
Custom conntrack rules cannot be deleted
Closed, Resolved | Public | BUG

Description

To reproduce, add a custom conntrack rule and delete it:

set system conntrack timeout custom rule 10 destination address '203.0.113.74'
set system conntrack timeout custom rule 10 destination port '80'
set system conntrack timeout custom rule 10 protocol tcp established '300'
set system conntrack timeout custom rule 10 source address '192.0.2.168'

Delete:

vyos@r4# delete system conntrack timeout 
[edit]
vyos@r4# commit
[ system conntrack timeout custom ]
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source 192.0.2.168   --destination 203.0.113.74   --dport 80  -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source 192.0.2.168   --destination 203.0.113.74   --dport 80  -j CT --timeout policy_timeout_10
nfct v1.4.6: netlink error: Device or resource busy
Conntrack timeout error: failed to run sudo /usr/sbin/nfct timeout delete policy_timeout_10 

[edit]
vyos@r4#

Some details in T3579

It seems the commands for adding and deleting rules are not the same (some blocks are mixed up), so the pattern that was correct for 1.2 is incorrect for 1.3:

vyos@r4# sudo iptables -S -t raw| grep -i timeout
-N VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j CT --timeout poli
-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN

For the same reason, we see different op mode outputs in T2194.
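As an added illustration (not part of this report or of VyOS's own code), the Python below models the comparison the kernel makes on `iptables -D`: the stored rule and the delete spec must agree on the header fields, the order of match extensions, and the target. The sample strings are constructed from the output quoted above; the `-j CT --timeout policy_timeout_10` line is assembled from the delete command, since the `-S` output above is truncated.

```python
import shlex

ALIASES = {"--source": "-s", "--destination": "-d", "--protocol": "-p", "--jump": "-j", "--match": "-m"}

def canonical(spec):
    """Reduce a rule spec to what the kernel compares on `iptables -D`: header fields
    (-s/-d/-p, hosts as /32), the ORDERED match extensions with options, and the target."""
    toks = [ALIASES.get(t, t) for t in shlex.split(spec)]
    header, matches, target = {}, [], None
    for t, v in zip(toks[::2], toks[1::2]):   # every option used here takes one value
        if t in ("-s", "-d"):
            header[t] = v if "/" in v else v + "/32"
        elif t == "-p":
            header[t] = v
        elif t == "-m":
            matches.append((v, {}))
        elif t == "-j":
            target = (v, {})
        elif t.startswith("--"):
            # --dport/--sport with no "-m tcp" before them make iptables load the
            # protocol match implicitly, at this position in the match sequence
            if t in ("--dport", "--sport") and (not matches or matches[-1][0] != header["-p"]):
                matches.append((header["-p"], {}))
            (target[1] if target else matches[-1][1])[t] = v
        elif t not in ("-A", "-D", "-t"):     # chain/table selectors are not part of the rule
            raise ValueError("unsupported option " + t)
    return header, matches, target

def deletion_matches(stored, delete_spec):
    """Would `iptables -D <delete_spec>` find `stored`? Returns (ok, reason)."""
    (sh, sm, st), (dh, dm, dt) = canonical(stored), canonical(delete_spec)
    if sh != dh or st != dt:
        return False, "header or target differs"
    if [m for m, _ in sm] != [m for m, _ in dm]:
        return False, "match order differs: %s vs %s" % ([m for m, _ in sm], [m for m, _ in dm])
    return (sm == dm), ("exact match" if sm == dm else "match options differ")

def policies_in_use(ruleset):
    """Timeout policies still referenced by `-j CT --timeout`; nfct delete on these gives EBUSY."""
    return {canonical(l)[2][1]["--timeout"] for l in ruleset.splitlines() if " -j CT " in l}

# Constructed sample modelled on the report: the rule as `-S` prints it, the delete
# spec the commit ran (matches in a different order), and one in the stored order.
STORED = ("-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp "
          "-m tcp --dport 80 -m comment --comment timeout-10 -j RETURN")
DELETE = ('-D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10" -p tcp '
          "--source 192.0.2.168 --destination 203.0.113.74 --dport 80 -j RETURN")
DELETE_FIXED = ("-D VYATTA_CT_TIMEOUT -t raw -s 192.0.2.168 -d 203.0.113.74 -p tcp "
                "-m tcp --dport 80 -m comment --comment timeout-10 -j RETURN")
RULESET = STORED.replace("-j RETURN", "-j CT --timeout policy_timeout_10") + "\n" + STORED
```

`deletion_matches(STORED, DELETE)` reports the match-order mismatch behind "Bad rule", while `policies_in_use(RULESET)` shows the policy is still referenced, which is why the `nfct timeout delete` that follows reports "Device or resource busy".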

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.3.0
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)