Rewrite vyatta-conntrack in new XML and Python flavour
Closed, ResolvedPublicFEATURE REQUEST
Actions

Assigned To

Authored By

	c-po
	May 25 2021, 6:50 PM

Description

Rewrite vyatta-conntrack in new XML and Python flavour

Details

Version: -
Is it a breaking change?: Perfectly compatible
Issue type: Unspecified (please specify)

Related Objects
Search...

Status	Subtype	Assigned	Task
In progress	FEATURE REQUEST	None	T3355 Remove all remaining legacy Vyatta code
Resolved	FEATURE REQUEST	c-po	T3535 Rewrite vyatta-conntrack-sync in new XML and Python flavor
Resolved	FEATURE REQUEST	c-po	T3579 Rewrite vyatta-conntrack in new XML and Python flavour

Event Timeline

c-po created this task.May 25 2021, 6:50 PM

c-po changed the task status from Open to In progress.

c-po claimed this task.

c-po triaged this task as Normal priority.

c-po edited a custom field.

c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

c-po mentioned this in rVYOSONEX5eadedcc1e5c: conntrack: T3579: initial implementation with XML and Python.May 27 2021, 6:32 AM

c-po mentioned this in rVYOSONEXed55e23822c8: Merge branch 't3579-conntrack' into current.

c-po mentioned this in rVYOSONEXec958eb3a973: conntrack: T3579: add module disable options.May 31 2021, 9:03 PM

Will the custom timeout feature also be implemented in the python code? This is an option in the perl flavour (but doesn't actually work in 1.3 RC4).

vyos@r1.tvi.lan# set system conntrack timeout
Possible completions:
 > custom       Define custom timeouts per connection
   icmp         ICMP timeout in seconds
   other        Generic connection timeout in seconds
 > tcp          TCP connection timeout options
 > udp          UDP timeout


[edit]

Yes, also this part will be migrated in the next couple of weeks as we plan to get rid of all legacy code in the 1.4 release cycle.

Can you please show us what does not work in VyOS 1.3? And probably how it should work in your opinion?

I tried to create a custom timeout rule for tcp port 80. First I assumed that everything was fine since the first commit succeeded without error messages. But when I wanted to alter the rule, it failed. Below you see an example where I first create a rule, and then try to delete it. Afterwards any commits regarding custom timeouts fails.

vyos@vyos-router:~$ conf
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 destination address 'a.b.3.74'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 destination port '80'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 protocol tcp established '300'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 source address 'c.d.236.168'
[edit]
vyos@vyos-router#
[edit]
vyos@vyos-router# commit
[edit]
vyos@vyos-router# del system conntrack timeout custom rule 10
[edit]
vyos@vyos-router# commit
[ system conntrack timeout custom ]
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source c.d.236.168   --destination a.b.3.74   --dport 80  -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source c.d.236.168   --destination a.b.3.74   --dport 80  -j CT --timeout policy_timeout_10
nfct v1.4.6: netlink error: Device or resource busy
Conntrack timeout error: failed to run sudo /usr/sbin/nfct timeout delete policy_timeout_10

[edit]
vyos@vyos-router# discard

  No changes have been discarded

[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 destination address 'a.b.3.74'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 destination port '80'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 protocol tcp established '300'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 source address 'c.d.236.168'
[edit]
vyos@vyos-router#
[edit]
vyos@vyos-router# commit
[ system conntrack timeout custom ]
nfct v1.4.6: netlink error: Device or resource busy
Conntrack timeout error: failed to run sudo /usr/sbin/nfct timeout add policy_timeout_10  inet tcp established 300

[[system conntrack]] failed
Commit failed
[edit]
vyos@vyos-router# discard

  Changes have been discarded

[edit]
vyos@vyos-router# exit
exit

vyos@vyos-router:~$ sh version

Version:          VyOS 1.3.0-rc4
Release Train:    equuleus

I believe I have found out why modification/deletion of rules fails. This is the rule definition in iptables:

sudo iptables -S -t raw| grep -i timeout
...
-A VYATTA_CT_TIMEOUT -s a.b.236.168/32 -d c.d.3.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j CT --timeout poli
-A VYATTA_CT_TIMEOUT -s a.b.236.168/32 -d c.d.3.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j RETURN
...

