Page MenuHomeVyOS Platform
Create Task
Maniphest T4188

Firewall does not correctly handle conntracking
Closed, ResolvedPublicBUG
Actions

Description

I have upgraded to latest rolling release of VyOS 1.4, which broke my IPv6 setup. I have done some troubleshooting, and it appears firewall rules don't match some packets.

Firewall config:

# show firewall ipv6-name VPSToLocal6
 default-action drop
 rule 5 {
     action accept
     description "Allow ICMPv6"
     protocol ipv6-icmp
     state {
         new enable
     }
 }
 rule 10 {
     action accept
     description "Allow est/rel traffic"
     state {
         established enable
         related enable
     }
 }

Op mode:

$ show firewall ipv6-name VPSToLocal6
Ruleset Information

---------------------------------
IPv6 Firewall "VPSToLocal6"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ---------------------------------------
5        accept    ipv6-icmp           0        0  ct state { new } meta l4proto ipv6-icmp
10       accept    all                 0        0  ct state { established, related }
default  drop      all              1504   156208

As far as I understand, if I ping via IPv6 address, firewall should match the ICMPv6 packet with rule 5 and allow it through. This does not happen, and all ICMPv6 packets are matched by the default rule (drop).

Details

Version
1.4-rolling-202201150317
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

FileGo created this task.Jan 17 2022, 6:43 AM
pasik subscribed.Jan 17 2022, 7:48 AM
sarthurdev closed this task as Invalid.EditedJan 17 2022, 7:54 PM
sarthurdev subscribed.

You need to remove the state new match on the rule and it'll work.

I'm not entirely sure of the handling of states and ICMP in nftables, in iptables ICMP would always have the RELATED state iirc.

Edit: It appears that nftables does not conntrack ICMP(v6) traffic, it matches when using ct state untracked, but that value is not supported in VyOS atm.

FileGo reopened this task as Open.Jan 18 2022, 4:04 PM

Thanks, this does fix the ICMP issue, however rule 10 which is supposed to accept packets with related/established states (say a HTTP response following a request), doesn't seem to match any packets, and the packets get dropped by the default rule.

It seems to me as if the firewall is unable to match any states (new/related/established) for IPv6 traffic.

This config was working normally with the rolling release from the 30th December 2021 and has been broken for at least since the 13th January rolling release.

sarthurdev changed the task status from Open to In progress.Jan 18 2022, 5:29 PM
sarthurdev claimed this task.

Okay, thanks for the update. I have found a conntrack issue in the code. Will have a fix in shortly.

sarthurdev renamed this task from Firewall does not match ICMPv6 packets to Firewall does not correctly handle conntracking.Jan 18 2022, 5:30 PM
sarthurdev changed the task status from In progress to Needs testing.Jan 18 2022, 6:02 PM

PR: https://github.com/vyos/vyos-1x/pull/1178

Restricted Repository Identity mentioned this in rVYOSONEXc77369761f9c: Merge pull request #1178 from sarthurdev/firewall_T4188.Jan 18 2022, 6:59 PM
sarthurdev mentioned this in rVYOSONEXa7e14cba820f: firewall: T4188: Create default conntrack `FW_CONNTRACK` chain.Jan 18 2022, 6:59 PM
FileGo added a comment.Jan 19 2022, 7:52 AM

Seems to be working fine as far as I can see.

Thanks for the quick fix.

sarthurdev closed this task as Resolved.Jan 27 2022, 12:41 PM