Page MenuHomeVyOS Platform
Create Task
Maniphest T5488

System conntrack ignore does not take any effect
Closed, ResolvedPublicBUG
Actions

Description

System conntrack ignore does not take any effect.

vyos@r14# run show conf com | match conntrack
set system conntrack ignore rule 10 destination address '0.0.0.0/0'
[edit]
vyos@r14# sudo conntrack -C
3
[edit]
vyos@r14# curl vyos.io
[edit]
vyos@r14# 
[edit]
vyos@r14# sudo conntrack -C
5
[edit]
vyos@r14#

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202308140557
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav created this task.Aug 17 2023, 4:52 PM
Viacheslav added a comment.EditedAug 17 2023, 5:19 PM

Priority must be less than -200 https://github.com/vyos/vyos-1x/blob/08cb4f350b335d5af401f30850d410b4be38530d/data/vyos-firewall-init.conf#L23-L32
https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation#notrack_-_Bypass_connection_tracking

	chain PREROUTING {
		type filter hook prerouting priority -200; policy accept;
		counter packets 6405 bytes 444828 jump VYOS_CT_IGNORE
		counter packets 6405 bytes 444828 jump VYOS_CT_TIMEOUT
		counter packets 6405 bytes 444828 jump VYOS_CT_PREROUTING_HOOK
		counter packets 6405 bytes 444828 jump FW_CONNTRACK
		notrack
	}

	chain OUTPUT {
		type filter hook output priority -200; policy accept;
		counter packets 4990 bytes 537336 jump VYOS_CT_IGNORE
		counter packets 4990 bytes 537336 jump VYOS_CT_TIMEOUT
		counter packets 4990 bytes 537336 jump VYOS_CT_OUTPUT_HOOK
		counter packets 4990 bytes 537336 jump FW_CONNTRACK
		notrack
	}
Viacheslav changed the task status from Open to In progress.Aug 17 2023, 5:26 PM
Viacheslav claimed this task.
Viacheslav added a comment.Aug 17 2023, 5:44 PM

PR https://github.com/vyos/vyos-1x/pull/2155

pasik added a subscriber: pasik.Aug 17 2023, 7:35 PM
Viacheslav closed this task as Resolved.Aug 18 2023, 8:00 AM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.