Updated scan performed on VyOS 1.5-rolling-202310090023 (see attached file).
All Stories
Oct 10 2023
show conntrack statistics still fails in VyOS 1.5-rolling-202310090023:
Seems to be fixed in VyOS 1.5-rolling-202310090023:
Problem remains with "N/D" being used in show firewall groups instead of "None".
Verified in VyOS 1.5-rolling-202310090023:
Verified in VyOS 1.5-rolling-202310090023:
Works as expected:
Oct 9 2023
Final testing before PR, the following corrects behavior when configuring the http-api using the http-api, for example:
PR created: https://github.com/vyos/vyos-build/pull/435
Oct 8 2023
As @twan mentioned previously...
Turns out that packages/linux-kernel/arch/x86/configs/vyos_defconfig doesn't include xz as an option for initrd:
Will attempt to:
I see, looks like a way more streamlined approach. Thank you for the information and the quick response!
A new firewall frontend engine was implemented in VyOS 1.4-rolling-202308040557.
Good to hear that this was implemented, thank you! Could you elaborate in which release this feature will be available?
In T5635#161656, @freebsdjlu wrote: I think it depends on nftables, https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_by_socket_UID_.2F_GID , it is first handled by nftables and mark, then use rule.
PR created: https://github.com/vyos/vyos-1x/pull/2349
PR for 1.3 https://github.com/vyos/vyos-1x/pull/2348
PR for 1.3 https://github.com/vyos/vyos-1x/pull/2347
I think it depends on nftables, https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_by_socket_UID_.2F_GID , it is first handled by nftables and mark, then use rule.
PR for 1.4 https://github.com/vyos/vyos-1x/pull/2346
Oct 7 2023
Oct 6 2023
The blog over at claims:
Closing this one, because it's already implemented
PR https://github.com/vyos/vyos-1x/pull/2342
set policy local-route rule 23 destination port '222'
set policy local-route rule 23 protocol 'tcp'
set policy local-route rule 23 set table '123'
set policy local-route rule 23 source port '8888'
Check:
vyos@r4# ip rule show prio 23
23: from all ipproto tcp sport 8888 dport 222 lookup 123
[edit]
vyos@r4#
It supports uidrange https://man7.org/linux/man-pages/man8/ip-rule.8.html
Is it what you want?
uidrange NUMBER-NUMBER
select the uid value to match.
I don't see gid option there.
Hello @sdev, could you please help to check if the fix can resolve the problem with FTP ALG? I tested the newest rolling release but the PASV command still causes the data connection to fail. My testing FTP server and client are both FileZilla products, please correct me if I made any mistakes during the test.
Oct 5 2023
Yes, I will add that as a first step ...
Added for 1.4, 1.5; as mentioned above, a backport to Equuleus will require a different implementation.
The similar bug with load if we change something in service https api
curl -k --location 192.168.122.11 --request POST 'https://192.168.122.11/config-file' --form data='{"op": "load", "file": "config.boot"}' --form key='foo'
{"success": false, "error": "", "data": null}
Based on the requirements, it is natural to add this to the commit_revision post-commit hook of the config_mgmt module: this is low overhead as we use the existing configtree representation of the current config to save with ConfigTree().to_json().
Oct 4 2023
@rherold Could you re-check it?
For me, it's ok. I didn't see another issue related to it. We can close.