
Conntrack not working as expected with global state-policy
Closed, Resolved · Public · BUG

Description

As reported, this is not working:

set service ssh
set firewall global-options state-policy established action accept

Then, ssh to the router, and no conntrack entries are shown:

vyos@vyos14:~$ netstat | grep ssh
tcp        0     36 192.168.188.122:ssh     192.168.188.80:51786    ESTABLISHED
vyos@vyos14:~$ sudo conntrack -L
conntrack v1.4.7 (conntrack-tools): 0 flow entries have been shown.

From the firewall ruleset, there seems to be an error in the vyos_conntrack table:

sudo nft list table ip vyos_conntrack
....
        chain PREROUTING { # handle 3
                type filter hook prerouting priority raw; policy accept;
                counter packets 46 bytes 7441 jump VYOS_CT_IGNORE # handle 21
                counter packets 46 bytes 7441 jump VYOS_CT_TIMEOUT # handle 22
                counter packets 46 bytes 7441 jump FW_CONNTRACK # handle 23
                counter packets 46 bytes 7441 jump NAT_CONNTRACK # handle 24
                counter packets 46 bytes 7441 jump WLB_CONNTRACK # handle 25
                notrack # handle 26
        }

        chain OUTPUT { # handle 4
                type filter hook output priority raw; policy accept;
                counter packets 24 bytes 1692 jump VYOS_CT_IGNORE # handle 27
                counter packets 24 bytes 1692 jump VYOS_CT_TIMEOUT # handle 28
                counter packets 24 bytes 1692 jump FW_CONNTRACK # handle 29
                counter packets 24 bytes 1692 jump NAT_CONNTRACK # handle 30
                notrack # handle 31
        }

        chain VYOS_CT_HELPER { # handle 5
                ct helper set "ftp_tcp" tcp dport 21 return # handle 32
                ct helper set "ras_udp" udp dport 1719 return # handle 33
                ct helper set "q931_tcp" tcp dport 1720 return # handle 34
                ct helper set "rpc_tcp" tcp dport 111 return # handle 35
                ct helper set "rpc_udp" udp dport 111 return # handle 36
                ct helper set "pptp_tcp" tcp dport 1723 return # handle 37
                ct helper set "sip_tcp" tcp dport { 5060, 5061 } return # handle 39
                ct helper set "sip_udp" udp dport { 5060, 5061 } return # handle 41
                ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return # handle 43
                ct helper set "tftp_udp" udp dport 69 return # handle 44
                return # handle 45
        }

If we delete the "notrack" actions, we see the connection in the conntrack system:

vyos@epa2:~$ sudo nft delete rule ip vyos_conntrack PREROUTING handle 26
vyos@epa2:~$ sudo nft delete rule ip vyos_conntrack OUTPUT handle 31
vyos@epa2:~$ sudo conntrack -L | grep tcp
conntrack v1.4.7 (conntrack-tools): tcp      6 431964 ESTABLISHED src=192.168.77.32 dst=192.168.0.182 sport=60224 dport=22 src=192.168.0.182 dst=192.168.77.32 sport=22 dport=60224 [ASSURED] mark=0 use=1
9 flow entries have been shown.
vyos@epa2:~$

It seems that this was introduced in commit https://github.com/vyos/vyos-1x/commit/734d84f696944419a2d6f11bc16dda03900add34
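As an added defensive check (not part of this task or of VyOS itself), the script below parses `nft list table ip vyos_conntrack` output and lists every base chain (one with a `type ... hook ...` line) that carries an unconditional `notrack` rule, which is the condition shown in the ruleset above. The sample table is a constructed, abridged copy of that output; on a router the function reads the live table from stdin.

```shell
#!/bin/sh
# Constructed sample, abridged from the shape of the report's
# "nft list table ip vyos_conntrack" output (handle comments omitted).
SAMPLE_NFT='table ip vyos_conntrack {
        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
                counter packets 46 bytes 7441 jump VYOS_CT_IGNORE
                counter packets 46 bytes 7441 jump FW_CONNTRACK
                notrack
        }

        chain OUTPUT {
                type filter hook output priority raw; policy accept;
                counter packets 24 bytes 1692 jump VYOS_CT_IGNORE
                notrack
        }

        chain VYOS_CT_HELPER {
                ct helper set "ftp_tcp" tcp dport 21 return
                return
        }
}'

# Read nft table output on stdin; print, one per line, each base chain that
# contains a bare "notrack" rule (with or without a trailing "# handle N").
# Non-base chains such as VYOS_CT_HELPER are ignored.
find_unconditional_notrack() {
    awk '
        /^[[:space:]]*chain /                     { chain = $2; base = 0; next }
        /^[[:space:]]*type [a-z]+ hook / && chain != "" { base = 1; next }
        /^[[:space:]]*notrack([[:space:]]+#.*)?$/ && base { print chain; next }
        /^[[:space:]]*[}]/                        { chain = ""; base = 0 }
    '
}

# Run the check on the constructed sample and return the offending chains as
# one space-separated string. On a live router use instead:
#   sudo nft list table ip vyos_conntrack | find_unconditional_notrack
check_sample() {
    printf '%s\n' "$SAMPLE_NFT" | find_unconditional_notrack | tr '\n' ' ' | sed 's/ $//'
}

check_sample
```

An empty result means no base chain in the table disables tracking unconditionally; any chain printed will drop every flow from the conntrack table just as the `conntrack -L` output above shows.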

Details

Difficulty level: Unknown (require assessment)
Version: 1.4.0-epa2, 1.5-rolling-202403200018
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

n.fort changed the task status from Open to Confirmed. Mar 20 2024, 6:51 PM
n.fort triaged this task as High priority.
n.fort created this task.
n.fort changed Version from 1.4.0-epa2 to 1.4.0-epa2, 1.5-rolling-202403200018.
sarthurdev added a subscriber: sarthurdev.

This is likely because the global state policy being reintroduced was not accounted for in the firewall check in the conf script. I'll check this week.

sarthurdev renamed this task from Conntrack not working as expected to Conntrack not working as expected with global state-policy. Mar 20 2024, 9:47 PM
sarthurdev changed the task status from Confirmed to In progress.
sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.5 Circinus board.
sarthurdev moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.
sarthurdev moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.