Conntrack not working as expected with global state-policy
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	n.fort
	Mar 20 2024, 6:51 PM

Description

As reported, this is not working:

set service ssh
set firewall global-options state-policy established action accept

Then, ssh to the router, and no conntrack entries shown:

vyos@vyos14:~$ netstat | grep ssh
tcp        0     36 192.168.188.122:ssh     192.168.188.80:51786    ESTABLISHED
vyos@vyos14:~$ sudo conntrack -L
conntrack v1.4.7 (conntrack-tools): 0 flow entries have been shown.

From firewall ruleset, there's seem to be an error in vyos_conntrack table:

sudo nft list table ip vyos_conntrack
....
        chain PREROUTING { # handle 3
                type filter hook prerouting priority raw; policy accept;
                counter packets 46 bytes 7441 jump VYOS_CT_IGNORE # handle 21
                counter packets 46 bytes 7441 jump VYOS_CT_TIMEOUT # handle 22
                counter packets 46 bytes 7441 jump FW_CONNTRACK # handle 23
                counter packets 46 bytes 7441 jump NAT_CONNTRACK # handle 24
                counter packets 46 bytes 7441 jump WLB_CONNTRACK # handle 25
                notrack # handle 26
        }

        chain OUTPUT { # handle 4
                type filter hook output priority raw; policy accept;
                counter packets 24 bytes 1692 jump VYOS_CT_IGNORE # handle 27
                counter packets 24 bytes 1692 jump VYOS_CT_TIMEOUT # handle 28
                counter packets 24 bytes 1692 jump FW_CONNTRACK # handle 29
                counter packets 24 bytes 1692 jump NAT_CONNTRACK # handle 30
                notrack # handle 31
        }

        chain VYOS_CT_HELPER { # handle 5
                ct helper set "ftp_tcp" tcp dport 21 return # handle 32
                ct helper set "ras_udp" udp dport 1719 return # handle 33
                ct helper set "q931_tcp" tcp dport 1720 return # handle 34
                ct helper set "rpc_tcp" tcp dport 111 return # handle 35
                ct helper set "rpc_udp" udp dport 111 return # handle 36
                ct helper set "pptp_tcp" tcp dport 1723 return # handle 37
                ct helper set "sip_tcp" tcp dport { 5060, 5061 } return # handle 39
                ct helper set "sip_udp" udp dport { 5060, 5061 } return # handle 41
                ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return # handle 43
                ct helper set "tftp_udp" udp dport 69 return # handle 44
                return # handle 45
        }

If we delete de "notrack" actions, we see the connection in the conntrack system:

vyos@epa2:~$ sudo nft delete rule ip vyos_conntrack PREROUTING handle 26
vyos@epa2:~$ sudo nft delete rule ip vyos_conntrack OUTPUT handle 31
vyos@epa2:~$ sudo conntrack -L | grep tcp
conntrack v1.4.7 (conntrack-tools): tcp      6 431964 ESTABLISHED src=192.168.77.32 dst=192.168.0.182 sport=60224 dport=22 src=192.168.0.182 dst=192.168.77.32 sport=22 dport=60224 [ASSURED] mark=0 use=1
9 flow entries have been shown.
vyos@epa2:~$

It seems that this was introduced in commit https://github.com/vyos/vyos-1x/commit/734d84f696944419a2d6f11bc16dda03900add34

Details

Version: 1.4.0-epa2, 1.5-rolling-202403200018
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Related Objects

Mentioned In: rVYOSONEXf7a005ebecdf: Merge pull request #3160 from vyos/mergify/bp/sagitta/pr-3159
rVYOSONEXd19be874eb5c: conntrack: T6147: Enable conntrack when firewall state-policy is defined
rVYOSONEX62bda3b082a7: conntrack: T6147: Enable conntrack when firewall state-policy is defined
rVYOSONEX33dfe6e07e5c: Merge pull request #3159 from sarthurdev/T6147

Event Timeline

n.fort created this task.Mar 20 2024, 6:51 PM

n.fort changed the task status from Open to Confirmed.

n.fort triaged this task as High priority.

n.fort added a project: VyOS 1.5 Circinus.Mar 20 2024, 6:56 PM

n.fort changed Version from 1.4.0-epa2 to 1.4.0-epa2, 1.5-rolling-202403200018.

This likely because the global state policy being reintroduced was not accounted for in the firewall check in conf script. I'll check this week.

pasik subscribed.Mar 20 2024, 9:27 PM

sarthurdev renamed this task from Conntrack not working as expected to Conntrack not working as expected with global state-policy.Mar 20 2024, 9:47 PM

sarthurdev changed the task status from Confirmed to In progress.

sarthurdev moved this task from Open to In Progress on the VyOS 1.5 Circinus board.

PR: https://github.com/vyos/vyos-1x/pull/3159

Restricted Repository Identity mentioned this in rVYOSONEX33dfe6e07e5c: Merge pull request #3159 from sarthurdev/T6147.Mar 21 2024, 12:03 AM

sarthurdev mentioned this in rVYOSONEX62bda3b082a7: conntrack: T6147: Enable conntrack when firewall state-policy is defined.Mar 21 2024, 12:03 AM

Restricted Repository Identity mentioned this in rVYOSONEXd19be874eb5c: conntrack: T6147: Enable conntrack when firewall state-policy is defined.Mar 21 2024, 12:03 AM

Restricted Repository Identity mentioned this in rVYOSONEXf7a005ebecdf: Merge pull request #3160 from vyos/mergify/bp/sagitta/pr-3159.Mar 21 2024, 4:30 AM

pragmattic subscribed.Mar 25 2024, 6:19 PM

sarthurdev closed this task as Resolved.Mar 28 2024, 3:01 PM

sarthurdev moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.

sarthurdev moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.

dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.5 Circinus, VyOS 1.4 Sagitta.May 11 2024, 5:04 PM

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).

Conntrack not working as expected with global state-policyClosed, ResolvedPublicBUGActions

Description

Details

Related Objects

Event Timeline

Conntrack not working as expected with global state-policy
Closed, ResolvedPublicBUG
Actions