Heads up to anyone that has a “legacy” firewall zone configuration (prior to the implementation of T5160) AND firewall state-policy (global) installing a recent rolling image:
I’ve found that the migration of the global state policy doesn’t work; the new firewall syntax currently requires state policy to be defined in each custom firewall zone table.
More details filed in T5775.
PR for re adding global state policies: T5775: firewall: re-add state-policy to firewall. These commands are … by nicolas-fort · Pull Request #2539 · vyos/vyos-1x · GitHub
I’m delighted to report that the fix for this has been backported to the latest version of 1.4; special thanks to @GurliGebis.
I’ve tested it now, and the formerly-failing migration now works perfectly, with the restoration of Global State policy. 
Many thanks!
In the ticket linked in my original post, I showed the migration output going from 1.4-rolling-202306020317 to 1.5-rolling-202311220024.
In my testing today, I went from 1.4-rolling-202306020317 to a fresh build of the most recent code in the 1.4 repository, dubbed vyos-1.4-rolling-202312181512.
The migrated state policy in vyos-1.4-rolling-202312181512 now looks like this:
firewall {
global-options {
state-policy {
established {
action accept
}
invalid {
action drop
}
related {
action accept
}
}
}
Hi @marvin!
Thank you for for sharing this fantastic news! I echo the huge thanks to @GurliGebis! Also, a big thank you to you for testing and confirming that the formerly-failing migration now works perfectly, with the restoration of the Global State policy. Everyone in this community is a Rock Star 
, contributing to the continuous improvement of VyOS products. 
You’re very welcome, was pretty easy to backport 
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.