
Helper leftovers found in nftables (firewall) even with all helpers disabled
Closed, Resolved (Public, BUG)

Description

Looking at output of "nft -s list ruleset" after the firewall refactoring released in VyOS 1.4-rolling-202308140557 I noticed the following:

table ip raw {
	ct helper rpc_tcp {
		type "rpc" protocol tcp
		l3proto ip
	}

	ct helper rpc_udp {
		type "rpc" protocol udp
		l3proto ip
	}

	ct helper tns_tcp {
		type "tns" protocol tcp
		l3proto ip
	}
	...

Since I don't have any helpers enabled, I don't expect the above rules to exist.

The following is currently configured in the firewall section:

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'strict'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 1 action 'drop'
set firewall ipv4 forward filter rule 1 state invalid 'enable'
set firewall ipv4 forward filter rule 2 action 'accept'
set firewall ipv4 forward filter rule 2 state established 'enable'
set firewall ipv4 forward filter rule 3 action 'accept'
set firewall ipv4 forward filter rule 3 state related 'enable'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'drop'
set firewall ipv4 input filter rule 1 state invalid 'enable'
set firewall ipv4 input filter rule 2 action 'accept'
set firewall ipv4 input filter rule 2 state established 'enable'
set firewall ipv4 input filter rule 3 action 'accept'
set firewall ipv4 input filter rule 3 state related 'enable'
set firewall ipv4 output filter default-action 'accept'
set firewall ipv4 output filter rule 1 action 'drop'
set firewall ipv4 output filter rule 1 state invalid 'enable'
set firewall ipv4 output filter rule 2 action 'accept'
set firewall ipv4 output filter rule 2 state established 'enable'
set firewall ipv4 output filter rule 3 action 'accept'
set firewall ipv4 output filter rule 3 state related 'enable'
set firewall ipv6 forward filter default-action 'accept'
set firewall ipv6 forward filter rule 1 action 'drop'
set firewall ipv6 forward filter rule 1 state invalid 'enable'
set firewall ipv6 forward filter rule 2 action 'accept'
set firewall ipv6 forward filter rule 2 state established 'enable'
set firewall ipv6 forward filter rule 3 action 'accept'
set firewall ipv6 forward filter rule 3 state related 'enable'
set firewall ipv6 input filter default-action 'accept'
set firewall ipv6 input filter rule 1 action 'drop'
set firewall ipv6 input filter rule 1 state invalid 'enable'
set firewall ipv6 input filter rule 2 action 'accept'
set firewall ipv6 input filter rule 2 state established 'enable'
set firewall ipv6 input filter rule 3 action 'accept'
set firewall ipv6 input filter rule 3 state related 'enable'
set firewall ipv6 output filter default-action 'accept'
set firewall ipv6 output filter rule 1 action 'drop'
set firewall ipv6 output filter rule 1 state invalid 'enable'
set firewall ipv6 output filter rule 2 action 'accept'
set firewall ipv6 output filter rule 2 state established 'enable'
set firewall ipv6 output filter rule 3 action 'accept'
set firewall ipv6 output filter rule 3 state related 'enable'

Details

Version: VyOS 1.4-rolling-202308140557
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Apachez reopened this task as Open. Edited Aug 27 2023, 8:38 AM

Then how come these helpers are always enabled as pointed out at https://vyos.dev/T5080#149232 ?

I assume removing these (or at least make them as an IF-statement) would also remove the leftovers in the nft ruleset:

https://github.com/vyos/vyos-1x/blob/current/src/init/vyos-router#L335

nfct helper add rpc inet tcp
nfct helper add rpc inet udp
nfct helper add tns inet tcp

and

https://github.com/vyos/vyos-1x/blob/current/data/vyos-firewall-init.conf#L40

ct helper rpc_tcp {
    type "rpc" protocol tcp;
}

ct helper rpc_udp {
    type "rpc" protocol udp;
}

ct helper tns_tcp {
    type "tns" protocol tcp;
}

Edit: The cleanup should be that the "nfct helper add" should only be run if/when the rpc and tns helpers are enabled.

And the vyos-firewall-init.conf should have the rpc_tcp, rpc_udp and tns_tcp chains removed and the VYOS_CT_HELPER chain be by default configured as:

chain VYOS_CT_HELPER {
    return
}

They are only defined. Only when the VYOS_CT_HELPER chain is reached will they take effect - see links in my above comment. Being in the default config will have no effect on connection tracking if bypassed by the notrack rule.

If we were to toggle the helpers and kernel modules, the firewall/NAT/conntrack conf scripts would each need additional checks/dependencies to check if the modules are to be enabled/disabled.

So how are all the other helpers added to the ruleset if not dynamically?

Such as ftp, h323, nfs, pptp, sip, sqlnet, tftp?

Or am I missing something here?

The kernel modules handle tracking of those, rpc/tns are userspace helpers.

Apachez claimed this task.

Seems to be fixed in VyOS 1.5-rolling-202310090023:

Looking through output of nft -s list ruleset the only lines related to "helper" are (no helpers configured/enabled in VyOS config):

table ip vyos_conntrack {
...
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		counter jump VYOS_CT_HELPER
		counter jump VYOS_CT_IGNORE
		counter jump VYOS_CT_TIMEOUT
		counter jump FW_CONNTRACK
		counter jump NAT_CONNTRACK
		counter jump WLB_CONNTRACK
		notrack
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
		counter jump VYOS_CT_HELPER
		counter jump VYOS_CT_IGNORE
		counter jump VYOS_CT_TIMEOUT
		counter jump FW_CONNTRACK
		counter jump NAT_CONNTRACK
		notrack
	}

	chain VYOS_CT_HELPER {
		return
	}
...
}
table ip6 vyos_conntrack {
...
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		counter jump VYOS_CT_HELPER
		counter jump VYOS_CT_IGNORE
		counter jump VYOS_CT_TIMEOUT
		counter jump FW_CONNTRACK
		counter jump NAT_CONNTRACK
		notrack
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
		counter jump VYOS_CT_HELPER
		counter jump VYOS_CT_IGNORE
		counter jump VYOS_CT_TIMEOUT
		counter jump FW_CONNTRACK
		counter jump NAT_CONNTRACK
		notrack
	}

	chain VYOS_CT_HELPER {
		return
	}
...
}
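The report above (helper objects defined in `table ip raw` with no helpers configured) and the later fix (a `VYOS_CT_HELPER` chain that just returns) both come down to one question a practitioner wants answered on a box: does the live ruleset define any `ct helper` object that no `ct helper set` rule ever assigns to a flow? The script below answers that from `nft -s list ruleset` output. It is an added example for this thread, not VyOS code; the function names (`parse_ct_helpers`, `unused_helpers`, `report`) and the embedded sample ruleset are constructed for illustration, and the `vyos_conntrack` table in the sample is only there to show what a helper that is really in use looks like.

```python
#!/usr/bin/env python3
"""Audit 'nft -s list ruleset' output for conntrack helper objects that are
defined in a table but never assigned to a flow with 'ct helper set'.

Added example for this thread, not VyOS code. The sample ruleset and the
function names are constructed for illustration."""
import re
import sys

# 'table ip raw {'  ->  family 'ip', table name 'raw'
TABLE_RE = re.compile(r'^table\s+(\S+)\s+(\S+)\s*\{')
# Helper object definition line, nothing else on it: 'ct helper rpc_tcp {'
HELPER_DEF_RE = re.compile(r'^\s*ct helper\s+(\S+)\s*\{\s*$')
# Body line naming the kernel/userspace helper: 'type "rpc" protocol tcp'
HELPER_TYPE_RE = re.compile(r'^\s*type\s+"([^"]+)"\s+protocol\s+(\S+)')
# The rule form that actually attaches the object: ... ct helper set "rpc_tcp"
HELPER_SET_RE = re.compile(r'\bct helper set\s+"([^"]+)"')

# Constructed sample. 'raw' mirrors the leftover definitions from the report;
# 'vyos_conntrack' is a made-up table where a helper really is assigned.
SAMPLE_RULESET = """\
table ip raw {
    ct helper rpc_tcp {
        type "rpc" protocol tcp
        l3proto ip
    }

    ct helper tns_tcp {
        type "tns" protocol tcp
        l3proto ip
    }

    chain VYOS_CT_HELPER {
        return
    }
}
table ip vyos_conntrack {
    ct helper ftp_tcp {
        type "ftp" protocol tcp
        l3proto ip
    }

    chain VYOS_CT_HELPER {
        tcp dport 21 ct helper set "ftp_tcp"
    }
}
"""


def parse_ct_helpers(ruleset_text):
    """(family, table) -> {'defined': {name: (type, proto)}, 'referenced': set}.

    Helper objects are table-scoped, so a definition only counts as used
    when a 'ct helper set' rule in the same table names it."""
    tables = {}
    current = None
    pending = None  # helper whose 'type ... protocol ...' line is still expected
    for line in ruleset_text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            tables.setdefault(current, {"defined": {}, "referenced": set()})
            continue
        if line.startswith("}"):  # unindented brace closes the table
            current = None
            continue
        if current is None:
            continue
        m = HELPER_DEF_RE.match(line)
        if m:
            pending = m.group(1)
            tables[current]["defined"][pending] = None
            continue
        if pending is not None:
            m = HELPER_TYPE_RE.match(line)
            if m:
                tables[current]["defined"][pending] = (m.group(1), m.group(2))
                pending = None
                continue
        for name in HELPER_SET_RE.findall(line):
            tables[current]["referenced"].add(name)
    return tables


def unused_helpers(tables):
    """(family, table) -> sorted helper names defined there but never assigned."""
    result = {}
    for tbl, info in tables.items():
        leftover = sorted(set(info["defined"]) - info["referenced"])
        if leftover:
            result[tbl] = leftover
    return result


def report(tables):
    """One human-readable line per defined helper, flagged when unused."""
    lines = []
    for (family, name), info in sorted(tables.items()):
        for helper, kind in sorted(info["defined"].items()):
            htype, proto = kind or ("?", "?")
            status = "in use" if helper in info["referenced"] else "DEFINED BUT UNUSED"
            lines.append(f"{family} {name}: ct helper {helper} (type {htype}, {proto}): {status}")
    return lines


if __name__ == "__main__":
    # Real use:  nft -s list ruleset | python3 ct_helper_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULESET
    for line in report(parse_ct_helpers(text)):
        print(line)
```

On the fixed 1.5 output quoted above, a `VYOS_CT_HELPER` chain containing only `return` and no `ct helper` object blocks means the script reports nothing, which is the expected state with no helpers configured. Two caveats: the `nfct helper add ...` calls in vyos-router register userspace helpers with the kernel outside the nft ruleset, so they are invisible to this check and have to be audited separately, and the script only looks for the `ct helper set "name"` form, so a ruleset that assigns helpers some other way would need the regex extended.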