Page MenuHomeVyOS Platform
Create Task
Maniphest T5471

Conntrack logging doesnt seem to be working
Open, LowPublicBUG
Actions

Description

In 1.4-rolling there is the ability to log sessions who are new, updated or destroyed through the "set system conntrack log" setting:

vyos@vyos# set system conntrack log 
Possible completions:
 > icmp                 Log connection tracking events for ICMP
 > other                Log connection tracking events for all protocols other than TCP,
                        UDP and ICMP
 > tcp                  Log connection tracking events for TCP
 > udp                  Log connection tracking events for UDP

      
[edit]
vyos@vyos# set system conntrack log tcp 
Possible completions:
   destroy              Log connection deletion
   new                  Log connection creation
   update               Log connection updates

Also described in the manual over at: https://docs.vyos.io/en/latest/configuration/system/conntrack.html#cfgcmd-set-system-conntrack-log-icmp-new

So I did this:

set system conntrack log icmp new
set system conntrack log other new
set system conntrack log tcp new
set system conntrack log udp new

Assuming I would get a log entry for every new session thats setup by the conntrack and perhaps be able to monitor this live through "monitor log" command but the logs are nowhere to be found - or am I missing something here?

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202308060317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

Apachez created this task.Aug 12 2023, 8:53 PM
syncer triaged this task as Low priority.Aug 12 2023, 10:10 PM
pasik added a subscriber: pasik.Aug 13 2023, 9:38 AM
Apachez mentioned this in T5507: Improving Firewall Logs.Aug 24 2023, 6:05 PM
aga added a subscriber: aga.Aug 24 2023, 7:46 PM

Can also confirm this on multiple nodes with said config, running post-firewall-refactor-builds.

The logs are nowhere to be found...

Also, this is the output of "show conntrack statistics" on all of them:

                CPU          Found     Invalid          Insert    Insert fail    Drop     Early drop        Errors    Search restart
-----  -------  -----------  --------  ---------------  --------  -------------  -------  ----------------  --------  ----------------
cpu=0  found=0  invalid=318  insert=0  insert_failed=0  drop=0    early_drop=0   error=0  search_restart=0  (null)=0  (null)=0
cpu=1  found=0  invalid=304  insert=0  insert_failed=0  drop=0    early_drop=0   error=0  search_restart=0  (null)=4  (null)=0
cpu=2  found=0  invalid=255  insert=0  insert_failed=0  drop=0    early_drop=0   error=0  search_restart=0  (null)=0  (null)=0
cpu=3  found=0  invalid=240  insert=0  insert_failed=0  drop=0    early_drop=0   error=0  search_restart=0  (null)=0  (null)=0

"show conntrack table" is working as expected..

Apachez added a comment.Sep 13 2023, 9:42 PM

This is still the case in VyOS 1.5-rolling-202309130022:

vyos@vyos:~$ show conntrack table ipv4
Id          Original src        Original dst        Reply src           Reply dst           Protocol    State        Timeout    Mark    Zone
----------  ------------------  ------------------  ------------------  ------------------  ----------  -----------  ---------  ------  ------
3994342791  192.168.56.1:59066  192.168.56.2:22     192.168.56.2:22     192.168.56.1:59066  tcp         ESTABLISHED  599        0
37869154    192.168.1.2:59553   194.58.200.20:123   194.58.200.20:123   192.168.1.2:59553   udp                      236        0
440734394   192.168.56.1:138    192.168.56.255:138  192.168.56.255:138  192.168.56.1:138    udp                      422        0

vyos@vyos:~$ show conntrack table ipv6
Entries not found

vyos@vyos:~$ show conntrack statistics 
                CPU        Found     Invalid          Insert    Insert fail    Drop     Early drop        Errors    Search restart
-----  -------  ---------  --------  ---------------  --------  -------------  -------  ----------------  --------  ----------------
cpu=0  found=0  invalid=0  insert=0  insert_failed=0  drop=0    early_drop=0   error=0  search_restart=0  (null)=0  (null)=0
cpu=1  found=0  invalid=0  insert=0  insert_failed=0  drop=0    early_drop=0   error=0  search_restart=0  (null)=0  (null)=0
Apachez added a comment.Oct 10 2023, 5:27 AM

show conntrack statistics still fails in VyOS 1.5-rolling-202310090023:

vyos@vyos:~$ show conntrack statistics 
                CPU        Found     Invalid          Insert    Insert fail    Drop     Early drop        Errors    Search restart
-----  -------  ---------  --------  ---------------  --------  -------------  -------  ----------------  --------  ----------------
cpu=0  found=0  invalid=0  insert=0  insert_failed=0  drop=0    early_drop=0   error=0  search_restart=0  (null)=0  (null)=0
cpu=1  found=0  invalid=0  insert=0  insert_failed=0  drop=0    early_drop=0   error=0  search_restart=0  (null)=0  (null)=0
Viacheslav added a subscriber: Viacheslav.Oct 10 2023, 10:49 AM

show conntrack statistics shows only sudo conntrack -S command
This won't show any logs

n.fort added a subscriber: n.fort.Nov 6 2023, 5:56 PM

Does anyone knows real scenario where permanently storing/saving this logs are required?
Yes, this feature is not working on 1.4, neither on 1.5
But I can't think on a real case where this logs are needed. I know that keeping information of NAT for certain ISP is mandatory due lo legal requirements. But writing a log entry for every conntrack status change seems like it will flood logs, and may consume more resources than expected.
With usage of netflow/slflow, maybe this required information can be obtained in the netflow collector, and do not increase load on vyos router.

I think an op-mode command for debugging might be useful: get real-time conntrack events. Something like monitor log

Apachez added a comment.Nov 6 2023, 9:27 PM

I would mainly want to log new conntrack entries for various reasons.

Both in the way of default logging and then select which rules I dont want should produce any log (if any).

Or the other way around no logging by default but then select a few that should log (if any).

Both methods should be possible.

Sometimes you want to log when a session ended aswell but I dont think its that common nowadays.

The drawback with netflow/sflow is that its samplebased so it will miss 999 out of 1000 packets (or 16383 out of 16384 packets depending if you use 1000 or 16384 as samplerate).

HON added a subscriber: HON.Sat, Apr 13, 10:59 PM
Viacheslav added a comment.EditedThu, Apr 18, 1:43 PM

The old implementation used this script and https://github.com/vyos/vyatta-conntrack/blob/current/src/vyatta-conntrack-logging.c for the logging and it seems not impelemted for the current
At least there is not mention of the log

Viacheslav added a project: VyOS 1.5 Circinus.Thu, Apr 18, 1:44 PM