
Custom conntrack rules cannot be deleted
Closed, ResolvedPublicBUG

Description

To reproduce, add a custom conntrack rule and delete it:

set system conntrack timeout custom rule 10 destination address '203.0.113.74'
set system conntrack timeout custom rule 10 destination port '80'
set system conntrack timeout custom rule 10 protocol tcp established '300'
set system conntrack timeout custom rule 10 source address '192.0.2.168'

Delete:

[email protected]# delete system conntrack timeout 
[edit]
[email protected]# commit
[ system conntrack timeout custom ]
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source 192.0.2.168   --destination 203.0.113.74   --dport 80  -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).
Conntrack timeout error: failed to run iptables -D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10"  -p tcp  --source 192.0.2.168   --destination 203.0.113.74   --dport 80  -j CT --timeout policy_timeout_10
nfct v1.4.6: netlink error: Device or resource busy
Conntrack timeout error: failed to run sudo /usr/sbin/nfct timeout delete policy_timeout_10 

[edit]
[email protected]#

Some details in T3579

It seems the commands for adding and deleting rules are not the same (some blocks are mixed), so the pattern that was correct for 1.2 is incorrect for 1.3:

[email protected]# sudo iptables -S -t raw| grep -i timeout
-N VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j CT --timeout poli
-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp -m tcp --dport 80 -m comment --comment timeout-10 -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN

For the same reason, we can see the different outputs for op mode in T2194
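The mismatch described above, as an added example that is not VyOS code: a small Python checker that takes the `iptables -S` line and the failing `-D` spec from this task and explains why the delete cannot hit the rule. It assumes (as iptables behaves) that `-D` only matches when the `-m` modules appear in the same order as in the installed rule, and that `--dport` given before any `-m tcp` loads the protocol module implicitly at that point, which is what reorders the modules here; `parse_rule`, `delete_would_match` and `delete_spec_from_listing` are names chosen for this example.

```python
import shlex

# Long option spellings iptables accepts on the command line; `iptables -S` prints short ones.
ALIASES = {"--source": "-s", "--destination": "-d", "--protocol": "-p", "--jump": "-j", "--match": "-m"}

def parse_rule(spec):
    """Split an -S line or -D spec into chain, header (-s/-d/-p), ordered -m modules, target."""
    toks = [ALIASES.get(t, t) for t in shlex.split(spec)]
    chain, header, matches, target, i = None, {}, [], (), 0
    while i < len(toks):
        t, arg = toks[i], toks[i + 1]
        if t in ("-A", "-D", "-I"):
            chain = arg
        elif t in ("-s", "-d", "-p"):
            if t != "-p" and "/" not in arg:
                arg += "/32"                  # -S prints host addresses with an explicit /32
            header[t] = arg
        elif t == "-m":
            matches.append([arg])
        elif t == "-j":
            target = tuple(toks[i + 1:])
            break
        elif t != "-t":                       # -t picks the table; it is not part of the rule
            # --dport/--sport before any `-m tcp` load the protocol module implicitly, right here
            if t in ("--dport", "--sport") and (not matches or matches[-1][0] != header["-p"]):
                matches.append([header["-p"]])
            matches[-1] += [t, arg]
        i += 2
    modules = [(m[0], tuple(sorted(zip(m[1::2], m[2::2])))) for m in matches]  # module order kept
    return chain, header, modules, target

def delete_would_match(installed, delete_spec):
    """Return (ok, reason) for whether `iptables -D delete_spec` would hit `installed`."""
    ch_a, hdr_a, mod_a, tgt_a = parse_rule(installed)
    ch_b, hdr_b, mod_b, tgt_b = parse_rule(delete_spec)
    if (ch_a, hdr_a, tgt_a) != (ch_b, hdr_b, tgt_b):
        return False, "chain, header fields or target differ"
    if [m[0] for m in mod_a] != [m[0] for m in mod_b]:
        return False, "match modules in a different order: %s vs %s" % (
            [m[0] for m in mod_a], [m[0] for m in mod_b])
    return mod_a == mod_b, "equivalent" if mod_a == mod_b else "match options differ"

def delete_spec_from_listing(line):
    return "-D " + line[3:] if line.startswith("-A ") else line  # replay the exact -S line as -D

# Constructed from the task's own output: the rule as `-S` printed it, and the rejected -D spec.
INSTALLED = ("-A VYATTA_CT_TIMEOUT -s 192.0.2.168/32 -d 203.0.113.74/32 -p tcp -m tcp "
             "--dport 80 -m comment --comment timeout-10 -j RETURN")
FAILING_DELETE = ('-D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10" -p tcp '
                  "--source 192.0.2.168 --destination 203.0.113.74 --dport 80 -j RETURN")
```

`delete_would_match(INSTALLED, FAILING_DELETE)` reports the module order `['tcp', 'comment']` vs `['comment', 'tcp']`, while feeding back `delete_spec_from_listing(INSTALLED)` matches, so deleting the iptables rules before running `nfct timeout delete` also avoids the "Device or resource busy" error shown above.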

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.3.0
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Viacheslav changed the task status from Open to In progress. Feb 4 2022, 10:43 AM
Viacheslav claimed this task.
dmbaturin renamed this task from "Delete custom conntrack timeout firewall bug" to "Custom conntrack rules cannot be deleted". Mar 21 2022, 11:55 AM
dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).