8 files changed, 76 insertions, 7 deletions

diff --git a/data/templates/frr/policy.frr.j2 b/data/templates/frr/policy.frr.j2
index ed5876ae9..c28633f6f 100644
--- a/data/templates/frr/policy.frr.j2
+++ b/data/templates/frr/policy.frr.j2
@@ -252,6 +252,9 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }}
 {%                     if rule_config.match.rpki is vyos_defined %}
  match rpki {{ rule_config.match.rpki }}
 {%                     endif %}
+{%                     if rule_config.match.source_vrf is vyos_defined %}
+ match source-vrf {{ rule_config.match.source_vrf }}
+{%                     endif %}
 {%                     if rule_config.match.tag is vyos_defined %}
  match tag {{ rule_config.match.tag }}
 {%                     endif %}
diff --git a/interface-definitions/include/version/wanloadbalance-version.xml.i b/interface-definitions/include/version/wanloadbalance-version.xml.i
index 59f8729cc..34c3c76ff 100644
--- a/interface-definitions/include/version/wanloadbalance-version.xml.i
+++ b/interface-definitions/include/version/wanloadbalance-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/wanloadbalance-version.xml.i -->
-<syntaxVersion component='wanloadbalance' version='3'></syntaxVersion>
+<syntaxVersion component='wanloadbalance' version='4'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in
index cbab6173f..faba91ef0 100644
--- a/interface-definitions/policy.xml.in
+++ b/interface-definitions/policy.xml.in
@@ -1096,6 +1096,20 @@
                       </constraint>
                     </properties>
                   </leafNode>
+                  <leafNode name="source-vrf">
+                    <properties>
+                      <help>Source vrf</help>
+                      #include <include/constraint/vrf.xml.i>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>VRF instance name</description>
+                      </valueHelp>
+                      <completionHelp>
+                        <path>vrf name</path>
+                        <list>default</list>
+                      </completionHelp>
+                    </properties>
+                  </leafNode>
                   #include <include/policy/tag.xml.i>
                 </children>
               </node>
diff --git a/smoketest/scripts/cli/test_load-balancing_wan.py b/smoketest/scripts/cli/test_load-balancing_wan.py
index f652988b2..32e5f6915 100755
--- a/smoketest/scripts/cli/test_load-balancing_wan.py
+++ b/smoketest/scripts/cli/test_load-balancing_wan.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022-2024 VyOS maintainers and contributors
+# Copyright (C) 2022-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -272,6 +272,9 @@ echo "$ifname - $state" > {hook_output_path}
         self.cli_set(base_path + ['wan', 'interface-health', isp2_iface, 'failure-count', '1'])
         self.cli_set(base_path + ['wan', 'interface-health', isp2_iface, 'nexthop', '192.0.2.2'])
         self.cli_set(base_path + ['wan', 'interface-health', isp2_iface, 'success-count', '1'])
+        self.cli_set(base_path + ['wan', 'rule', '5', 'exclude'])
+        self.cli_set(base_path + ['wan', 'rule', '5', 'inbound-interface', 'eth*'])
+        self.cli_set(base_path + ['wan', 'rule', '5', 'destination', 'address', '10.0.0.0/8'])
         self.cli_set(base_path + ['wan', 'rule', '10', 'failover'])
         self.cli_set(base_path + ['wan', 'rule', '10', 'inbound-interface', lan_iface])
         self.cli_set(base_path + ['wan', 'rule', '10', 'protocol', 'udp'])
@@ -291,6 +294,7 @@ echo "$ifname - $state" > {hook_output_path}
         # Verify isp1 + criteria
 
         nftables_search = [
+            [f'iifname "eth*"', 'ip daddr 10.0.0.0/8', 'return'],
             [f'iifname "{lan_iface}"', 'ip saddr 198.51.100.0/24', 'udp sport 53', 'ip daddr 192.0.2.0/24', 'udp dport 53', f'jump wlb_mangle_isp_{isp1_iface}']
         ]
 
