Configured zone-policy or add interface into vrf will be BGP process crash

As title.
Current version: VyOS 1.4-rolling-202207170217.

hi ,

could you share your current configuration ? and the steps how you set both service (vrf with fw) .also did you try it with a nightly version ?

I’ve found in our technical task two bugs , it’s possible that you are affected for those bugs with firewall+vrf :

https://phabricator.vyos.net/T3933

https://phabricator.vyos.net/T2251

if it’s possible to share your current configuration , so we can replicate the issues or update the cases. thanks

set firewall group ipv6-network-group Allow-ICMP-Network network '2400:*:*::14/127'
set firewall group ipv6-network-group Allow-ICMP-Network network '2400:*:*::12/127'
set firewall group ipv6-network-group Allow-ICMP-Network network '2400:*:*::e/127'
set firewall group ipv6-network-group Allow-ICMP-Network network '2400:*:*::c/127'
set firewall group ipv6-network-group Allow-ICMP-Network network '2400:*:*::126/127'
set firewall group ipv6-network-group Drop-Packet-Network network '2400:*::/32'
set firewall group network-group Allow-HKIX-CMI network '103.*.*.0/22'
set firewall group network-group Allow-HKIX-CMI network '103.*.*.0/22'
set firewall group network-group Allow-HKIX-CMI network '103.*.*.0/22'
set firewall group network-group Drop-Packet-Network network '121.*.*.0/24'
set firewall group network-group Drop-Packet-Network network '123.*.*.0/23'
set firewall group network-group Drop-Packet-Network network '100.*.*.0/30'
set firewall group network-group Drop-Packet-Network network '100.*.*.4/30'
set firewall group network-group Drop-Packet-Network network '100.*.*.8/30'
set firewall group network-group Drop-Packet-Network network '100.*.*.12/30'
set firewall ipv6-name Drop-Packet default-action 'accept'
set firewall ipv6-name Drop-Packet rule 10 action 'drop'
set firewall ipv6-name Drop-Packet rule 10 icmpv6 type-name 'time-exceeded'
set firewall ipv6-name Drop-Packet rule 10 protocol 'ipv6-icmp'
set firewall ipv6-name Drop-Packet rule 10 source group network-group 'Drop-Packet-Network'
set firewall name Drop-Packet default-action 'accept'
set firewall name Drop-Packet rule 10 action 'drop'
set firewall name Drop-Packet rule 10 icmp code '0'
set firewall name Drop-Packet rule 10 protocol 'icmp'
set firewall name Drop-Packet rule 10 source group network-group 'Drop-Packet-Network'
set interfaces ethernet eth2 hw-id '3c:ec:ef:e9:e2:b5'
set interfaces ethernet eth2 vif 892 address '100.*.*.2/30'
set interfaces ethernet eth2 vif 892 vrf 'HKIX'
set interfaces ethernet eth2 vif 2000 address '121.*.*.102/30'
set interfaces ethernet eth2 vif 2000 address '2400:*:*::15/127'
set interfaces ethernet eth2 vif 2000 vrf 'HKG-GT-2018'
set interfaces ethernet eth3 hw-id '6c:b3:11:21:31:ce'
set interfaces ethernet eth3 vif 2000 address '121.*.*.125/30'
set interfaces ethernet eth3 vif 2000 address '2400:*:*::126/127'
set interfaces ethernet eth3 vif 2000 description 'HK2018-Middle'
set interfaces ethernet eth3 vif 2000 vrf 'HK2018-Middle'
set vrf name HK2018-Middle protocols bgp address-family ipv4-unicast import vrf 'HKG-GT-2021'
set vrf name HK2018-Middle protocols bgp address-family ipv6-unicast import vrf 'HKG-GT-2021'
set vrf name HK2018-Middle protocols bgp local-as '****'
set vrf name HK2018-Middle protocols bgp neighbor 121.*.*.126 address-family ipv4-unicast nexthop-self
