
[BUG] Vrouter app firewall rules for VyOS 1.5 #257

@nblair2


Bug Report

Description

It looks like VyOS made some changes with version 1.4, using zone-based firewalls. This means that rules configured by the vrouter app get created correctly, but are not assigned correctly to a processing stage.

Steps to Reproduce

  1. Boot the experiment with
     scenario.yml
     topology.yml
  2. Wait for OSPF routes to transmit
  3. From LAN1-ws, run ping 10.0.2.2

Expected Behavior

LAN1-ws should not be able to reach LAN2-ws.

Actual Behavior

LAN1-ws can reach LAN2-ws.

rtr1

Firewall statistics show no packets hitting the allow established/related rule.

rtr2

Firewall statistics show no packets hitting the drop-all rule.

Environment

  • Operating System: VyOS
  • Version: 1.5-rolling-202509032030

Additional Context

I will investigate a little more, but my first impression is that a fix will not be backward compatible. Wondering if a fix needs to respect older versions of VyOS (so we would need to add a flag in the vrouter app for the VyOS version, or something like that)?

Checklist

  • I have included no proprietary/sensitive information in my issue.
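An added check, not part of this issue or of the vrouter app, that detects the condition reported above: it scans the output of "show configuration commands" for named rulesets that nothing attaches to a zone policy or to a forward/input/output filter jump. The command syntax is assumed to be VyOS 1.4+ syntax and the sample configuration is constructed for this example; the ruleset names are hypothetical.

```python
import re

# Constructed sample of "show configuration commands | grep firewall" output
# on a VyOS 1.5 router (assumed 1.4+ syntax). LAN1-TO-LAN2 is defined but
# never attached anywhere, which is the silent failure described in the issue;
# LAN2-TO-LAN1 is attached through a zone policy.
SAMPLE_CONFIG = """\
set firewall ipv4 name LAN1-TO-LAN2 default-action 'drop'
set firewall ipv4 name LAN1-TO-LAN2 rule 10 action 'accept'
set firewall ipv4 name LAN1-TO-LAN2 rule 10 state 'established'
set firewall ipv4 name LAN1-TO-LAN2 rule 10 state 'related'
set firewall ipv4 name LAN2-TO-LAN1 default-action 'drop'
set firewall ipv4 name LAN2-TO-LAN1 rule 10 action 'accept'
set firewall ipv4 name LAN2-TO-LAN1 rule 10 state 'established'
set firewall zone LAN1 interface 'eth1'
set firewall zone LAN2 interface 'eth2'
set firewall zone LAN1 from LAN2 firewall name 'LAN2-TO-LAN1'
"""

# A named ruleset is defined by "firewall ipv4|ipv6 name <NAME> ...".
NAME_RE = re.compile(r"^set firewall ipv[46] name (\S+)")
# Attachment point 1: a zone policy referencing the ruleset by name.
ZONE_REF_RE = re.compile(
    r"^set firewall zone \S+ from \S+ firewall (?:ipv6-)?name (\S+)")
# Attachment point 2: a jump from one of the base chains to the ruleset.
JUMP_RE = re.compile(
    r"^set firewall ipv[46] (?:forward|input|output) filter rule \d+ jump-target (\S+)")


def strip_quotes(token):
    """Configuration values are printed single-quoted; normalise them."""
    return token.strip("'\"")


def find_unattached_rulesets(config_text):
    """Return the sorted names of rulesets that exist but are never attached,
    i.e. rules that will never see a packet regardless of their content."""
    defined, attached = set(), set()
    for line in config_text.splitlines():
        line = line.strip()
        m = NAME_RE.match(line)
        if m:
            defined.add(strip_quotes(m.group(1)))
            continue
        for pattern in (ZONE_REF_RE, JUMP_RE):
            m = pattern.match(line)
            if m:
                attached.add(strip_quotes(m.group(1)))
    return sorted(defined - attached)


if __name__ == "__main__":
    print("unattached rulesets:", find_unattached_rulesets(SAMPLE_CONFIG))
```

An empty result means every ruleset is reachable from some stage; a non-empty result explains zero hit counts in the firewall statistics before any individual rule is inspected.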
