1.3.x builds due to a similar issue. See https://github.com/jordansissel/fpm/issues/1923

It should be possible in https://github.com/vyos/vyos-1x/pull/1534 T2199

set firewall interface ethXvX

It seems you use some custom scripts for configuration
You have to use

if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

before your configuration script

Refactor PR: https://github.com/vyos/vyos-1x/pull/1534

PR for filter tables: https://github.com/vyos/vyos-1x/pull/1534

Should be fixed in https://github.com/vyos/vyatta-cfg-firewall/pull/34

Already renamed:

PR: https://github.com/vyos/vyos-1x/pull/1533

In T1185#133944, @sdev wrote:

A similar syntax change is in progress as part of a larger firewall refactor. It should reach the 1.4 branch in a week or so. It should allow for any valid existing interface name.

In T1185#133941, @roedie wrote:

Just a suggestion, would it be a weird idea to move the firewall config from the interface section to the firewall section? A bit like the zone config. So something like:

set firewall local interface eth0 name <firewall-filter>
set firewall in interface eth0 name <firewall-filter>
set firewall out interface eth0 name <firewall-filter>
set firewall local interface bond0.10v22v6 ipv6-name <firewall-filter>

The problem is that using zone-policy firewall is a bit overkill for a pure router or even a router with async routing. In which scenario I guess only the local variant would be useful.

Or, come to think, some free from of set interfaces unknown <typeyourownname> firewall local name <ruleset> where you can only config stuff that doesn't really depend on an interface.

Just a suggestion, would it be a weird idea to move the firewall config from the interface section to the firewall section? A bit like the zone config. So something like: