
Configured conntrack on input affects forward
Open, Low, Public, BUG

Description

If conntrack is configured on input in the firewall, it affects forward traffic.
This can lead to performance degradation.
How to reproduce:

Network map
Host(192.168.0.2)-----(eth0 192.168.0.1)VyOS(eth1 192.168.1.1) ----Host(192.168.1.2)

Configuration:

set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 protocol 'icmp'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 state 'related'
set firewall ipv4 input filter rule 20 state 'established'
set interfaces ethernet eth0 address '192.168.0.1/24'
set interfaces ethernet eth1 address '192.168.1.1/24'

Run ping from Host 192.168.0.2 to Host 192.168.1.2

vyos@vyos:~$ sudo conntrack -L
icmp     1 29 src=192.168.0.2 dst=192.168.1.2 type=8 code=0 id=3318 src=192.168.1.2 dst=192.168.0.2 type=0 code=0 id=3318 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

As we can see, we did not configure conntrack rules on forward, but a conntrack flow exists.

Details

Version
VyOS 1.5-rolling-202502190007, VyOS 1.4.1
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)
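An added example, not part of this task or of VyOS itself, for checking the report's claim from the conntrack table: the shell function below parses `conntrack -L` output and labels each flow as local (original direction addressed to the router) or forward (transit), using the two router addresses from the network map above. The sample flows are constructed for the example and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the VyOS task or the vyos-1x code base:
# classify the flows printed by `conntrack -L` as "local" (original
# direction addressed to the router itself) or "forward" (transit).
# With only stateful input rules configured, any "forward" flow shows
# that conntrack is tracking through traffic, which is the report's point.

# Router addresses from the report's topology (eth0 / eth1).
ROUTER_ADDRS="192.168.0.1 192.168.1.1"

# Constructed sample modelled on the conntrack v1.4.7 output in the report:
# the ICMP transit flow from the report plus two flows made up for contrast.
SAMPLE_CONNTRACK='icmp     1 29 src=192.168.0.2 dst=192.168.1.2 type=8 code=0 id=3318 src=192.168.1.2 dst=192.168.0.2 type=0 code=0 id=3318 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.2 dst=192.168.0.1 sport=51234 dport=22 src=192.168.0.1 dst=192.168.0.2 sport=22 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.2 dst=192.168.0.2 sport=40000 dport=53 src=192.168.0.2 dst=192.168.1.2 sport=53 dport=40000 mark=0 use=1'

# classify_flows "<router addrs>" < conntrack-output
# Prints "<proto> <orig-src> <orig-dst> local|forward" per flow entry.
# Only the first src=/dst= pair is the original direction; the second
# pair is the reply tuple and is skipped. Lines without a tuple (such as
# the "N flow entries have been shown" summary) are ignored.
classify_flows() {
    awk -v addrs="$1" '
    BEGIN { n = split(addrs, a, " "); for (i = 1; i <= n; i++) islocal[a[i]] = 1 }
    {
        proto = $1; src = ""; dst = ""
        for (i = 2; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
        }
        if (src == "" || dst == "") next
        print proto, src, dst, (dst in islocal ? "local" : "forward")
    }'
}

# count_forwarded "<router addrs>" < conntrack-output -> number of transit flows
count_forwarded() {
    classify_flows "$1" | awk '$4 == "forward" { n++ } END { print n + 0 }'
}

# On the router itself (the summary line is dropped whichever stream it lands on):
#   sudo conntrack -L 2>/dev/null | classify_flows "$ROUTER_ADDRS"
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_flows "$ROUTER_ADDRS"
```

With the configuration from the report, a non-zero `count_forwarded` result while only the input chain carries state matching is exactly the behaviour being reported: the tracked ICMP flow has its destination on the far side of the router, not on the router.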

Event Timeline

a.apostoliuk triaged this task as Urgent! priority.

I did more tests. If I create any rule called conntrack (in input, forward, with different conditions), conntrack affects all traffic that passes through or to the router.

I think this should be considered expected behaviour. During the several iterations of the firewall (including the Vyatta era, without explicit tables and chains) we've not changed the logic of enabling conntrack.

The conntrack logic has always been: check if any firewall rule uses state matching and, if so, enable conntrack; if NAT is used, enable conntrack; etc.

ref: https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/system_conntrack.py#L196

@sarthurdev I think conntrack should be transferred from input or forward to the global section or used in prerouting, because now it looks like conntrack is used only in these rules, not for all traffic.

@a.apostoliuk @sarthurdev I saw this a while back and was thinking about it today. I think it'd be useful to be able to disable conntrack per chain. It could be useful for people using VyOS in an ISP environment, where the firewall is more a mechanism to secure VyOS itself, rather than filter through traffic. It'd be pretty easy to implement.

dmbaturin subscribed.

@L0crian @a.apostoliuk @sarthurdev I think I agree with the idea to add an option to disable conntrack per chain. I made a task about that: T7475

I stumbled over it today on my 1.4 boxes. It would be nice to have the possibility to exclude forwarding traffic from conntrack.

I would like to have conntrack only for local rules (INPUT/OUTPUT) but forward with notrack.

On the net I found:

nft add table ip stateless
nft add chain ip stateless prerouting '{ type filter hook prerouting priority -310; policy accept; }'
nft add rule ip stateless prerouting iif != lo fib daddr oif exists notrack

Replacing the ip family with the inet combo family should extend the same generic behavior to IPv4+IPv6.

And:

Note that for this statement to be effective, it has to be applied to packets before a conntrack lookup happens. Therefore, it needs to sit in a chain with either prerouting or output hook and a hook priority of -300 or less.
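An added example that is not this task's or VyOS's own code: the ruleset below does what the previous comment asks for in the inet family, keeping conntrack for traffic to and from the router and applying notrack only to packets that will be routed onward, and the lint function checks the placement requirement quoted above (prerouting or output hook, priority -300 or lower) before the ruleset is loaded. The table name vyos_stateless and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the VyOS task or the vyos-1x code base:
# an nftables ruleset that leaves conntrack on for traffic to and from the
# router (input/output) but marks transit traffic notrack in prerouting,
# plus a lint that enforces the placement rule quoted in the thread:
# notrack must sit in a prerouting or output hook chain at priority -300
# or lower. The table name "vyos_stateless" is an assumption.

# inet family covers IPv4 and IPv6 in one table. "fib daddr type != local"
# is true for packets that will be routed onward rather than delivered to
# the router itself, so only those skip connection tracking.
NOTRACK_RULESET='table inet vyos_stateless {
    chain prerouting {
        type filter hook prerouting priority -310; policy accept;
        iif != "lo" fib daddr type != local notrack
    }
}'

# lint_notrack < ruleset
# Exits 1 and prints a diagnostic for every notrack rule whose chain is not
# hooked at prerouting/output, or whose priority is above -300 (the symbolic
# priority "raw" is treated as -300, which is its nft value).
lint_notrack() {
    awk '
    $1 == "chain" { chain = $2; hook[chain] = ""; prio[chain] = "" }
    $1 == "type" && /hook/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "hook") hook[chain] = $(i + 1)
            if ($i == "priority") {
                p = $(i + 1); sub(/;$/, "", p)
                if (p == "raw") p = "-300"
                prio[chain] = p
            }
        }
    }
    $1 != "chain" && $1 != "table" && /notrack/ {
        ok = (hook[chain] == "prerouting" || hook[chain] == "output") && (prio[chain] + 0 <= -300)
        if (!ok) {
            printf "chain %s: notrack in hook \"%s\" at priority \"%s\" is ineffective (needs prerouting/output, priority <= -300)\n", chain, hook[chain], prio[chain]
            bad++
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Lint first, then load on the router (requires root and nft; "-f -" reads stdin):
#   printf "%s\n" "$NOTRACK_RULESET" | lint_notrack && printf "%s\n" "$NOTRACK_RULESET" | sudo nft -f -
printf '%s\n' "$NOTRACK_RULESET" | lint_notrack && echo "notrack placement OK"
```

Two caveats for anyone applying this: packets marked notrack carry ct state untracked, so they match neither established nor related, which only fits a setup like the one in the report where the forward chain carries no stateful rules, and NAT needs conntrack, so traffic that is NATed must not be excluded. The table is loaded outside the VyOS CLI, so it is not part of the saved configuration and has to be re-applied after a reboot.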

Viacheslav lowered the priority of this task from Urgent! to Normal. Jun 18 2025, 12:54 AM
Unknown Object (User) lowered the priority of this task from Normal to Low. Jun 24 2025, 3:19 PM