All Stories
Sep 27 2023
Add option protocol, PR https://github.com/vyos/vyos-1x/pull/2313
set policy local-route rule 100 destination '192.0.2.12'
set policy local-route rule 100 protocol 'tcp'
set policy local-route rule 100 set table '100'
Adding use outline from PR for future reference; the dir vyos-1x-current below refers to a local copy of the vyos-1x source:
PR created for part 1/2 (vyatta-cfg-system): https://github.com/vyos/vyatta-cfg-system/pull/209
Fixed
Build was successful and smoketests are currently in progress.
Sep 26 2023
If build and smoketests are successful a commit will arrive later today.
... of course, feel free to experiment; I have not yet considered the proposed idea.
@Apachez note that those legacy image install scripts will be removed following
https://vyos.dev/T4516
Work on completing that is active this week and should be finished soon. You may want to hold off on this investigation until then.
Point 1 might be solved by using a hooks/live-script for the binary part, which is the part after the chroot has been created.
PR created: https://github.com/vyos/vyos-build/pull/426
Turned out to be a little of a challenge to "just" strip all binaries (and libraries, modules etc).
Also added flowtable as nothing needs to be sequenced in there either:
https://github.com/JeffWDH/vyos-1x/commit/ac22cc054d9c15af010c824ac9a05f5cc71fc954
I have not contributed code to this project before so let me know if I've missed conventions...
Just to be clear, the build I'm going from is just my own build of current to my own build of current -- it says 1.4 because I only changed the version string to 1.5 after this build went through since I'm the only one using my build :)
I just noticed that this still is a problem. Excerpt below from downloading an upgrade:
PR for 1.3 https://github.com/vyos/vyos-1x/pull/2310
In T5497#160905, @JeffWDH wrote: 1.5-rolling-202309250022
Is there a reason why some global options and some address groups (not all) are included in the output? Seems unintentional to me.
We have fwmark for policy local-route
But it is only for match mark and routing decision
vyos@vyos-lns# set policy local-route rule 100
Possible completions:
+  destination          Destination address or prefix
   fwmark               Match fwmark value
   inbound-interface    Inbound Interface
 > set                  Packet modifications
+  source               Source address or prefix
Sep 25 2023
Have to add Debian package "binutils" to make "strip" work within the chroot of livebuild.
This is an artifact of the remaining use in 1.3 of the legacy XorpConfigParser: the last use of that legacy piece was removed from 1.4 in Sep 2021, but is still called by 'vyatta_interface_rescan' in 1.3, so will be seen after changing MAC addresses if the config is not saved. A quick summary of the history is here and quoted below:
Implement hooks-script for livebuild that recursively goes through the following directories using "strip --strip-all" (syntax to be verified):
Shouldn't that be default for lb then in the vyos buildscripts, and how does --debug affect things other than logging during build?
What is the "system update-check url" supposed to be once it's implemented?
Note that it is the "--debug" flag that one wants in order to see the full mksquashfs command that is executed.
Sep 24 2023
@stingalleman As mentioned above (and confirmed in discussions earlier this week), we've had few if any reports of issues with the udev approach, so we would be very interested to hear details of your case.
Not sure what to do on this one. The firewall is depending on conntrack module, which updates the conntrack related sysctls. It'd be the same if someone defines custom sysctls used by other conf scripts.
When will this bug be fixed? I am having a lot of issues with this.
Verified to be working as expected.
@jestabro I haven't verified it yet but then perhaps the buildscript for VyOS should be altered to include --verbose?
Verified through smoketests.
Verified through smoketests.
PR removing zone-policy op-mode: https://github.com/vyos/vyos-1x/pull/2304
Sep 23 2023
Sep 22 2023
Op-mode command reduce
PR https://github.com/vyos/vyos-1x/pull/2302
vyos@r4:~$ show conf com | match firew
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Allow loopback'
set firewall ipv4 input filter rule 1 inbound-interface interface-name 'lo'
set firewall ipv4 input filter rule 1 source address '127.0.0.0/8'
set firewall ipv4 input filter rule 2 action 'accept'
set firewall ipv4 input filter rule 2 description 'Allow established/related'
set firewall ipv4 input filter rule 2 state established 'enable'
set firewall ipv4 input filter rule 2 state related 'enable'
set firewall ipv4 input filter rule 60 action 'accept'
set firewall ipv4 input filter rule 60 description 'Allow SSH from trusted networks'
set firewall ipv4 input filter rule 60 destination port '22'
set firewall ipv4 input filter rule 60 protocol 'tcp'
set firewall ipv4 input filter rule 10000 action 'drop'
set firewall ipv4 input filter rule 10000 description 'Drop everything else'
vyos@r4:~$
vyos@r4:~$ produce firewall rule-resequence start 10 step 10