This bug report comes from [[ https://forum.vyos.io/t/packet-being-modified-while-changing-interfaces-and-vrfs/13862 | my forum post]] about an issue with packets being modified while changing interfaces.
This is a clean install of VyOS 1.4 build commit id 8e8e8e4bc5c5c4 with no prior configuration.
Even when disabled, conntrack seems to still be active:
```
vyos@test# show system conntrack
Configuration under specified path is empty
[edit]
```
```
vyos@test:~$ sudo conntrack -C
48
```
When investigating, I noticed that there are firewall rules even though no firewall is configured:
```
vyos@test# show firewall
Configuration under specified path is empty
[edit]
```
```
vyos@test# sudo nft list ruleset
table ip nat {
chain VYOS_PRE_SNAT_HOOK {
type nat hook postrouting priority srcnat - 1; policy accept;
return
}
}
table inet mangle {
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
}
table ip raw {
chain VYOS_TCP_MSS {
type filter hook forward priority raw; policy accept;
}
chain vyos_global_rpfilter {
return
}
chain vyos_rpfilter {
type filter hook prerouting priority raw; policy accept;
counter packets 53756 bytes 62460828 jump vyos_global_rpfilter
}
chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority raw; policy accept;
}
}
table ip6 raw {
chain VYOS_TCP_MSS {
type filter hook forward priority raw; policy accept;
}
chain vyos_global_rpfilter {
return
}
chain vyos_rpfilter {
type filter hook prerouting priority raw; policy accept;
counter packets 55 bytes 5144 jump vyos_global_rpfilter
}
chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority raw; policy accept;
}
}
table inet vrf_zones {
map ct_iface_map {
typeof iifname : ct zone
elements = { "LAN" : 1000,
"WAN" : 2000,
"veth0" : 2000,
"veth1" : 1000,
"bond0.50" : 2000,
"bond0.100" : 1000 }
}
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
counter packets 53811 bytes 62465972 ct original zone set iifname map @ct_iface_map
}
chain vrf_zones_ct_out {
type filter hook output priority raw; policy accept;
counter packets 15713 bytes 862940 ct original zone set oifname map @ct_iface_map
}
}
table ip vyos_conntrack {
chain VYOS_CT_IGNORE {
return
}
chain VYOS_CT_TIMEOUT {
return
}
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 53756 bytes 62460828 jump VYOS_CT_IGNORE
counter packets 53756 bytes 62460828 jump VYOS_CT_TIMEOUT
counter packets 53756 bytes 62460828 jump FW_CONNTRACK
counter packets 53756 bytes 62460828 jump NAT_CONNTRACK
counter packets 53756 bytes 62460828 jump WLB_CONNTRACK
notrack
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
counter packets 15666 bytes 858492 jump VYOS_CT_IGNORE
counter packets 15666 bytes 858492 jump VYOS_CT_TIMEOUT
counter packets 15666 bytes 858492 jump FW_CONNTRACK
counter packets 15666 bytes 858492 jump NAT_CONNTRACK
notrack
}
chain VYOS_CT_HELPER {
return
}
chain FW_CONNTRACK {
return
}
chain NAT_CONNTRACK {
return
}
chain WLB_CONNTRACK {
return
}
}
table ip6 vyos_conntrack {
chain VYOS_CT_IGNORE {
return
}
chain VYOS_CT_TIMEOUT {
return
}
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 55 bytes 5144 jump VYOS_CT_IGNORE
counter packets 55 bytes 5144 jump VYOS_CT_TIMEOUT
counter packets 55 bytes 5144 jump FW_CONNTRACK
counter packets 55 bytes 5144 jump NAT_CONNTRACK
notrack
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
counter packets 47 bytes 4448 jump VYOS_CT_IGNORE
counter packets 47 bytes 4448 jump VYOS_CT_TIMEOUT
counter packets 47 bytes 4448 jump FW_CONNTRACK
counter packets 47 bytes 4448 jump NAT_CONNTRACK
notrack
}
chain VYOS_CT_HELPER {
return
}
chain FW_CONNTRACK {
return
}
chain NAT_CONNTRACK {
return
}
}
```
"sudo nft flush ruleset" makes my specific issue go away, but it is not a viable solution as I need the firewall.
Three questions arise:
1) Should packets being forwarded from a virtual-ethernet interface to a vlan on a physical interface be modified by conntrack?
2) Should VyOS create these default nftables rules even though "firewall" is not defined in the config?
3) Should "del system conntrack" **completely** disable conntrack?