set vrf name HK2018-Middle protocols bgp neighbor 121.*.*.126 address-family ipv4-unicast route-map export 'ExportCTGNET'
set vrf name HK2018-Middle protocols bgp neighbor 121.*.*.126 address-family ipv4-unicast route-map import 'RemoveASN-****'
set vrf name HK2018-Middle protocols bgp neighbor 121.*.*.126 address-family ipv4-unicast route-reflector-client
set vrf name HK2018-Middle protocols bgp neighbor 121.*.*.126 remote-as '**'
set vrf name HK2018-Middle protocols bgp neighbor 2400:*:*::127 address-family ipv6-unicast nexthop-self
set vrf name HK2018-Middle protocols bgp neighbor 2400:*:*::127 address-family ipv6-unicast route-map export 'ExportCTGNET'
set vrf name HK2018-Middle protocols bgp neighbor 2400:*:*::127 address-family ipv6-unicast route-map import 'RemoveASN-****'
set vrf name HK2018-Middle protocols bgp neighbor 2400:*:*::127 address-family ipv6-unicast route-reflector-client
set vrf name HK2018-Middle protocols bgp neighbor 2400:*:*::127 remote-as '**'
set vrf name HK2018-Middle protocols bgp parameters log-neighbor-changes
set vrf name HK2018-Middle table '268'
set zone-policy zone Downstream-2018 from Internet-Exchange firewall ipv6-name 'Drop-Packet'
set zone-policy zone Downstream-2018 from Internet-Exchange firewall name 'Drop-Packet'
set zone-policy zone Downstream-2018 from Local firewall ipv6-name 'Drop-Packet'
set zone-policy zone Downstream-2018 from Local firewall name 'Drop-Packet'
set zone-policy zone Downstream-2018 from Upstream-2018 firewall ipv6-name 'Drop-Packet'
set zone-policy zone Downstream-2018 from Upstream-2018 firewall name 'Drop-Packet'
set zone-policy zone Downstream-2018 interface 'HK2018-Middle'
set zone-policy zone Downstream-2018 interface 'eth3.2000'
set zone-policy zone Internet-Exchange from Downstream-2018 firewall ipv6-name 'Drop-Packet'
set zone-policy zone Internet-Exchange from Downstream-2018 firewall name 'Drop-Packet'
set zone-policy zone Internet-Exchange interface 'HKIX'
set zone-policy zone Internet-Exchange interface 'eth2.892'
set zone-policy zone Local default-action 'drop'
set zone-policy zone Local from Downstream-2018 firewall ipv6-name 'Drop-Packet'
set zone-policy zone Local from Downstream-2018 firewall name 'Drop-Packet'
set zone-policy zone Local from Internet-Exchange firewall ipv6-name 'Drop-Packet'
set zone-policy zone Local from Internet-Exchange firewall name 'Drop-Packet'
set zone-policy zone Local from Upstream-2018 firewall ipv6-name 'Drop-Packet'
set zone-policy zone Local from Upstream-2018 firewall name 'Drop-Packet'
set zone-policy zone Local local-zone
set zone-policy zone Upstream-2018 from Downstream-2018 firewall ipv6-name 'Drop-Packet'
set zone-policy zone Upstream-2018 from Downstream-2018 firewall name 'Drop-Packet'
set zone-policy zone Upstream-2018 from Internet-Exchange firewall ipv6-name 'Drop-Packet'
set zone-policy zone Upstream-2018 from Internet-Exchange firewall name 'Drop-Packet'
set zone-policy zone Upstream-2018 from Local firewall ipv6-name 'Drop-Packet'
set zone-policy zone Upstream-2018 from Local firewall name 'Drop-Packet'
set zone-policy zone Upstream-2018 interface 'HKG-GT-2018'
set zone-policy zone Upstream-2018 interface 'eth2.2000'

When I modify or add interface configured, like:
set interfaces ethernet eth2 vif 3000 address ‘xxx.xxx.xxx.xxx’
set interfaces ethernet eth2 vif 3000 vrf ‘HKG-GT-2018’
set zone-policy zone Upstream-2018 interface ‘eth2.3000’
commit

Then BGP process crash by random.