This bug report comes from my forum post about an issue with packets being modified while changing interfaces.
This is a clean install of VyOS 1.4 build commit id 8e8e8e4bc5c5c4 with no prior configuration.
Even when disabled, conntrack seems to still be active:
vyos@test# show system conntrack
Configuration under specified path is empty
[edit]

vyos@test:~$ sudo conntrack -C
48
When investigating, I noticed that there are firewall rules even though no firewall is configured:
vyos@test# show firewall
Configuration under specified path is empty
[edit]
vyos@test# sudo nft list ruleset
table ip nat {
    chain VYOS_PRE_SNAT_HOOK {
        type nat hook postrouting priority srcnat - 1; policy accept;
        return
    }
}
table inet mangle {
    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
    }
}
table ip raw {
    chain VYOS_TCP_MSS {
        type filter hook forward priority raw; policy accept;
    }
    chain vyos_global_rpfilter {
        return
    }
    chain vyos_rpfilter {
        type filter hook prerouting priority raw; policy accept;
        counter packets 53756 bytes 62460828 jump vyos_global_rpfilter
    }
    chain VYOS_PREROUTING_HOOK {
        type filter hook prerouting priority raw; policy accept;
    }
}
table ip6 raw {
    chain VYOS_TCP_MSS {
        type filter hook forward priority raw; policy accept;
    }
    chain vyos_global_rpfilter {
        return
    }
    chain vyos_rpfilter {
        type filter hook prerouting priority raw; policy accept;
        counter packets 55 bytes 5144 jump vyos_global_rpfilter
    }
    chain VYOS_PREROUTING_HOOK {
        type filter hook prerouting priority raw; policy accept;
    }
}
table inet vrf_zones {
    map ct_iface_map {
        typeof iifname : ct zone
        elements = { "LAN" : 1000, "WAN" : 2000, "veth0" : 2000, "veth1" : 1000, "bond0.50" : 2000, "bond0.100" : 1000 }
    }
    chain vrf_zones_ct_in {
        type filter hook prerouting priority raw; policy accept;
        counter packets 53811 bytes 62465972 ct original zone set iifname map @ct_iface_map
    }
    chain vrf_zones_ct_out {
        type filter hook output priority raw; policy accept;
        counter packets 15713 bytes 862940 ct original zone set oifname map @ct_iface_map
    }
}
table ip vyos_conntrack {
    chain VYOS_CT_IGNORE {
        return
    }
    chain VYOS_CT_TIMEOUT {
        return
    }
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        counter packets 53756 bytes 62460828 jump VYOS_CT_IGNORE
        counter packets 53756 bytes 62460828 jump VYOS_CT_TIMEOUT
        counter packets 53756 bytes 62460828 jump FW_CONNTRACK
        counter packets 53756 bytes 62460828 jump NAT_CONNTRACK
        counter packets 53756 bytes 62460828 jump WLB_CONNTRACK
        notrack
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        counter packets 15666 bytes 858492 jump VYOS_CT_IGNORE
        counter packets 15666 bytes 858492 jump VYOS_CT_TIMEOUT
        counter packets 15666 bytes 858492 jump FW_CONNTRACK
        counter packets 15666 bytes 858492 jump NAT_CONNTRACK
        notrack
    }
    chain VYOS_CT_HELPER {
        return
    }
    chain FW_CONNTRACK {
        return
    }
    chain NAT_CONNTRACK {
        return
    }
    chain WLB_CONNTRACK {
        return
    }
}
table ip6 vyos_conntrack {
    chain VYOS_CT_IGNORE {
        return
    }
    chain VYOS_CT_TIMEOUT {
        return
    }
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        counter packets 55 bytes 5144 jump VYOS_CT_IGNORE
        counter packets 55 bytes 5144 jump VYOS_CT_TIMEOUT
        counter packets 55 bytes 5144 jump FW_CONNTRACK
        counter packets 55 bytes 5144 jump NAT_CONNTRACK
        notrack
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        counter packets 47 bytes 4448 jump VYOS_CT_IGNORE
        counter packets 47 bytes 4448 jump VYOS_CT_TIMEOUT
        counter packets 47 bytes 4448 jump FW_CONNTRACK
        counter packets 47 bytes 4448 jump NAT_CONNTRACK
        notrack
    }
    chain VYOS_CT_HELPER {
        return
    }
    chain FW_CONNTRACK {
        return
    }
    chain NAT_CONNTRACK {
        return
    }
}
"sudo nft flush ruleset" makes my specific issue go away, but it's not a viable solution as I need the firewall.
Three questions arise:
- Should packets being forwarded from a virtual-ethernet interface to a vlan on a physical interface be modified by conntrack?
- Should VyOS create these default nftables rules even though "firewall" is not defined in the config?
- Should "del system conntrack" completely disable conntrack?
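An added audit script, not part of the original report and not VyOS code: it parses `nft list ruleset` text and lists every base chain (a chain attached to a netfilter hook) together with whether that chain contains a `notrack` rule, which is the quickest way to see which hooks are still wired up on a box with no firewall configured. The embedded sample is a constructed subset of the ruleset quoted above.

```python
import re

# Constructed subset of the `nft list ruleset` output quoted in the report.
SAMPLE = """table ip raw {
    chain vyos_rpfilter {
        type filter hook prerouting priority raw; policy accept;
        counter packets 53756 bytes 62460828 jump vyos_global_rpfilter
    }
    chain vyos_global_rpfilter {
        return
    }
}
table ip vyos_conntrack {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        counter packets 53756 bytes 62460828 jump VYOS_CT_IGNORE
        notrack
    }
}
"""

TABLE_RE = re.compile(r"^table (\S+) (\S+) \{")
CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
HOOK_RE = re.compile(r"type (\S+) hook (\S+) priority ([^;]+);")


def base_chains(ruleset):
    """Return (family, table, chain, type, hook, priority, has_notrack) for every
    chain that declares a hook; jump-only chains (no hook) are skipped."""
    rows, family, table, chain, hook, notrack = [], None, None, None, None, False
    for line in ruleset.splitlines():
        text = line.strip()
        if m := TABLE_RE.match(line):
            family, table = m.groups()
        elif m := CHAIN_RE.match(line):
            chain, hook, notrack = m.group(1), None, False
        elif m := HOOK_RE.search(line):
            hook = m.groups()          # (type, hook, priority)
        elif text.endswith("notrack"):
            notrack = True
        elif text == "}" and chain is not None:   # closing brace of the chain
            if hook:
                rows.append((family, table, chain, *hook, notrack))
            chain = None
    return rows


if __name__ == "__main__":
    for row in base_chains(SAMPLE):
        print("%s %s %s: type %s hook %s prio %s notrack=%s" % row)
```

Feed it the full `sudo nft list ruleset` output to audit a real box.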