
firewall: Simplify and optimize vyos_conntrack table
Open, Normal, Public

Description

Currently, even without any config that would enable conntrack, a packet traverses 9 rules before it reaches the notrack rule that exempts its session from tracking. This is very inefficient. Even with conntrack enabled, traffic traverses unnecessary rules, wasting CPU cycles.

Issues:

  1. This is the current output when there is nothing configured that would use conntrack:
table ip vyos_conntrack {
        chain VYOS_CT_IGNORE {
                return
        }

        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
                counter jump VYOS_CT_IGNORE
                counter jump FW_CONNTRACK
                counter jump NAT_CONNTRACK
                counter jump WLB_CONNTRACK
                notrack
        }

        chain OUTPUT {
                type filter hook output priority raw; policy accept;
                counter jump VYOS_CT_IGNORE
                counter jump FW_CONNTRACK
                counter jump NAT_CONNTRACK
                notrack
        }

        chain VYOS_CT_HELPER {
                return
        }

        chain FW_CONNTRACK {
                return
        }

        chain NAT_CONNTRACK {
                return
        }

        chain WLB_CONNTRACK {
                return
        }
}

These 3 lines all do the same thing, which is decide whether sessions should be tracked by default:

counter jump FW_CONNTRACK
counter jump NAT_CONNTRACK
counter jump WLB_CONNTRACK

There's no need to track these 3 conditions separately; the only condition that matters is whether packets should hit the notrack rule or not. All three can be covered by a single accept verdict if conntrack is in use anywhere in the config.

  2. The VYOS_CT_IGNORE rule only needs to be present when there is actually config either in system conntrack ignore or in firewall (ipv4|ipv6) prerouting raw with an action of notrack.

Expected outcome:

After the changes, this is what would be expected:

No conntrack related config:
table ip vyos_conntrack {
        chain VYOS_CT_IGNORE {
                return
        }

        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
                notrack
        }

        chain OUTPUT {
                type filter hook output priority raw; policy accept;
                notrack
        }

        chain VYOS_CT_HELPER {
                return
        }
}

Config that enables conntrack:
table ip vyos_conntrack {
        chain VYOS_CT_IGNORE {
                return
        }

        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
                counter accept
                notrack
        }

        chain OUTPUT {
                type filter hook output priority raw; policy accept;
                counter accept
                notrack
        }

        chain VYOS_CT_HELPER {
                return
        }
}

In both cases a packet evaluates a single rule before reaching its verdict, compared to 9 before.
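To make the "9 rules versus 1" comparison concrete, here is a small Python model (added for this write-up; it is not VyOS code) that parses the subset of `nft list table` output shown above and walks a packet through a base chain, counting every rule it evaluates. It treats `jump` as entering the target chain and continuing after it if that chain returns or falls off its end, `accept`/`drop` as final verdicts, `return` as leaving the current chain, and `notrack` as a statement that sets a flag and lets evaluation continue to the base chain's policy; `counter` is ignored because it only updates statistics. The `proposed_ruleset()` helper renders the slimmed-down table from the expected outcome; placing the optional `VYOS_CT_IGNORE` jump ahead of the accept is this example's assumption, not something the task states.

```python
import re

# Ruleset from the task description, minus the unreferenced VYOS_CT_HELPER chain.
OLD_RULESET = """
table ip vyos_conntrack {
 chain VYOS_CT_IGNORE {
  return
 }
 chain PREROUTING {
  type filter hook prerouting priority raw; policy accept;
  counter jump VYOS_CT_IGNORE
  counter jump FW_CONNTRACK
  counter jump NAT_CONNTRACK
  counter jump WLB_CONNTRACK
  notrack
 }
 chain OUTPUT {
  type filter hook output priority raw; policy accept;
  counter jump VYOS_CT_IGNORE
  counter jump FW_CONNTRACK
  counter jump NAT_CONNTRACK
  notrack
 }
 chain FW_CONNTRACK {
  return
 }
 chain NAT_CONNTRACK {
  return
 }
 chain WLB_CONNTRACK {
  return
 }
}
"""


def parse_ruleset(text):
    """Parse `nft list table` style text into {chain: {"rules": [...], "policy": str}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":                       # closes a chain (or the table)
            current = None
            continue
        if not line or line.startswith("table "):
            continue
        head = re.match(r"chain (\S+) \{$", line)
        if head:
            current = chains[head.group(1)] = {"rules": [], "policy": "accept"}
            continue
        if line.startswith("type "):          # base-chain hook line carries the policy
            current["policy"] = re.search(r"policy (\w+);", line).group(1)
            continue
        words = line.split()
        if words[0] == "counter":             # counter only updates statistics
            words = words[1:]
        current["rules"].append(words)
    return chains


def traverse(chains, name, state):
    """Evaluate chain `name`; return a final verdict, or None if it returns/falls through."""
    for words in chains[name]["rules"]:
        state["evaluated"] += 1               # one rule looked at
        keyword = words[0]
        if keyword == "jump":
            verdict = traverse(chains, words[1], state)
            if verdict is not None:           # jumped chain decided the packet
                return verdict
        elif keyword == "return":
            return None
        elif keyword in ("accept", "drop"):
            return keyword
        elif keyword == "notrack":
            state["notrack"] = True           # statement, not a verdict: keep going
        else:
            raise ValueError(f"unsupported rule: {' '.join(words)}")
    return None


def simulate(text, hook_chain):
    """Return (verdict, rules_evaluated, session_marked_notrack) for one packet."""
    chains = parse_ruleset(text)
    state = {"evaluated": 0, "notrack": False}
    verdict = traverse(chains, hook_chain, state)
    if verdict is None:                       # end of base chain: policy applies
        verdict = chains[hook_chain]["policy"]
    return verdict, state["evaluated"], state["notrack"]


def proposed_ruleset(conntrack_enabled, has_ignore_rules=False):
    """Render the expected-outcome table; the ignore-jump position is assumed."""
    base = []
    if has_ignore_rules:
        base.append("counter jump VYOS_CT_IGNORE")
    if conntrack_enabled:
        base.append("counter accept")
    base.append("notrack")
    rules = "\n".join(f"  {r}" for r in base)
    return (
        "table ip vyos_conntrack {\n chain VYOS_CT_IGNORE {\n  return\n }\n"
        " chain PREROUTING {\n  type filter hook prerouting priority raw; policy accept;\n"
        f"{rules}\n }}\n chain OUTPUT {{\n  type filter hook output priority raw; policy accept;\n"
        f"{rules}\n }}\n}}\n"
    )


if __name__ == "__main__":
    print("old PREROUTING:", simulate(OLD_RULESET, "PREROUTING"))
    print("new, no conntrack:", simulate(proposed_ruleset(False), "PREROUTING"))
    print("new, conntrack on:", simulate(proposed_ruleset(True), "PREROUTING"))
```

Running it reproduces the task's figures: the current PREROUTING chain evaluates 9 rules (5 in the base chain plus the `return` in each of the 4 jumped chains) before the packet is marked notrack and falls through to the accept policy, while both proposed layouts evaluate exactly 1. Adding ignore rules back costs the jump plus the chain's return, which is why the task wants that jump emitted only when such config exists.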

Details

Version: -
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Performance optimization

Event Timeline

L0crian triaged this task as Normal priority.
L0crian created this object in space S1 VyOS Public.