Page MenuHomeVyOS Platform
Create Task
Maniphest T6138

Conntrack table op-mode fails with flowtable offload entries
Closed, ResolvedPublicBUG
Actions

Description

To reproduce add firewall with flowtable offload

set firewall flowtable FLOW interface 'eth0'
set firewall flowtable FLOW interface 'eth1'
set firewall flowtable FLOW interface 'lo'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'FLOW'

Wait for conntrack entries for forward with offload

vyos@r4:~$ show conntrack table ipv4 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/conntrack.py", line 150, in <module>
    res = vyos.opmode.run(sys.modules[__name__])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 263, in run
    res = func(**args)
          ^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/conntrack.py", line 137, in show
    return get_formatted_output(conntrack_data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/conntrack.py", line 115, in get_formatted_output
    timeout = meta['timeout']
              ~~~~^^^^^^^^^^^
KeyError: 'timeout'
vyos@r4:~$ 
vyos@r4:~$ sudo conntrack -L | grep -i off
udp      17 src=192.0.2.14 dst=1.1.1.1 sport=38006 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=38006 [OFFLOAD] mark=0 use=2
conntrack v1.4.6 (conntrack-tools): 12 flow entries have been shown.
vyos@r4:~$

Needs to check the parser

Example for getting entries for parse

vyos@r4:~$ sudo conntrack --dump --family ipv4 --output XML

<?xml version="1.0" encoding="utf-8"?>
<conntrack>
<flow><meta direction="original"><layer3 protonum="2" protoname="ipv4"><src>192.0.2.14</src><dst>34.117.118.44</dst></layer3><layer4 protonum="6" protoname="tcp"><sport>47650</sport><dport>80</dport></layer4></meta><meta direction="reply"><layer3 protonum="2" protoname="ipv4"><src>34.117.118.44</src><dst>192.168.122.14</dst></layer3><layer4 protonum="6" protoname="tcp"><sport>80</sport><dport>47650</dport></layer4></meta><meta direction="independent"><state>TIME_WAIT</state><timeout>114</timeout><mark>0</mark><use>1</use><id>904325086</id><assured/></meta></flow>
<flow><meta direction="original"><layer3 protonum="2" protoname="ipv4"><src>192.0.2.14</src><dst>1.1.1.1</dst></layer3><layer4 protonum="17" protoname="udp"><sport>39957</sport><dport>53</dport></layer4></meta><meta direction="reply"><layer3 protonum="2" protoname="ipv4"><src>1.1.1.1</src><dst>192.168.122.14</dst></layer3><layer4 protonum="17" protoname="udp"><sport>53</sport><dport>39957</dport></layer4></meta><meta direction="independent"><mark>0</mark><use>2</use><id>2458037145</id></meta></flow>
<flow><meta direction="original"><layer3 protonum="2" protoname="ipv4"><src>192.168.122.14</src><dst>192.168.122.1</dst></layer3><layer4 protonum="6" protoname="tcp"><sport>22</sport><dport>56010</dport></layer4></meta><meta direction="reply"><layer3 protonum="2" protoname="ipv4"><src>192.168.122.1</src><dst>192.168.122.14</dst></layer3><layer4 protonum="6" protoname="tcp"><sport>56010</sport><dport>22</dport></layer4></meta><meta direction="independent"><state>ESTABLISHED</state><timeout>431999</timeout><mark>0</mark><use>1</use><id>931438034</id><assured/></meta></flow>
</conntrack>
conntrack v1.4.6 (conntrack-tools): 3 flow entries have been shown.

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.5-rolling-202403190019
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Viacheslav triaged this task as Normal priority.Mar 19 2024, 8:05 AM
Viacheslav created this task.
Viacheslav added a project: VyOS 1.4 Sagitta (1.4.0-epa2).
pasik added a subscriber: pasik.Mar 19 2024, 8:20 AM
Viacheslav changed the task status from Open to In progress.Mar 19 2024, 8:44 AM
Viacheslav claimed this task.
Viacheslav added a comment.Mar 19 2024, 9:05 AM

PR https://github.com/vyos/vyos-1x/pull/3150

vyos@r4:~$ show conntrack table ipv4 
Id          Original src       Original dst         Reply src            Reply dst             Protocol    State        Timeout    Mark    Zone
----------  -----------------  -------------------  -------------------  --------------------  ----------  -----------  ---------  ------  ------
2589405901  192.0.2.14:37122   34.206.168.146:123   34.206.168.146:123   192.168.122.14:37122  udp                      99         0
931438034   192.168.122.14:22  192.168.122.1:56010  192.168.122.1:56010  192.168.122.14:22     tcp         ESTABLISHED  431999     0
4269448361  192.0.2.14:43882   34.117.118.44:80     34.117.118.44:80     192.168.122.14:43882  tcp         TIME_WAIT    116        0
821718377   192.0.2.14:36208   1.1.1.1:53           1.1.1.1:53           192.168.122.14:36208  udp                      n/a        0
vyos@r4:~$ 
vyos@r4:~$
Viacheslav closed this task as Resolved.Mar 19 2024, 5:14 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
tjh added a subscriber: tjh.Mar 25 2024, 4:10 AM

This is still an issue for 1.4.0-epa2.

tim@ferrari:~$ show conntrack table ipv4
Traceback (most recent call last):

File "/usr/libexec/vyos/op_mode/conntrack.py", line 150, in <module>
  res = vyos.opmode.run(sys.modules[__name__])
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 263, in run
  res = func(**args)
        ^^^^^^^^^^^^
File "/usr/libexec/vyos/op_mode/conntrack.py", line 137, in show
  return get_formatted_output(conntrack_data)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/libexec/vyos/op_mode/conntrack.py", line 115, in get_formatted_output
  timeout = meta['timeout']
            ~~~~^^^^^^^^^^^

KeyError: 'timeout'

Also the NAT tables are affected:

tim@ferrari:~$ show nat destination translations
Traceback (most recent call last):

File "/usr/libexec/vyos/op_mode/nat.py", line 337, in <module>
  res = vyos.opmode.run(sys.modules[__name__])
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 263, in run
  res = func(**args)
        ^^^^^^^^^^^^
File "/usr/libexec/vyos/op_mode/nat.py", line 296, in _wrapper
  return func(*args, **kwargs)
         ^^^^^^^^^^^^^^^^^^^^^
File "/usr/libexec/vyos/op_mode/nat.py", line 331, in show_translations
  return _get_formatted_translation(nat_translation, direction, family,
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/libexec/vyos/op_mode/nat.py", line 266, in _get_formatted_translation
  timeout = meta['timeout']
            ~~~~^^^^^^^^^^^

KeyError: 'timeout'
tim@ferrari:~$ show nat source translations
Traceback (most recent call last):

File "/usr/libexec/vyos/op_mode/nat.py", line 337, in <module>
  res = vyos.opmode.run(sys.modules[__name__])
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 263, in run
  res = func(**args)
        ^^^^^^^^^^^^
File "/usr/libexec/vyos/op_mode/nat.py", line 296, in _wrapper
  return func(*args, **kwargs)
         ^^^^^^^^^^^^^^^^^^^^^
File "/usr/libexec/vyos/op_mode/nat.py", line 331, in show_translations
  return _get_formatted_translation(nat_translation, direction, family,
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/libexec/vyos/op_mode/nat.py", line 266, in _get_formatted_translation
  timeout = meta['timeout']
            ~~~~^^^^^^^^^^^

KeyError: 'timeout'

If I disable offloads then these all work as expected.

Need a fix for 1.4.0-final/epa3

Viacheslav added a comment.Mar 25 2024, 8:42 AM

@tjh already backported