@n.fort @Viacheslav
Here is an example of what I am after for DNAT rule, specifically, using meta pkttype:

QoS Policy Limiter now works correctly.
But the shaper classes for tagged traffic don't work.

I was able to get it to work as expected by reducing the lease below 4294967295 and removing the /config/dhcpd.leases file. It should work per the instruction to make the lease effectively static. It had worked in the past so at some point the check that the resultant lease end day is numeric.

Example configuration:

PR: https://github.com/vyos/vyos-1x/pull/1881

My bad

Seems to be the same task -> https://vyos.dev/T5018

Just put this on a live system, and it behaves as intended (so far). Special meaning of _ would certainly have to be added to the check, i guess, but that needs further delving into bgp-regex syntax.

https://github.com/vyos/vyos-1x/pull/1880

@Jimz could you share an example of configuration?
I can't reproduce it with

set service dhcp-server shared-network-name Lan01 authoritative
set service dhcp-server shared-network-name Lan01 name-server '1.1.1.1'
set service dhcp-server shared-network-name Lan01 subnet 192.0.2.0/24 default-router '192.0.2.1'
set service dhcp-server shared-network-name Lan01 subnet 192.0.2.0/24 range R1 start '192.0.2.10'
set service dhcp-server shared-network-name Lan01 subnet 192.0.2.0/24 range R1 stop '192.0.2.254'
set service dhcp-server shared-network-name Lan01 subnet 192.0.2.0/24 static-mapping myhost ip-address '192.0.2.5'
set service dhcp-server shared-network-name Lan01 subnet 192.0.2.0/24 static-mapping myhost mac-address '02:a6:0c:88:3e:a2'

Let me give it another test-run in a bit and then i'll issue a PR.

Could you create a PR?

Discovered a couple of problems with chrony using the existing CLI.

PR https://github.com/vyos/vyos-1x/pull/1879

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1878

PR https://github.com/vyos/vyos-1x/pull/1877

@c-po Isnt this implementation wrong for "shaper" anyway?
The speed should only be taken from the interface as an last resort, if the default bandwidth is configured in a no percentage unit it should be used instead, no?

This was never reproduced; user will report if recurrence and we will reopen as needed.

Lower priority and will need testing when implemented.

Looking at the regex it seems that . (dot) is also allowed. Is that right? If so, the error message should be altered accordingly.

PR https://github.com/vyos/vyos-1x/pull/1875

As you can see LNS/MPLS-PE is being built on VyOS 1.4. MPLS-P are NSN (aka Alcatel Lucent) boxes as far as i know.

There is the regex
It seems don't validate correctly if only one letter before the hyphen, underscores

vyos@r14# set firewall group domain-group a_aa

Great project! As I understand it, you're using BGP label-unicast to transport labels, and I'm curious about the operating systems your PEs/Ps are running on - are they Cisco, Juniper, or other vendors? I'm particularly interested in learning about the interoperability between different vendors so that I can incorporate it into my testing. @aserkin

For "SSH" we have dynamic-protection

vyos@r14# set service ssh dynamic-protection  
Possible completions:
+  allow-from           Always allow inbound connections from these systems
   block-time           Block source IP in seconds. Subsequent blocks increase by a
                        factor of 1.5 (default: 120)
   detect-time          Remember source IP in seconds before reset their score (default:
                        1800)
   threshold            Block source IP when their cumulative attack score exceeds
                        threshold (default: 30)

BTW this configuration takes almost 20 minutes to load. I wonder if there's a way to speed up this process?

+1 for implementation

Thank you, @c-po. Will try raising limits to 4096.
Well in this project we're trying to implement L2TP network server with MPLE-PE functionality with our partner mobile operator. This is for b2b projects with a number of customers connecting their mobiles to corporate resources for some reasons.
So the config has three groups of BGP peers: four of ipv4-unicast peers (10.228.134.34, 10.228.134.36, 10.228.134.38, 10.228.134.40) for connection to L2TP LACs (actually they are mobile gateways - GGSN/PGW) and AAA servers, another pair is ipv4-vpn multihop peers (10.5.72.1,10.5.72.2) where customer's L3VPN connections are terminated, And one more peer connecting to 3d party carrier grade NAT solution for the customers who need Internet access.
The LNS and NAT nodes are implemented on a single server with KVM virtual machines interconnected with each other and with external world by OpenVSvitch/DPDK.
The VRF names are assigned by AAA server for each subscriber with Accel-VRF-Name attribute.
This is also where the defect https://github.com/FRRouting/frr/issues/12919 comes from. Just to spot on it)
Let me know if you nedd additional info.

I can confirm that after adding the aforementioned code block to my scripts everything works as expected.

@aserkin WOW that is a huge VRF config. With that amount you definately reach the max FD limit.

Backport PR:
https://github.com/vyos/vyos-1x/pull/1874

Backport PR for this and T4872:
https://github.com/vyos/vyos-1x/pull/1874