Command "delete system conntrack ignore rule <rule-number>" does not delete nft rules after commit.
Example:
Configuration
    set system conntrack ignore rule 10 destination address '10.0.15.1'
    set system conntrack ignore rule 10 destination port '51822'
    set system conntrack ignore rule 10 protocol 'udp'
Nft chain
    chain VYATTA_CT_IGNORE {
        meta l4proto udp ip daddr 10.0.15.1 udp dport 51822 counter packets 0 bytes 0 # CT notrack comment "ignore-10"
        meta l4proto udp ip daddr 10.0.15.1 udp dport 51822 counter packets 0 bytes 0 return comment "ignore-10"
        counter packets 457 bytes 34648 return
    }
Deleting the rule and committing:

    vyos@vyos# delete system conntrack ignore rule 10
    [edit]
    vyos@vyos# commit
    [ system conntrack ignore ]
    iptables: Bad rule (does a matching rule exist in that chain?).
    Conntrack ignore error: failed to run iptables -D VYATTA_CT_IGNORE -t raw -m comment --comment "ignore-10" -p udp --destination 10.0.15.1 --dport 51822 -j RETURN
    iptables: Bad rule (does a matching rule exist in that chain?).
    Conntrack ignore error: failed to run iptables -D VYATTA_CT_IGNORE -t raw -m comment --comment "ignore-10" -p udp --destination 10.0.15.1 --dport 51822 -j CT --notrack
    [edit]
After:
After removal, rule 10 is missing from the configuration, but its rules are still present in the nft chain:

    chain VYATTA_CT_IGNORE {
        meta l4proto udp ip daddr 10.0.15.1 udp dport 51822 counter packets 0 bytes 0 # CT notrack comment "ignore-10"
        meta l4proto udp ip daddr 10.0.15.1 udp dport 51822 counter packets 0 bytes 0 return comment "ignore-10"
        counter packets 657 bytes 50248 return
    }
In 1.4 it works correctly.
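A post-commit consistency check for the state shown above, added here as an example (not VyOS code): it parses the `nft` listing of VYATTA_CT_IGNORE for the `ignore-<n>` comments, compares them with the rule numbers present in `set system conntrack ignore rule ...` configuration commands, and reports rules that were deleted from the configuration but survived in nft, as well as configured rules that are missing one of their two nft rules. The sample listing and configuration are copied from this report; the `nft list chain ip raw VYATTA_CT_IGNORE` invocation mentioned in the comments is an assumption about where the live chain lives.

```python
import re

# Constructed sample: the configuration commands from this report, before rule 10 was deleted.
CONFIG_BEFORE_DELETE = """\
set system conntrack ignore rule 10 destination address '10.0.15.1'
set system conntrack ignore rule 10 destination port '51822'
set system conntrack ignore rule 10 protocol 'udp'
"""

# Constructed sample: the nft chain from this report, as listed after
# "delete system conntrack ignore rule 10" was committed.
NFT_CHAIN_AFTER_DELETE = """\
chain VYATTA_CT_IGNORE {
    meta l4proto udp ip daddr 10.0.15.1 udp dport 51822 counter packets 0 bytes 0 # CT notrack comment "ignore-10"
    meta l4proto udp ip daddr 10.0.15.1 udp dport 51822 counter packets 0 bytes 0 return comment "ignore-10"
    counter packets 657 bytes 50248 return
}
"""

CONFIG_RULE_RE = re.compile(r"^set system conntrack ignore rule (\d+)\b")
NFT_COMMENT_RE = re.compile(r'comment "ignore-(\d+)"')


def configured_ignore_rule_ids(config_commands):
    """Rule numbers that appear in 'set system conntrack ignore rule <n> ...' lines."""
    ids = set()
    for line in config_commands.splitlines():
        m = CONFIG_RULE_RE.match(line.strip())
        if m:
            ids.add(int(m.group(1)))
    return sorted(ids)


def nft_ignore_rule_ids(nft_listing):
    """Map rule number -> count of nft rules tagged with comment "ignore-<n>".

    Each configured ignore rule is installed as two nft rules (the CT notrack
    rule and the RETURN rule), both carrying the same comment.
    """
    counts = {}
    for line in nft_listing.splitlines():
        m = NFT_COMMENT_RE.search(line)
        if m:
            n = int(m.group(1))
            counts[n] = counts.get(n, 0) + 1
    return counts


def stale_ignore_rules(configured_rule_numbers, nft_listing):
    """Rule numbers still present in the nft chain but absent from the configuration."""
    configured = set(configured_rule_numbers)
    present = nft_ignore_rule_ids(nft_listing)
    return sorted(n for n in present if n not in configured)


def missing_ignore_rules(configured_rule_numbers, nft_listing):
    """Configured rule numbers with fewer than the expected two nft rules."""
    present = nft_ignore_rule_ids(nft_listing)
    return sorted(n for n in set(configured_rule_numbers) if present.get(n, 0) < 2)


if __name__ == "__main__":
    # On a live system (assumption) the inputs would come from
    #   show configuration commands | match "conntrack ignore rule"
    #   sudo nft list chain ip raw VYATTA_CT_IGNORE
    # Here rule 10 has already been deleted from the configuration.
    configured = []
    for n in stale_ignore_rules(configured, NFT_CHAIN_AFTER_DELETE):
        print(f"stale: conntrack ignore rule {n} removed from config but still in nft")
    for n in missing_ignore_rules(configured, NFT_CHAIN_AFTER_DELETE):
        print(f"incomplete: conntrack ignore rule {n} configured but not fully in nft")
```

Run against the report's "after" state with an empty configured list, the check reports rule 10 as stale; run with the pre-deletion configuration it reports nothing, which is the condition a commit should leave behind.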