vrf: nftables conntrack ct_iface_map contains multiple identical entries
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	c-po
	Jul 23 2024, 12:32 PM

Description

vyos@vyos:~$ sudo nft list table inet vrf_zones
table inet vrf_zones {
        map ct_iface_map {
                typeof iifname : ct zone
                elements = { "eth0" : 12817,
                             "dum0" : 12817,
                             "wg500" : 12817,
                             "wg501" : 12817,
                             "veth1" : 12817,
                             "bond10.5" : 12817,
                             "red" : 12817,
                             "bond10.500" : 12817,
                             "bond10.666" : 12817 }
        }

        chain vrf_zones_ct_in {
                type filter hook prerouting priority raw; policy accept;
                counter packets 1718123113 bytes 986223532227 ct original zone set iifname map @ct_iface_map
                counter packets 1718098550 bytes 986220580739 ct original zone set iifname map @ct_iface_map
                counter packets 1718095644 bytes 986220267697 ct original zone set iifname map @ct_iface_map
        }

        chain vrf_zones_ct_out {
                type filter hook output priority raw; policy accept;
                counter packets 179468909 bytes 41465072796 ct original zone set oifname map @ct_iface_map
                counter packets 179467883 bytes 41464947652 ct original zone set oifname map @ct_iface_map
                counter packets 179467781 bytes 41464933878 ct original zone set oifname map @ct_iface_map
        }

TODO

Add smoketest validating that also on interface removal, it's no longer part of the ct_iface_map

Details

Difficulty level: Normal (likely a few hours)
Version: 1.4.0
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved	BUG	c-po	T6603 vrf: nftables conntrack ct_iface_map contains multiple identical entries
		Invalid	BUG	c-po	T6609 vrf: if NAT is configured aftert creating a VRF instance, nftables conntrack mapping for VRF zones is not populated

Event Timeline

c-po created this task.Jul 23 2024, 12:32 PM

c-po claimed this task.

Viacheslav triaged this task as Normal priority.Jul 23 2024, 1:28 PM

pasik subscribed.Jul 23 2024, 4:45 PM

c-po updated the task description. (Show Details)Jul 23 2024, 5:12 PM

c-po closed subtask T6609: vrf: if NAT is configured aftert creating a VRF instance, nftables conntrack mapping for VRF zones is not populated as Invalid.Jul 26 2024, 7:54 AM

https://github.com/vyos/vyos-1x/pull/3883

c-po moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.Jul 30 2024, 1:16 PM

c-po closed this task as Resolved.Aug 2 2024, 3:45 PM

c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.1) board.

vrf: nftables conntrack ct_iface_map contains multiple identical entriesClosed, ResolvedPublicBUGActions

Description

TODO

Details

Related ObjectsSearch...

Event Timeline

vrf: nftables conntrack ct_iface_map contains multiple identical entries
Closed, ResolvedPublicBUG
Actions

Related Objects
Search...