
Conntrack/NAT not being disabled when VRFs are defined
Closed, Resolved | Public | BUG

Description

This bug report comes from my forum post about an issue with packets being modified while changing interfaces.

This is a clean install of VyOS 1.4 build commit id 8e8e8e4bc5c5c4 with no prior configuration.

Even when disabled, conntrack seems to still be active:

vyos@test# show system conntrack
Configuration under specified path is empty
[edit]
vyos@test:~$ sudo conntrack -C
48

When investigating, I noticed that there are firewall rules even though no firewall is configured:

vyos@test# show firewall
Configuration under specified path is empty
[edit]
vyos@test# sudo nft list ruleset
table ip nat {
	chain VYOS_PRE_SNAT_HOOK {
		type nat hook postrouting priority srcnat - 1; policy accept;
		return
	}
}
table inet mangle {
	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}
}
table ip raw {
	chain VYOS_TCP_MSS {
		type filter hook forward priority raw; policy accept;
	}

	chain vyos_global_rpfilter {
		return
	}

	chain vyos_rpfilter {
		type filter hook prerouting priority raw; policy accept;
		counter packets 53756 bytes 62460828 jump vyos_global_rpfilter
	}

	chain VYOS_PREROUTING_HOOK {
		type filter hook prerouting priority raw; policy accept;
	}
}
table ip6 raw {
	chain VYOS_TCP_MSS {
		type filter hook forward priority raw; policy accept;
	}

	chain vyos_global_rpfilter {
		return
	}

	chain vyos_rpfilter {
		type filter hook prerouting priority raw; policy accept;
		counter packets 55 bytes 5144 jump vyos_global_rpfilter
	}

	chain VYOS_PREROUTING_HOOK {
		type filter hook prerouting priority raw; policy accept;
	}
}
table inet vrf_zones {
	map ct_iface_map {
		typeof iifname : ct zone
		elements = { "LAN" : 1000,
			     "WAN" : 2000,
			     "veth0" : 2000,
			     "veth1" : 1000,
			     "bond0.50" : 2000,
			     "bond0.100" : 1000 }
	}

	chain vrf_zones_ct_in {
		type filter hook prerouting priority raw; policy accept;
		counter packets 53811 bytes 62465972 ct original zone set iifname map @ct_iface_map
	}

	chain vrf_zones_ct_out {
		type filter hook output priority raw; policy accept;
		counter packets 15713 bytes 862940 ct original zone set oifname map @ct_iface_map
	}
}
table ip vyos_conntrack {
	chain VYOS_CT_IGNORE {
		return
	}

	chain VYOS_CT_TIMEOUT {
		return
	}

	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		counter packets 53756 bytes 62460828 jump VYOS_CT_IGNORE
		counter packets 53756 bytes 62460828 jump VYOS_CT_TIMEOUT
		counter packets 53756 bytes 62460828 jump FW_CONNTRACK
		counter packets 53756 bytes 62460828 jump NAT_CONNTRACK
		counter packets 53756 bytes 62460828 jump WLB_CONNTRACK
		notrack
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
		counter packets 15666 bytes 858492 jump VYOS_CT_IGNORE
		counter packets 15666 bytes 858492 jump VYOS_CT_TIMEOUT
		counter packets 15666 bytes 858492 jump FW_CONNTRACK
		counter packets 15666 bytes 858492 jump NAT_CONNTRACK
		notrack
	}

	chain VYOS_CT_HELPER {
		return
	}

	chain FW_CONNTRACK {
		return
	}

	chain NAT_CONNTRACK {
		return
	}

	chain WLB_CONNTRACK {
		return
	}
}
table ip6 vyos_conntrack {
	chain VYOS_CT_IGNORE {
		return
	}

	chain VYOS_CT_TIMEOUT {
		return
	}

	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		counter packets 55 bytes 5144 jump VYOS_CT_IGNORE
		counter packets 55 bytes 5144 jump VYOS_CT_TIMEOUT
		counter packets 55 bytes 5144 jump FW_CONNTRACK
		counter packets 55 bytes 5144 jump NAT_CONNTRACK
		notrack
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
		counter packets 47 bytes 4448 jump VYOS_CT_IGNORE
		counter packets 47 bytes 4448 jump VYOS_CT_TIMEOUT
		counter packets 47 bytes 4448 jump FW_CONNTRACK
		counter packets 47 bytes 4448 jump NAT_CONNTRACK
		notrack
	}

	chain VYOS_CT_HELPER {
		return
	}

	chain FW_CONNTRACK {
		return
	}

	chain NAT_CONNTRACK {
		return
	}
}

"sudo nft flush ruleset" makes my specific issue go away, but it's not a viable solution as I need the firewall.

Three questions arise:

  1. Should packets being forwarded from a virtual-ethernet interface to a vlan on a physical interface be modified by conntrack?
  2. Should VyOS create these default nftables rules even though "firewall" is not defined in the config?
  3. Should "del system conntrack" completely disable conntrack?
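As an added example (not part of this report and not VyOS code), the Python script below parses the text form of `nft list ruleset` shown above and flags every netfilter hook where a base chain ending in `notrack` shares the hook with another base chain that carries a `ct ...` rule, as the vrf_zones table's `ct original zone set` rules do here at the same `raw` priority. The sample input is constructed by trimming the ruleset in this report to the two tables involved; the function names and the `Chain` record are this example's own.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Chain:
    family: str
    table: str
    name: str
    hook: str = ""                 # empty for regular (non-base) chains
    priority: str = ""
    rules: list = field(default_factory=list)


TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{$")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")
HOOK_RE = re.compile(r"^type\s+\S+\s+hook\s+(\S+)\s+priority\s+([^;]+);")
# `ct zone set`, `ct state`, `ct original zone ...` hand the packet to conntrack, which is what `notrack` prevents.
CT_RE = re.compile(r"\bct\s+(?:original\s+|reply\s+)?\w+")


def parse_ruleset(text):
    """Chains of an `nft list ruleset` dump, with hook, priority and rule lines."""
    chains, stack = [], []         # stack: kinds of the `{` blocks currently open
    family = table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TABLE_RE.match(line):
            family, table = m.group(1), m.group(2)
            stack.append("table")
            continue
        if (m := CHAIN_RE.match(line)) and stack and stack[-1] == "table":
            chain = Chain(family, table, m.group(1))
            chains.append(chain)
            stack.append("chain")
            continue
        if (m := HOOK_RE.match(line)) and chain is not None:
            chain.hook, chain.priority = m.group(1), m.group(2).strip()
            continue
        if chain is not None and stack[-1] == "chain" and line != "}":
            chain.rules.append(line)
        for ch in line:             # maps, sets and anonymous `{ ... }` nest freely
            if ch == "{":
                stack.append("other")
            elif ch == "}" and stack.pop() == "chain":
                chain = None
    return chains


def notrack_chains(chains):
    """Base chains whose last rule is `notrack` (what vyos_conntrack installs when conntrack is off)."""
    return [c for c in chains if c.hook and c.rules and c.rules[-1] == "notrack"]


def conntrack_engaging_chains(chains):
    """{hook: [(chain, matching rules)]} for base chains that carry `ct ...` rules."""
    out = {}
    for c in chains:
        hits = [r for r in c.rules if CT_RE.search(r)] if c.hook else []
        if hits:
            out.setdefault(c.hook, []).append((c, hits))
    return out


def audit(text):
    """A finding for every notrack chain that shares a hook with a `ct ...` chain."""
    chains = parse_ruleset(text)
    findings = []
    for hook, engaging in conntrack_engaging_chains(chains).items():
        for nt in [c for c in notrack_chains(chains) if c.hook == hook]:
            for other, hits in engaging:
                findings.append(f"hook {hook}: {nt.table}/{nt.name} ends in notrack (priority "
                                f"{nt.priority}) but {other.table}/{other.name} (priority "
                                f"{other.priority}) still runs: {'; '.join(hits)}")
    return findings


# Constructed input, trimmed from the `nft list ruleset` output in this report.
SAMPLE_RULESET = """
table inet vrf_zones {
    map ct_iface_map {
        typeof iifname : ct zone
        elements = { "LAN" : 1000, "WAN" : 2000 }
    }
    chain vrf_zones_ct_in {
        type filter hook prerouting priority raw; policy accept;
        counter packets 53811 bytes 62465972 ct original zone set iifname map @ct_iface_map
    }
}
table ip vyos_conntrack {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        notrack
    }
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULESET):
        print(finding)
```

Against the trimmed ruleset the script reports one finding for the prerouting hook. The dump alone does not tell you in which order two base chains registered at the same hook and priority run, so an empty `show system conntrack` is not enough to conclude that conntrack is off; pair a check like this with `conntrack -C`, as the report does, and expect the count to stay at zero when tracking is really disabled.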

Details

Version: 1.4
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Viacheslav triaged this task as Normal priority. Feb 27 2024, 5:07 PM
Viacheslav subscribed.

Please provide "show configuration commands" output or attach the /config/config.boot file.

Full configuration:

vyos@test:~$ show configuration commands
set interfaces bonding bond0 member interface 'eth4'
set interfaces bonding bond0 member interface 'eth5'
set interfaces bonding bond0 vif 50 address '172.29.21.2/30'
set interfaces bonding bond0 vif 50 vrf 'WAN'
set interfaces bonding bond0 vif 100 address 'xxx.xxx.91.3/24'
set interfaces bonding bond0 vif 100 vrf 'LAN'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:70'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:71'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:72'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:73'
set interfaces ethernet eth4 hw-id 'xx:xx:xx:xx:xx:41'
set interfaces ethernet eth5 hw-id 'xx:xx:xx:xx:xx:42'
set interfaces loopback lo
set interfaces virtual-ethernet veth0 address '10.255.255.1/30'
set interfaces virtual-ethernet veth0 peer-name 'veth1'
set interfaces virtual-ethernet veth0 vrf 'WAN'
set interfaces virtual-ethernet veth1 address '10.255.255.2/30'
set interfaces virtual-ethernet veth1 peer-name 'veth0'
set interfaces virtual-ethernet veth1 vrf 'LAN'
set policy route-map DENY rule 100 action 'deny'
set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh port '22'
set service ssh vrf 'LAN'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'test'
set system login user vyos authentication encrypted-password xxxxxx
set system login user vyos authentication plaintext-password xxxxxx
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set vrf name LAN protocols static route 0.0.0.0/0 next-hop 10.255.255.1 interface 'veth1'
set vrf name LAN table '1000'
set vrf name WAN protocols bgp neighbor 172.29.21.1 address-family ipv4-unicast nexthop-self
set vrf name WAN protocols bgp neighbor 172.29.21.1 address-family ipv4-unicast route-map export 'DENY'
set vrf name WAN protocols bgp neighbor 172.29.21.1 address-family ipv4-unicast soft-reconfiguration inbound
set vrf name WAN protocols bgp neighbor 172.29.21.1 remote-as '22222'
set vrf name WAN protocols bgp neighbor 172.29.21.1 update-source '172.29.21.1'
set vrf name WAN protocols bgp system-as '11111'
set vrf name WAN table '2000'
sarthurdev renamed this task from Conntrack/NAT not being disabled to Conntrack/NAT not being disabled when VRFs are defined. Feb 27 2024, 7:07 PM
sarthurdev changed the task status from Open to In progress.
sarthurdev claimed this task.
sarthurdev added a project: VyOS 1.5 Circinus.
sarthurdev changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).
sarthurdev changed the task status from In progress to Needs testing. Feb 27 2024, 10:09 PM
sarthurdev moved this task from Open to In Progress on the VyOS 1.5 Circinus board.
sarthurdev moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.
sarthurdev moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.