
Conntrack helpers are no longer active by default
Closed, Resolved (Public, BUG)

Description

PPTP clients in the local (inside NAT) net can't connect to a PPTP server.
I can solve this problem only for ONE client by adding a rule to destination NAT like this:

sh nat destination rule 1

inbound-interface eth0
protocol gre
translation {
    address a.b.c.d
}

But this is not a solution, because the client address is not fixed and there can be many clients.

I tried enabling/disabling the conntrack modules pptp and gre, but unsuccessfully.

On versions 1.1.7 and 1.1.8 everything works fine. The problem is on version 1.2.0.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0
Why the issue appeared?
Issues in third-party code
vlesk created this task. Dec 27 2018, 5:21 PM
syncer assigned this task to zsdc. Dec 27 2018, 5:30 PM
syncer triaged this task as Normal priority. Dec 27 2018, 6:06 PM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
vlesk added a comment. Dec 28 2018, 3:26 AM

I suppose the problem is in the conntrack modules. Not only PPTP doesn't work: publishing an FTP server after the upgrade to version 1.2.0 from 1.1.8 also stopped working. Disabling/enabling ftp conntrack does not solve the problem either.

zsdc added a comment. Dec 30 2018, 2:43 AM

I can confirm that the problem with connection tracking exists. The reason is this change in the Linux kernel. Now, by default, all connection helpers are disabled. You may try to search your log files for something like:

kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

If you want, you may read more about this here.
So we need to add all helpers by hand. You may try the following workaround. Add this to /config/scripts/vyatta-postconfig-bootup.script:

sleep 10
iptables -t raw -I VYATTA_CT_HELPER 1 -p tcp --dport 1723 -j CT --helper pptp
iptables -t raw -I VYATTA_CT_HELPER 2 -p tcp --dport 21 -j CT --helper ftp

Then reboot or, if you want to apply it without rebooting, just execute all the commands in a root shell.

And wait for a fix in further builds, of course. :)
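An added example, not from the report or from VyOS itself: an idempotent form of the bootup workaround in the comment above. It attaches each helper explicitly with the CT target, which is what the kernel warning recommends instead of re-enabling automatic assignment, and includes a check for that warning in a log line. It assumes the raw-table chain VYATTA_CT_HELPER exists as in the commands above; the helper list and the sample log text are constructed.

```shell
#!/bin/sh
# Idempotent conntrack-helper attachment for the VYATTA_CT_HELPER chain.
# Assumption: the chain exists in the raw table (VyOS 1.2.0 layout).

# Helpers to attach explicitly, as "proto:port:helper" (constructed list).
CT_HELPERS="tcp:1723:pptp tcp:21:ftp"

# Print the iptables match/target arguments for one entry, e.g.
# "tcp:21:ftp" -> "-p tcp --dport 21 -j CT --helper ftp"
ct_rule_args() {
    proto=${1%%:*}
    rest=${1#*:}
    port=${rest%%:*}
    helper=${rest#*:}
    printf '%s' "-p $proto --dport $port -j CT --helper $helper"
}

# Return 0 when a kernel log line is the "automatic helper assignment
# has been turned off" warning quoted in the comment above.
is_helper_disabled_msg() {
    case "$1" in
        *"nf_conntrack: default automatic helper assignment has been turned off"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Insert each rule at the top of VYATTA_CT_HELPER unless it is already
# present, so the script can be re-run (e.g. at every boot) safely.
apply_ct_helpers() {
    for entry in $CT_HELPERS; do
        args=$(ct_rule_args "$entry")
        # Word splitting of $args is intended here.
        if ! iptables -t raw -C VYATTA_CT_HELPER $args 2>/dev/null; then
            iptables -t raw -I VYATTA_CT_HELPER $args
        fi
    done
}

# Report whether the old automatic-assignment sysctl is on; a module
# reload without nf_conntrack_helper=1 may reset it (see the thread).
helper_sysctl_enabled() {
    [ "$(cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null)" = "1" ]
}

# Only touch the firewall when run as root with an explicit "apply".
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    apply_ct_helpers
fi
```

Run it as `sh script.sh apply` from a root shell, or call it from the bootup script; `helper_sysctl_enabled` is a status check only and changes nothing.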

dmbaturin renamed this task from "PPTP Passthrough don't work with NAT on Vyos 1.2.0" to "Conntrack helpers are no longer active by default". Dec 31 2018, 8:08 AM
dmbaturin edited projects, added VyOS-1.2.0-GA; removed VyOS 1.3 Equuleus.
dmbaturin changed Why the issue appeared? from "Will be filled on close" to "Issues in third-party code".
dmbaturin changed the task status from Open to Needs testing. Dec 31 2018, 8:38 AM
dmbaturin added a subscriber: dmbaturin.

@zsdc The fix for T1011 should have fixed this, but there's a crucial and annoying detail: apparently when the nf_conntrack module is (re)loaded without the nf_conntrack_helper=1 option, the sysctl value gets overwritten.

I've adjusted modprobe options everywhere to make sure it's always loaded with helper option enabled. Let's keep the old behaviour in 1.2.0, cleaning it up is a task for firewall/conntrack scripts rewrite in a future release.

pasik added a subscriber: pasik. Jan 1 2019, 7:56 PM
vlesk added a comment. Jan 4 2019, 11:33 AM

Today I made new ISOs. Now the FTP and PPTP conntrack modules work as expected!
Problem resolved for me.

zsdc changed the task status from Needs testing to Confirmed. Jan 7 2019, 2:04 PM
zsdc reassigned this task from zsdc to dmbaturin.
zsdc added a subscriber: zsdc.

OK. So, for now, anyone can use the workarounds provided in T1011 or here. And wait for a permanent fix in further builds.

syncer reassigned this task from dmbaturin to c-po. Jan 20 2019, 12:45 PM
syncer closed this task as Resolved. Jan 20 2019, 1:26 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-EPA3) board.