diff --git a/smoketest/scripts/cli/test_policy.py b/smoketest/scripts/cli/test_policy.py
index 9d4fc0845..985097726 100755
--- a/smoketest/scripts/cli/test_policy.py
+++ b/smoketest/scripts/cli/test_policy.py
@@ -1149,6 +1149,16 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
                     },
                 },
             },
+            'vrf-match': {
+                'rule': {
+                    '10': {
+                        'action': 'permit',
+                        'match': {
+                            'source-vrf': 'TEST',
+                        },
+                    },
+                },
+            },
         }
 
         self.cli_set(['policy', 'access-list', access_list, 'rule', '10', 'action', 'permit'])
@@ -1260,6 +1270,8 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
                         self.cli_set(path + ['rule', rule, 'match', 'rpki', 'valid'])
                     if 'protocol' in rule_config['match']:
                         self.cli_set(path + ['rule', rule, 'match', 'protocol', rule_config['match']['protocol']])
+                    if 'source-vrf' in rule_config['match']:
+                        self.cli_set(path + ['rule', rule, 'match', 'source-vrf', rule_config['match']['source-vrf']])
                     if 'tag' in rule_config['match']:
                         self.cli_set(path + ['rule', rule, 'match', 'tag', rule_config['match']['tag']])
 
@@ -1438,6 +1450,9 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
                     if 'rpki-valid' in rule_config['match']:
                         tmp = f'match rpki valid'
                         self.assertIn(tmp, config)
+                    if 'source-vrf' in rule_config['match']:
+                        tmp = f'match source-vrf {rule_config["match"]["source-vrf"]}'
+                        self.assertIn(tmp, config)
                     if 'tag' in rule_config['match']:
                         tmp = f'match tag {rule_config["match"]["tag"]}'
                         self.assertIn(tmp, config)
diff --git a/src/conf_mode/load-balancing_wan.py b/src/conf_mode/load-balancing_wan.py
index b3dd80a9a..92d9acfba 100755
--- a/src/conf_mode/load-balancing_wan.py
+++ b/src/conf_mode/load-balancing_wan.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# Copyright (C) 2023-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -71,8 +71,8 @@ def verify(lb):
 
     if 'rule' in lb:
         for rule_id, rule_conf in lb['rule'].items():
-            if 'interface' not in rule_conf:
-                raise ConfigError(f'Interface not specified on load-balancing wan rule {rule_id}')
+            if 'interface' not in rule_conf and 'exclude' not in rule_conf:
+                raise ConfigError(f'Interface or exclude not specified on load-balancing wan rule {rule_id}')
 
             if 'failover' in rule_conf and 'exclude' in rule_conf:
                 raise ConfigError(f'Failover cannot be configured with exclude on load-balancing wan rule {rule_id}')
diff --git a/src/helpers/vyos-load-balancer.py b/src/helpers/vyos-load-balancer.py
index 2f07160b4..30329fd5c 100755
--- a/src/helpers/vyos-load-balancer.py
+++ b/src/helpers/vyos-load-balancer.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 
-# Copyright 2024 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2024-2025 VyOS maintainers and contributors <maintainers@vyos.io>
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -95,7 +95,7 @@ def on_state_change(lb, ifname, state):
 def get_ipv4_address(ifname):
     # Get primary ipv4 address on interface (for source nat)
     addr_json = get_interface_address(ifname)
-    if 'addr_info' in addr_json and len(addr_json['addr_info']) > 0:
+    if addr_json and 'addr_info' in addr_json and len(addr_json['addr_info']) > 0:
         for addr_info in addr_json['addr_info']:
             if addr_info['family'] == 'inet':
                 if 'local' in addr_info:
diff --git a/src/migration-scripts/wanloadbalance/3-to-4 b/src/migration-scripts/wanloadbalance/3-to-4
new file mode 100644
index 000000000..e49f46a5b
--- /dev/null
+++ b/src/migration-scripts/wanloadbalance/3-to-4
@@ -0,0 +1,33 @@
+# Copyright 2025 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.configtree import ConfigTree
+
+base = ['load-balancing', 'wan']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    if config.exists(base + ['rule']):
+        for rule in config.list_nodes(base + ['rule']):
+            rule_base = base + ['rule', rule]
+
+            if config.exists(rule_base + ['inbound-interface']):
+                ifname = config.return_value(rule_base + ['inbound-interface'])
+
+                if ifname.endswith('+'):
+                    config.set(rule_base + ['inbound-interface'], value=ifname.replace('+', '*'))