To reproduce, add a custom conntrack rule and delete it:
```
set system conntrack timeout custom rule 10 destination address '203.0.113.74'
set system conntrack timeout custom rule 10 destination port '80'
set system conntrack timeout custom rule 10 protocol tcp established '300'
set system conntrack timeout custom rule 10 source address '192.0.2.168'
```
Delete:
```
vyos@r4# delete system conntrack timeout
[edit]
vyos@r4# commit
[ system conntrack timeout custom ]
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10" -p tcp --source 192.0.2.168 --destination 203.0.113.74 --dport 80 -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10" -p tcp --source 192.0.2.168 --destination 203.0.113.74 --dport 80 -j CT --timeout policy_timeout_10
nfct v1.4.6: netlink error: Device or resource busy
Conntrack timeout error: failed to run sudo /usr/sbin/nfct timeout delete policy_timeout_10
[edit]
vyos@r4#
```
Some details are in T3579.
It seems the commands used for adding and deleting the rules are not built the same way (the match options are assembled in a different order), so the pattern that was correct for 1.2 is incorrect for 1.3. The rules as actually installed are:
```
vyos@r4# sudo iptables -S -t raw | grep -i timeout
-N VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j CT --timeout poli
-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN
```
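The failure above is a consequence of how `iptables -D <rule-spec>` works: it only removes a rule whose match modules appear in exactly the same order as the rule that was added, and the delete path here puts `-m comment` before `-p tcp` while the installed rule has it after. The following is an added example, not VyOS code, showing the defensive pattern: derive both the `-A` and the `-D` argv from a single rule spec, and check the `iptables -S` listing for an exact token match before attempting a delete, so a mis-ordered spec is reported rather than handed to iptables. The listing is constructed from the output in this report (with the truncated policy name written out in full); the function and variable names are this example's own.

```python
# Added example (not VyOS code): one rule spec drives both add and delete, and
# deletes are checked against an `iptables -S -t raw` listing first.
import shlex

TABLE = "raw"
CHAIN = "VYATTA_CT_TIMEOUT"  # chain name as seen in the report


def match_spec(rule_id, proto, src, dst, dport):
    """Match options in the order `iptables -S` prints them, which is also the
    order the commit used when adding. iptables -D only matches a rule whose
    match modules appear in the same order, so this list is the single source
    of truth for both the add and the delete command."""
    return [
        "-s", f"{src}/32",
        "-d", f"{dst}/32",
        "-p", proto,
        "-m", proto, "--dport", str(dport),
        "-m", "comment", "--comment", f"timeout-{rule_id}",
    ]


def timeout_rules(rule_id, proto, src, dst, dport):
    """The two rules a custom timeout installs: CT with its policy, then RETURN."""
    policy = f"policy_timeout_{rule_id}"
    base = match_spec(rule_id, proto, src, dst, dport)
    return [base + ["-j", "CT", "--timeout", policy],
            base + ["-j", "RETURN"]]


def iptables_cmd(action, rule):
    """Full argv for -A or -D; only the action token differs between the two."""
    return ["iptables", "-t", TABLE, action, CHAIN] + rule


def rule_listed(listing, rule):
    """True if the `iptables -S` listing contains exactly this rule. Comparison is
    token-wise, so quoting differences around --comment do not matter."""
    wanted = ["-A", CHAIN] + rule
    return any(shlex.split(line) == wanted
               for line in listing.splitlines() if line.strip())


def delete_plan(listing, rules):
    """Return (-D commands for rules present in the listing, rules not found).
    A rule that is not found would fail with 'Bad rule', so it is reported
    instead of executed."""
    present, missing = [], []
    for rule in rules:
        (present if rule_listed(listing, rule) else missing).append(rule)
    return [iptables_cmd("-D", r) for r in present], missing


# Constructed listing mirroring the report's `iptables -S -t raw | grep -i timeout`
# output; the policy name is written out in full here.
LISTING = """\
-N VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j CT --timeout policy_timeout_10
-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN
"""

RULES = timeout_rules(10, "tcp", "192.0.2.168", "203.0.113.74", 80)

# The rule spec the failing delete in the report used: comment before proto,
# long option names. Same semantics, different match order, so -D cannot find it.
OLD_STYLE_DELETE = ["-m", "comment", "--comment", "timeout-10", "-p", "tcp",
                    "--source", "192.0.2.168", "--destination", "203.0.113.74",
                    "--dport", "80", "-j", "RETURN"]

if __name__ == "__main__":
    cmds, missing = delete_plan(LISTING, RULES)
    for c in cmds:
        print(shlex.join(c))
    print("not found in listing:", delete_plan(LISTING, [OLD_STYLE_DELETE])[1])
```

Run stand-alone it prints the two `-D` commands that would succeed and reports the report's old-style spec as not present in the listing, which is the condition that produced "Bad rule" during the commit.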
For the same reason, the op-mode output differs as well; see T2194.