Page MenuHomeVyOS Platform
Create Task
Maniphest T3579

Rewrite vyatta-conntrack in new XML and Python flavour
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Rewrite vyatta-conntrack in new XML and Python flavour

Details

Difficulty level
Hard (possibly days)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Unspecified (please specify)

Related Objects
Search...

StatusSubtypeAssignedTask
 In progressFEATURE REQUESTNoneT3355 Remove all remaining legacy Vyatta code
 ResolvedFEATURE REQUESTc-poT3535 Rewrite vyatta-conntrack-sync in new XML and Python flavor
 ResolvedFEATURE REQUESTc-poT3579 Rewrite vyatta-conntrack in new XML and Python flavour

Event Timeline

c-po changed the task status from Open to In progress.May 25 2021, 6:50 PM
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po created this task.
c-po changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
vindenesen added a subscriber: vindenesen.Jun 3 2021, 6:37 AM

Will the custom timeout feature also be implemented in the python code? This is an option in the perl flavour (but doesn't actually work in 1.3 RC4).

[email protected]# set system conntrack timeout
Possible completions:
 > custom       Define custom timeouts per connection
   icmp         ICMP timeout in seconds
   other        Generic connection timeout in seconds
 > tcp          TCP connection timeout options
 > udp          UDP timeout


[edit]
c-po added a comment.Jun 3 2021, 7:42 AM

Yes, also this part will be migrated in the next couple of weeks as we plan to get rid of all legacy code in the 1.4 release cycle.

Can you please show us what does not work in VyOS 1.3? And probably how it should work in your opinion?

vindenesen added a comment.Jun 3 2021, 8:30 AM

I tried to create a custom timeout rule for tcp port 80. First I assumed that everything was fine since the first commit succeeded without error messages. But when I wanted to alter the rule, it failed. Below you see an example where I first create a rule, and then try to delete it. Afterwards any commits regarding custom timeouts fails.

vyos@vyos-router:~$ conf
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 destination address 'a.b.3.74'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 destination port '80'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 protocol tcp established '300'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 source address 'c.d.236.168'
[edit]
vyos@vyos-router#
[edit]
vyos@vyos-router# commit
[edit]
vyos@vyos-router# del system conntrack timeout custom rule 10
[edit]
vyos@vyos-router# commit
[ system conntrack timeout custom ]
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source c.d.236.168   --destination a.b.3.74   --dport 80  -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source c.d.236.168   --destination a.b.3.74   --dport 80  -j CT --timeout policy_timeout_10
nfct v1.4.6: netlink error: Device or resource busy
Conntrack timeout error: failed to run sudo /usr/sbin/nfct timeout delete policy_timeout_10

[edit]
vyos@vyos-router# discard

  No changes have been discarded

[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 destination address 'a.b.3.74'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 destination port '80'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 protocol tcp established '300'
[edit]
vyos@vyos-router# set system conntrack timeout custom rule 10 source address 'c.d.236.168'
[edit]
vyos@vyos-router#
[edit]
vyos@vyos-router# commit
[ system conntrack timeout custom ]
nfct v1.4.6: netlink error: Device or resource busy
Conntrack timeout error: failed to run sudo /usr/sbin/nfct timeout add policy_timeout_10  inet tcp established 300

[[system conntrack]] failed
Commit failed
[edit]
vyos@vyos-router# discard

  Changes have been discarded

[edit]
vyos@vyos-router# exit
exit

vyos@vyos-router:~$ sh version

Version:          VyOS 1.3.0-rc4
Release Train:    equuleus
vindenesen added a comment.Jun 7 2021, 9:10 AM

I believe I have found out why modification/deletion of rules fails. This is the rule definition in iptables:

sudo iptables -S -t raw| grep -i timeout
...
-A VYATTA_CT_TIMEOUT -s a.b.236.168/32 -d c.d.3.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j CT --timeout poli
-A VYATTA_CT_TIMEOUT -s a.b.236.168/32 -d c.d.3.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j RETURN
...

And this is the commands the perl script uses to delete the rules:

-D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source a.b.236.168   --destination c.d.3.74   --dport 80  -j RETURN
-D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source a.b.236.168   --destination c.d.3.74   --dport 80  -j CT --timeout policy_timeout_10

They don't match, which results in that the rules aren't deleted from the running iptables config, and thus we are unable to delete the policy with nfct timeout delete policy_timeout_10. I'm able to manually delete the rules using

sudo iptables -D VYATTA_CT_TIMEOUT -t raw -s a.b.236.168/32 -d c.d.3.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j CT --timeout poli
sudo iptables -D VYATTA_CT_TIMEOUT -t raw -s a.b.236.168/32 -d c.d.3.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j RETURN
sudo nfct timeout delete policy_timeout_10
pasik added a subscriber: pasik.Jun 7 2021, 9:40 AM
Viacheslav added a subscriber: Viacheslav.Jun 7 2021, 12:39 PM

In the crux.

set system conntrack timeout custom rule 10 destination address '203.0.113.74'
set system conntrack timeout custom rule 10 destination port '80'
set system conntrack timeout custom rule 10 protocol tcp established '300'
set system conntrack timeout custom rule 10 source address '192.0.2.168'

commit

vyos@r2-lts# commit
[ system conntrack hash-size 32768 ]
Updated conntrack hash size. This change will take affect when the system is rebooted.

[ system conntrack timeout custom ]
iptables: No chain/target/match by that name.
nfct v1.4.2: error: Device or resource busy
iptables: No chain/target/match by that name.
Conntrack timeout error: failed to run iptables -I VYATTA_CT_TIMEOUT 2 -t raw -m comment --comment "timeout-10"  -p tcp  --source 192.0.2.168   --destination 203.0.113.74   --dport 80  -j RETURN

[[system conntrack]] failed
Commit failed
[edit]
c-po moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.Jun 13 2021, 3:22 PM
c-po added a comment.EditedJan 10 2022, 8:38 PM

@Viacheslav / @vindenesen that is a bug I have also seen in the old iptables based implementation. Can you please file a bug report towards VyOS 1.2 and 1.3?

Viacheslav mentioned this in T4165: Custom conntrack rules cannot be deleted.Jan 10 2022, 10:00 PM
sarthurdev mentioned this in T4145: Conntrack table not showing after firewall rewriting.Feb 15 2022, 7:10 PM
c-po closed this task as Resolved.Dec 25 2022, 6:44 PM
c-po set Issue type to Unspecified (please specify).