Page MenuHomeVyOS Platform
Create Task
Maniphest T4145

Conntrack table not showing after firewall rewriting
Closed, ResolvedPublicBUG
Actions

Description

To reproduce
Set any rules for connection tracking and check conntrack table:

vyos@r11-roll:~$ show conf com | match fire
set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'accept'
set firewall state-policy related action 'accept'

Show:

vyos@r11-roll:~$ show conntrack table ipv4 
Can't locate Vyatta/IpTables/Mgr.pm in @INC (you may need to install the Vyatta::IpTables::Mgr module) (@INC contains: /opt/vyatta/share/perl5 /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.32.1 /usr/local/share/perl/5.32.1 /usr/lib/x86_64-linux-gnu/perl5/5.32 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.32 /usr/share/perl/5.32 /usr/local/lib/site_perl) at /opt/vyatta/share/perl5/Vyatta/Conntrack/ConntrackUtil.pm line 27.
BEGIN failed--compilation aborted at /opt/vyatta/share/perl5/Vyatta/Conntrack/ConntrackUtil.pm line 27.
Compilation failed in require at /opt/vyatta/bin/sudo-users/vyatta-show-conntrack.pl line 32.
BEGIN failed--compilation aborted at /opt/vyatta/bin/sudo-users/vyatta-show-conntrack.pl line 32.
vyos@r11-roll:~$

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202201060318
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects
Search...

Event Timeline

Viacheslav created this task.Jan 6 2022, 12:07 PM
Viacheslav renamed this task from Conntrack table not showing after firewall after firewall rewriting to Conntrack table not showing after firewall rewriting.Jan 6 2022, 12:22 PM
pasik added a subscriber: pasik.Jan 6 2022, 1:10 PM
sarthurdev added a subscriber: sarthurdev.Jan 6 2022, 3:23 PM

PR: https://github.com/vyos/vyatta-conntrack/pull/6

Updates the vyatta-conntrack package to work without legacy firewall and fixes the op-mode commands. Should also fix some conntrack functionality (untested).

vyatta-conntrack should probably be shortlisted for an XML/Python rewrite.

Viacheslav changed the task status from Open to Needs testing.Jan 6 2022, 4:21 PM
Viacheslav assigned this task to sarthurdev.
sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.Jan 6 2022, 5:26 PM
n.fort added a subscriber: n.fort.Feb 15 2022, 7:04 PM

Comman "show conntrack ..." not available any more in latest?

vyos@vyos:~$ show con
configuration   conntrack-sync  console-server  container
vyos@vyos:~$ show con


vyos@vyos:~$ show version 

Version:          VyOS 1.4-rolling-202201230317
sarthurdev added a subscriber: c-po.Feb 15 2022, 7:10 PM

I think @c-po has started migrating it in T3579 but op-mode not yet complete.

Viacheslav added a comment.Jul 8 2022, 10:11 PM

PR https://github.com/vyos/vyos-1x/pull/1404

vyos@r14:~$ show conntrack table ipv4 
Connection id    Source              Destination          Protocol    State        Timeout
---------------  ------------------  -------------------  ----------  -----------  ---------
3409467955       192.168.122.14:22   192.168.122.1:59856  tcp         ESTABLISHED  431999
2033666077       255.255.255.255:67  0.0.0.0:68           udp                      19
Viacheslav added a comment.EditedJul 22 2022, 12:35 PM

PR to new format + IPv6 entries https://github.com/vyos/vyos-1x/pull/1425

vyos@r14:~$ show conntrack table ipv4
Id          Original src         Original dst        Reply src           Reply dst            Protocol    State        Timeout    Mark    Zone
----------  -------------------  ------------------  ------------------  -------------------  ----------  -----------  ---------  ------  ------
1584867853  192.168.122.1:52992  192.168.122.14:22   192.168.122.14:22   192.168.122.1:52992  tcp         ESTABLISHED  430105     0
311010180   192.168.122.1:52580  192.168.122.14:22   192.168.122.14:22   192.168.122.1:52580  tcp         ESTABLISHED  431999     0
1350737116  192.168.122.14:123   34.xxx.168.146:123  34.xxx.168.146:123  192.168.122.14:123   udp                      26         0
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ show conntrack table ipv6
Id          Original src     Original dst     Reply src        Reply dst        Protocol    State    Timeout    Mark    Zone
----------  ---------------  ---------------  ---------------  ---------------  ----------  -------  ---------  ------  ------
1859329605  2001:db8::1:500  2001:db8::2:500  2001:db8::2:500  2001:db8::1:500  udp                  179        0
vyos@r14:~$
Viacheslav closed this task as Resolved.Jul 22 2022, 7:30 PM
Viacheslav moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.
Viacheslav added a parent task: T4564: Root task for rewriting [op-mode] to vyos.opmode format.Jul 23 2022, 5:44 PM
Viacheslav claimed this task.Jul 26 2022, 7:34 PM