I believe I’m running into part of the “geoip initialization” issue referenced here on the VyOS forum.
- Testing with 2026.04.13-0034-rolling.
- To be clear, the permissions issue is working great!
- However, on boot, geoip settings are not applying as I had expected them to.
- The workaround mentioned on the forum (calling update geoip in the postconfig boot script) is helpful, but it does not fix the case where this bug causes a failure to update /run/nftables-geoip.conf if a change is made or a rule is added to the geoip settings for policy > route(6) or for firewall.
- Completely deleting a geoip rule succeeds, at least partially, but only because geoip_refresh's nft call fails, triggering geoip_update.
I noticed 3 points where it doesn't behave as I've come to expect from VyOS 1.4.
(While policy > route behaves similarly, I will use firewall in the examples below.)
- geoip_updated seems to usually (incorrectly) return False, so geoip_update is not called unless by update geoip. This happens when a geoip rule is added or changed.
- If a geoip rule is deleted, I believe geoip_updated still returns False, but geoip_refresh fails, so geoip_update is called, and completes.
- geoip_update completely overwrites /run/nftables-geoip.conf, so unless called by update geoip, it only writes the config for the calling script, leaving the other empty even if it is set in the config from before.
(I am aware that updating firewall settings, also updates policy settings, since policy is a dependency of firewall.)
To duplicate number 1, add a firewall rule using geoip, comparing the state of /run/nftables-geoip.conf before and after committing:
```
conf
set firewall ipv4 input filter rule 120 action accept
set firewall ipv4 input filter rule 120 source geoip country-code gb
commit && save && exit
```
In testing here there is no change after the commit.
To duplicate number 2, run update geoip and confirm that /run/nftables-geoip.conf updated, delete the firewall rule just added, and inspect /run/nftables-geoip.conf again.
(This shows that deletion of a rule updates /run/nftables-geoip.conf in spite of number 1 above.)
```
update geoip
vim /run/nftables-geoip.conf
conf
delete firewall ipv4 input filter rule 120
commit && save && exit
```
To duplicate number 3, add rules to firewall and policy > route and commit. Then add a country to the firewall rule only and commit. Compare /run/nftables-geoip.conf before and after changing the country.
(This only works to duplicate after number 1 above has been corrected.)
To change number 1 for testing, replace geoip_updated with the following:

```python
# These helpers come from vyos-1x; the containing module is assumed to import them already.
from vyos.configdict import node_changed
from vyos.configdiff import Diff
from vyos.utils.dict import dict_search_recursive


def geoip_updated(conf):
    # Collect every firewall node that was added or deleted in this commit,
    # descending into nested nodes so that rule-level changes are seen.
    changes = node_changed(conf, ['firewall'],
                           key_mangling=('-', '_'),
                           recursive=True,
                           expand_nodes=Diff.ADD | Diff.DELETE)

    for change in changes:
        # Fetch the changed subtree and look for any 'geoip' node inside it.
        chg = conf.get_config_dict(['firewall', f'{change}'],
                                   key_mangling=('-', '_'),
                                   no_tag_node_value_mangle=True,
                                   get_first_key=True)
        if not chg:
            continue
        for _, _path in dict_search_recursive(chg, 'geoip'):
            # First geoip hit is enough: the sets must be regenerated.
            return True

    return False
```

Then restart the vyos-configd service and change the rules.

```
sudo systemctl restart vyos-configd && systemctl status vyos-configd
# add initial rules
conf
set firewall ipv4 input filter rule 120 action accept
set firewall ipv4 input filter rule 120 source geoip country-code gb
set policy route testroute rule 120 source geoip country-code ca
commit && save
run update geoip
vim /run/nftables-geoip.conf
# add a country to the policy rule only
set policy route testroute rule 120 source geoip country-code fr
commit && save
vim /run/nftables-geoip.conf
```
Here is how it seems to cause the geoip settings to not load at boot:
- In testing with geoip rules only set in firewall, not in policy > route, during a reboot policy_route.py is still called as a dependency of firewall.py.
- policy_route.py writes its empty config to /run/nftables-geoip.conf.
- Then, when firewall.py completes its call to geoip_refresh, the file /run/nftables-geoip.conf already exists, so the empty config is just reloaded.
Perhaps I am not understanding how this is intended to work...?
Or if further information is needed, that can be made available.
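The two failure modes described in the post (the shared file being fully overwritten by whichever script calls geoip_update, and geoip_refresh only reloading an already-existing file at boot) can be replayed outside VyOS with a small model. The following is an added, self-contained example, not code from the post or from vyos-1x: the `define` line format, the `GEOIP_<OWNER>_...` set names and the RFC 5737 prefixes are constructed stand-ins, and `update_merged` is a hypothetical alternative writer that keeps the other script's sets rather than a proposed patch.

```python
"""Model of overwrite-vs-merge writes to a shared geoip set file.

Hypothetical model, not VyOS code. Two config scripts ("POLICY" and
"FIREWALL") each own some geoip sets and both write the same file.
"""
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Illustrative line format; the real /run/nftables-geoip.conf naming is not reproduced here.
DEFINE_RE = re.compile(r'^define\s+(?P<name>\S+)\s*=\s*\{(?P<body>.*)\}\s*$')


def render(sets):
    """Render {set_name: [prefixes]} as one 'define' line per set."""
    return ''.join(
        f'define {name} = {{ {", ".join(prefixes)} }}\n'
        for name, prefixes in sorted(sets.items())
    )


def parse(text):
    """Inverse of render(); ignores lines that are not 'define' statements."""
    sets = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line.strip())
        if m:
            sets[m['name']] = [p.strip() for p in m['body'].split(',') if p.strip()]
    return sets


def update_overwrite(conf, owner, own_sets):
    """geoip_update as described in the post: the whole file becomes the caller's sets."""
    conf.write_text(render(own_sets))


def update_merged(conf, owner, own_sets):
    """Hypothetical alternative: keep other owners' defines, replace only this owner's."""
    existing = parse(conf.read_text()) if conf.exists() else {}
    kept = {n: p for n, p in existing.items() if not n.startswith(f'GEOIP_{owner}_')}
    kept.update(own_sets)
    conf.write_text(render(kept))


def refresh(conf, owner, own_sets, update):
    """geoip_refresh as described in the post: an existing file is only reloaded."""
    if not conf.exists():
        update(conf, owner, own_sets)
    return parse(conf.read_text())


# Constructed sample data (documentation prefixes, not real geoip ranges).
FIREWALL_SETS = {'GEOIP_FIREWALL_input_120': ['192.0.2.0/24', '198.51.100.0/24']}
FIREWALL_SETS_CHANGED = {'GEOIP_FIREWALL_input_120': ['192.0.2.0/24']}
POLICY_SETS = {'GEOIP_POLICY_testroute_120': ['203.0.113.0/24']}


def boot_sequence(update):
    """Boot scenario from the post: only firewall has geoip rules, but policy runs first.
    Returns the set names the firewall script ends up loading."""
    with TemporaryDirectory() as d:
        conf = Path(d) / 'nftables-geoip.conf'
        refresh(conf, 'POLICY', {}, update)                  # creates an empty file
        loaded = refresh(conf, 'FIREWALL', FIREWALL_SETS, update)  # file exists: reload only
    return sorted(loaded)


def change_sequence(update):
    """Point 3 from the post: both scripts have sets, then only the firewall rule changes.
    Returns the sets left in the file."""
    with TemporaryDirectory() as d:
        conf = Path(d) / 'nftables-geoip.conf'
        update(conf, 'POLICY', POLICY_SETS)
        update(conf, 'FIREWALL', FIREWALL_SETS)
        update(conf, 'FIREWALL', FIREWALL_SETS_CHANGED)
        result = parse(conf.read_text())
    return result


if __name__ == '__main__':
    for name, writer in (('overwrite', update_overwrite), ('merged', update_merged)):
        print(name, 'boot ->', boot_sequence(writer))
        print(name, 'change ->', change_sequence(writer))
```

Running it shows that a merging writer keeps the policy set across a firewall-only change, but that the boot result is empty with either writer, because the existence check in the refresh step, not the write itself, is what discards the firewall sets at boot.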