
Ability to completely disable firewall/conntrack
Closed, Invalid | Public | FEATURE REQUEST

Description

It would be preferred if it were possible to completely disable conntrack and, by that, any firewall rules.

Something like "set firewall disable" or "set system conntrack disable".

The purpose would be to maximize the performance of VyOS, especially when filtering already occurs elsewhere in the network.

As a workaround, there seems to exist this command to bypass conntrack for specific firewall rules:

set system conntrack ignore <rule number>

Details

Difficulty level
Unknown (require assessment)
Version
-
Why did the issue appear?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Conntrack should be disabled by default: https://vyos.dev/T5080

Then how come conntrack modules are loaded (and there is content in the ruleset "sudo nft -s list ruleset") when I have no firewall rules configured?

vyos@vyos:~$ sudo lsmod | grep -i conntrack
nf_conntrack          180224  3 nf_nat,nfnetlink_cthelper,nft_ct
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack

The firewall section has no explicit rules configured, mostly defaults set:

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation strict
    state-policy {
        established {
            action accept
        }
        invalid {
            action drop
        }
        related {
            action accept
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
}

Also, this feature would be used to disable conntrack (and firewall rules) with a simple "disable" directive even if they are configured in the config.

Similar to how you can have an ACL preconfigured (on other vendors' boxes), but as long as it's not being used by any interface it will not occupy any space in the ASIC/dataplane.

It is a bug that it's on by default; see the other task. It will be fixed after the new firewall refactor is merged.

As for the above config, state-policy being defined would enable conntrack.
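The thread turns on two questions: what actually pulls nf_conntrack into a ruleset that has "no firewall rules" (the state-policy entries, which render as `ct state ...` matches and load nft_ct, which in turn holds nf_conntrack), and what the `conntrack ignore` workaround from the description leaves behind (rules that end in `notrack`). The script below is an added diagnostic, not code from this task or from the VyOS project. It reads text in the formats of `lsmod` and `nft -s list ruleset`, so it can be run against live output on a router or against saved output. The lsmod lines are the ones quoted in the thread; the nft ruleset is constructed for the example, and its table and chain names (`vyos_filter`, `VYOS_FW_FORWARD`, `raw`, `VYOS_CT_IGNORE`) are assumptions, not what any particular VyOS release emits.

```shell
#!/bin/sh
# Added example (not from the VyOS task or the VyOS code base).
# Reports whether connection tracking is actually engaged and what engages it.

# lsmod lines as quoted in the task's comment.
LSMOD_SAMPLE='nf_conntrack          180224  3 nf_nat,nfnetlink_cthelper,nft_ct
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack'

# Constructed nft ruleset: three state-policy rules plus one rule of the kind a
# conntrack-ignore entry produces. Table/chain names are assumptions.
NFT_SAMPLE='table ip vyos_filter {
    chain VYOS_FW_FORWARD {
        type filter hook forward priority filter; policy accept;
        ct state established counter accept
        ct state related counter accept
        ct state invalid counter drop
    }
}
table ip raw {
    chain VYOS_CT_IGNORE {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 counter notrack
    }
}'

# Modules holding a reference on nf_conntrack (column 4 of lsmod, stdin).
# Prints "none" if the module is loaded with no users, nothing if not loaded.
conntrack_holders() {
    awk '$1 == "nf_conntrack" { print (NF >= 4 ? $4 : "none") }'
}

# Number of rules that consult connection state; any such rule forces tracking.
# grep -c exits 1 on zero matches, so the count is kept and the status ignored.
ct_state_rules() {
    grep -c 'ct state' || true
}

# Number of rules that exempt traffic from tracking (notrack).
notrack_rules() {
    grep -c 'notrack' || true
}

# One-line verdict from lsmod output ($1) and nft ruleset output ($2).
conntrack_verdict() {
    holders=$(printf '%s\n' "$1" | conntrack_holders)
    ct=$(printf '%s\n' "$2" | ct_state_rules)
    nt=$(printf '%s\n' "$2" | notrack_rules)
    if [ -z "$holders" ]; then
        echo "nf_conntrack not loaded"
    elif [ "$ct" -gt 0 ]; then
        echo "nf_conntrack active: $ct ct-state rule(s), $nt notrack rule(s), held by $holders"
    else
        echo "nf_conntrack loaded but no ct-state rules, held by $holders"
    fi
}

# Stand-alone run on the embedded samples. On a router, use instead:
#   conntrack_verdict "$(sudo lsmod)" "$(sudo nft -s list ruleset)"
conntrack_verdict "$LSMOD_SAMPLE" "$NFT_SAMPLE"
```

On the sample data this reports three ct-state rules and one notrack rule, with nf_conntrack held by nf_nat, nfnetlink_cthelper and nft_ct, which matches the explanation in the last comment: it is the state-policy rules, not any explicit firewall rule, that keep conntrack loaded. A ruleset with no `ct state` matches and an lsmod line showing zero users would instead report "loaded but no ct-state rules", the state the feature request is asking for.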