PR: https://github.com/vyos/vyos-1x/pull/2355

show conntrack statistics shows only sudo conntrack -S command
This won't show any logs

In T5497#161764, @Apachez wrote:

I assume this will end up in config mode aswell before this task can be set to resolved?

Simply because this is a few more steps:

• Use the command
• Copy the output
• Delete current firewall
• Paste command output
• Commit

than this:

• Use the command
• Commit

I assume this will end up in config mode aswell before this task can be set to resolved?

Once PR https://github.com/vyos/vyos-1x/pull/2344 is merged, counters and logs for default action should be available once again.

It's an op-mode command, so it does not changes configuration. User may get something different from what he expected, so at least on this very first attempt of re-generating and re-ordering firewall rules, it's done in op-mode command with no impact on running configuration.

The syntax seems to have changed from "produce" to "generate" during this task?

Updated scan performed on VyOS 1.5-rolling-202310090023 (see attached file).

show conntrack statistics still fails in VyOS 1.5-rolling-202310090023:

Seems to be fixed in VyOS 1.5-rolling-202310090023:

Problem remains with "N/D" is being used in show firewall groups instead of "None".

Verified in VyOS 1.5-rolling-202310090023:

Verified in VyOS 1.5-rolling-202310090023:

Works as expected:

PR:
https://github.com/vyos/vyos-1x/pull/2352

Final testing before PR, the following corrects behavior when configuring the http-api using the http-api, for example:

PR created: https://github.com/vyos/vyos-build/pull/435

As @twan mentioned previously...

Turns out that packages/linux-kernel/arch/x86/configs/vyos_defconfig doesnt include xz as option for initrd:

Will attempt to:

I see, looks like a way more streamlined approach. Thank you for the information and the quick response!

A new firewall frontend engine was implemented in VyOS 1.4-rolling-202308040557.

Good to hear that this was implemented, thank you! Could you elaborate in which release this feature will be available?

In T5635#161656, @freebsdjlu wrote:

I think it depends on nftables , https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_by_socket_UID_.2F_GID , it is first handled by nftables and mark , then use rule .

PR created: https://github.com/vyos/vyos-1x/pull/2349

PR for 1.3 https://github.com/vyos/vyos-1x/pull/2348

PR for 1.3 https://github.com/vyos/vyos-1x/pull/2347

I think it depends on nftables , https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_by_socket_UID_.2F_GID , it is first handled by nftables and mark , then use rule .

PR for 1.4 https://github.com/vyos/vyos-1x/pull/2346

The blog over at claims:

PR: https://github.com/vyos/vyos-1x/pull/2344

Closing this one, because it's already implemented

PR https://github.com/vyos/vyos-1x/pull/2342

set policy local-route rule 23 destination port '222'
set policy local-route rule 23 protocol 'tcp'
set policy local-route rule 23 set table '123'
set policy local-route rule 23 source port '8888'

Check:

vyos@r4# ip rule show prio 23
23:	from all ipproto tcp sport 8888 dport 222 lookup 123
[edit]
vyos@r4#

It supports uidrange https://man7.org/linux/man-pages/man8/ip-rule.8.html
is it what you want?

uidrange NUMBER-NUMBER
       select the uid value to match.

I don't see gid option there.

Hello @sdev , could you please help to check if the fix can resolve the problem with FTP ALG? I tested the newest rolling release but the PASV command still causes the data connection gets failed. My testing FTP server and client are both Filezilla product, please correct me if any mistakes I made during the test.

Yes, I will add that as a first step ...

Added for 1.4, 1.5; as mentioned above, a backport to Equuleus will require a different implementation.