Page MenuHomeVyOS Platform
Create Task
Maniphest T7209

Configured conntrack on input affects on forward
Open, Urgent!PublicBUG
Actions

Description

If conntrack is configured on input in firewall it affects forward traffic.
It can lead to performance degradation.
How to reproduce:

Network map
Host(192.168.0.2)-----(eth0 192.168.0.1)VyOS(eth1 192.168.1.1) ----Host(192.168.1.2)

Configuration:

set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 protocol 'icmp'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 state 'related'
set firewall ipv4 input filter rule 20 state 'established'
set interfaces ethernet eth0 address '192.168.0.1/24'
set interfaces ethernet eth1 address '192.168.1.1/24'

Run ping from Host 192.168.0.2 to Host 192.168.1.2

vyos@vyos:~$ sudo conntrack -L
icmp     1 29 src=192.168.0.2 dst=192.168.1.2 type=8 code=0 id=3318 src=192.168.1.2 dst=192.168.0.2 type=0 code=0 id=3318 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

As we can see, we did not configure conntrack rules on forward, but conntrack flow exists

Details

Version
VyOS 1.5-rolling-202502190007, VyOS 1.4.1
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

a.apostoliuk created this task.Fri, Feb 28, 3:29 PM
a.apostoliuk triaged this task as Urgent! priority.
a.apostoliuk added a comment.Fri, Feb 28, 4:59 PM

I did more tests. If I create any rule called conntrack (in input, forward, with different conditions), Conntrack affects all traffic that passes through or to the router.

pasik subscribed.Fri, Feb 28, 5:35 PM
sarthurdev subscribed.EditedFri, Feb 28, 6:25 PM

I think this should be considered expected behaviour, during the several iterations of the firewall (including Vyatta era - without explicit tables and chains) we've not changed the logic of enabling conntrack.

The conntrack logic has always been to check if any firewall rule uses state matching, enable conntrack. If NAT is used, enable conntrack etc.

ref: https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/system_conntrack.py#L196

a.apostoliuk added a comment.Fri, Feb 28, 7:02 PM

@sarthurdev I think, conntract should be transferred from input or forward to the global section or used in prerouting. Because now it looks like conntrack is used only in these rules, not for all traffic.

syncer removed a project: VyOS 1.5 Circinus.Thu, Mar 6, 10:33 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.3), VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta (1.4.2).Wed, Mar 12, 5:52 PM