https://github.com/vyos/vyos-1x/pull/284

This check interferes with the commit.
https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/interfaces-vxlan.py#L163

I created a network diagram for "l2vpn evpn" implementation.
I used this instruction vxlan-bgp-vpn

It requires a migration of the VTI interface to python first.

Well - making all IPv6 stuff a noop is not coded into VyOS. Can you show real life examples of increased attack surface?

it's enabled by default.

It's useful when the user is sure he doesn't want IPv6, as it lessens the attack surface, especially if the user doesn't know he needs to configure a IPv6 firewall separately to the IPv4 firewall. Even link-local addresses can be used to launch attacks in the absence of a firewall config.
IMO the configured interface addresses and v6 nodes should become no-ops, possibly print a warning on commit.
On the other hand, leaving IPv6 enabled, would be better to move in the direction of v6 adoption. Personally, I'd prefer this, and leave v6 enabled by default.

in my opinion it should be always enabled

Actually why do you wan't to disbale IPv6 on the system? I think this is a huge workpackage.

Downloaded the latest rolling, the only thing I have done with the rolling was installing it on a fresh Proxmox VM. I created two firewall groups with the same name - one for address-group and the other is for port-group.

@c-po this is operation commands, as I understand you propose to write py script with return_effective_ , correct?