Disabling GRE conntrack module fails
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	stepler
	Feb 5 2021, 3:52 PM

Description

As of Linux kernel 5.0, nf_nat_proto_gre is gone and nf_conntrack_proto_gre is built-in to the kernel (no longer a module). Consequently, trying to disable the GRE conntack module fails:

vyos@vyos:~$ configure
[edit]
vyos@vyos# set system conntrack modules pptp disable
[edit]
vyos@vyos# set system conntrack modules gre disable
[edit]
vyos@vyos# commit
[ system conntrack hash-size 32768 ]
Updated conntrack hash size. This change will take affect when the system is rebooted.

[ system conntrack modules gre disable ]
rmmod: ERROR: Module nf_nat_proto_gre is not currently loaded
rmmod: ERROR: Module nf_conntrack_proto_gre is not currently loaded

[[system conntrack]] failed
Commit failed
[edit]
vyos@vyos# exit discard
exit
vyos@vyos:~$ show version

Version:          VyOS 1.3-beta-202102040443
Release Train:    equuleus

Built by:         [email protected]
Built on:         Thu 04 Feb 2021 04:43 UTC
Build UUID:       d3d7fa63-efaf-435f-9d02-a171a8ecf96b
Build Commit ID:  e5b0cc71295acd

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    d0204c55-cfc3-47a0-bc5b-459efcb76ba8

Copyright:        VyOS maintainers and contributors

As it is no longer possible to disable GRE connection tracking at runtime, the configuration node should be removed.

Details

Difficulty level: Easy (less than an hour)
Version: 1.3-beta-202102040443
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible

Event Timeline

stepler created this task.Feb 5 2021, 3:52 PM

Viacheslav changed the task status from Open to Confirmed.Feb 5 2021, 4:17 PM

Viacheslav triaged this task as Normal priority.

Viacheslav changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).

Viacheslav changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

PR
https://github.com/vyos/vyatta-conntrack/pull/2

Viacheslav removed Viacheslav as the assignee of this task.Feb 10 2021, 9:24 PM

stepler changed the task status from Confirmed to In progress.Feb 11 2021, 1:36 AM

stepler claimed this task.

PR https://github.com/vyos/vyatta-conntrack/pull/3
PR https://github.com/vyos/vyatta-cfg-firewall/pull/20
PR https://github.com/vyos/vyos-1x/pull/730

PR https://github.com/vyos/vyatta-cfg-firewall/pull/20 is still pending to clean up the following log entry:

Feb 15 16:20:48 vyos modprobe: FATAL: Module nf_nat_proto_gre not found in directory /lib/modules/5.10.14-amd64-vyos

Looks good on 1.4-rolling-202102162107 (including migration from self-built 1.2.0-rolling+202102162120).

Viacheslav changed the task status from Backport candidate to Needs testing.Feb 22 2021, 10:48 AM

Viacheslav changed the task status from Needs testing to Backport candidate.Feb 22 2021, 11:09 AM

@dmbaturin, don't forget to backport the other two PRs to 1.3:
https://github.com/vyos/vyatta-cfg-firewall/pull/20
https://github.com/vyos/vyos-1x/pull/730

pasik added a subscriber: pasik.Apr 21 2021, 7:33 AM

Looks good on 1.3-rolling-202104220921 (including migration from 1.2.7).

c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.May 24 2021, 7:40 PM

syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 6 2021, 11:43 AM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 12:16 PM

syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.

Disabling GRE conntrack module failsClosed, ResolvedPublicBUGActions

Description

Details

Event Timeline

Disabling GRE conntrack module fails
Closed, ResolvedPublicBUG
Actions