And this is the commands the perl script uses to delete the rules:

-D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source a.b.236.168   --destination c.d.3.74   --dport 80  -j RETURN
-D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source a.b.236.168   --destination c.d.3.74   --dport 80  -j CT --timeout policy_timeout_10

They don't match, which results in that the rules aren't deleted from the running iptables config, and thus we are unable to delete the policy with nfct timeout delete policy_timeout_10. I'm able to manually delete the rules using

sudo iptables -D VYATTA_CT_TIMEOUT -t raw -s a.b.236.168/32 -d c.d.3.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j CT --timeout poli
sudo iptables -D VYATTA_CT_TIMEOUT -t raw -s a.b.236.168/32 -d c.d.3.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j RETURN
sudo nfct timeout delete policy_timeout_10

pasik subscribed.Jun 7 2021, 9:40 AM

In the crux.

set system conntrack timeout custom rule 10 destination address '203.0.113.74'
set system conntrack timeout custom rule 10 destination port '80'
set system conntrack timeout custom rule 10 protocol tcp established '300'
set system conntrack timeout custom rule 10 source address '192.0.2.168'

commit

vyos@r2-lts# commit
[ system conntrack hash-size 32768 ]
Updated conntrack hash size. This change will take affect when the system is rebooted.

[ system conntrack timeout custom ]
iptables: No chain/target/match by that name.
nfct v1.4.2: error: Device or resource busy
iptables: No chain/target/match by that name.
Conntrack timeout error: failed to run iptables -I VYATTA_CT_TIMEOUT 2 -t raw -m comment --comment "timeout-10"  -p tcp  --source 192.0.2.168   --destination 203.0.113.74   --dport 80  -j RETURN

[[system conntrack]] failed
Commit failed
[edit]

c-po moved this task from Open to In Progress on the VyOS 1.4 Sagitta board.Jun 13 2021, 3:22 PM

c-po mentioned this in rVYOSONEX2c17993105b6: conntrack: T3579: remove debug print().Aug 16 2021, 4:10 PM

c-po mentioned this in rVYOSONEX18ac0c694a30: conntrack: T3579: bugfix when deleting non existent iptable rules.Aug 16 2021, 4:28 PM

c-po mentioned this in rVYOSONEX05b5d09ca70c: conntrack: T3579: migrate "conntrack ignore" tree to vyos-1x and nftables.Jan 10 2022, 8:32 PM

@Viacheslav / @vindenesen that is a bug I have also seen in the old iptables based implementation. Can you please file a bug report towards VyOS 1.2 and 1.3?

c-po mentioned this in rVYOSONEX062762154ae1: conntrack: T3579: use "notrack" over "return" in nft statements.Jan 10 2022, 8:42 PM

c-po mentioned this in rVYOSONEXfd1b1ff19b0f: conntrack: T3579: make the timeout tree re-usable as XML include.Jan 10 2022, 9:27 PM

Viacheslav mentioned this in T4165: Custom conntrack rules cannot be deleted.Jan 10 2022, 10:00 PM

c-po mentioned this in rVYOSONEX9bc2f5db25c7: conntrack: T3579: prepare for "conntrack timeout custom rule" CLI commands.Jan 10 2022, 10:06 PM

c-po mentioned this in rVYOSONEX76d912d63ca4: conntrack: T3579: dry-run newly generated config before install.Jan 10 2022, 10:18 PM

sarthurdev mentioned this in T4145: Conntrack table not showing after firewall rewriting.Feb 15 2022, 7:10 PM

c-po closed this task as Resolved.Dec 25 2022, 6:44 PM

c-po set Issue type to Unspecified (please specify).

Rewrite vyatta-conntrack in new XML and Python flavourClosed, ResolvedPublicFEATURE REQUESTActions

Description

Details

Related ObjectsSearch...

Event Timeline

Rewrite vyatta-conntrack in new XML and Python flavour
Closed, ResolvedPublicFEATURE REQUEST
Actions

Related Objects
Search...