
Firewall offload counters show always zero
Closed, Invalid | Public | BUG

Description

Firewall offload counters always show zero

set firewall flowtable FLOWTABLE interface 'eth0'
set firewall flowtable FLOWTABLE interface 'eth1'
set firewall flowtable FLOWTABLE offload 'software'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'FLOWTABLE'
set firewall ipv4 forward filter rule 20 action 'offload'
set firewall ipv4 forward filter rule 20 offload-target 'FLOWTABLE'
set firewall ipv4 forward filter rule 20 state 'established'
set firewall ipv4 forward filter rule 20 state 'related'

Show:

vyos@r4:~$ show firewall ipv4 forward filter 
Ruleset Information

---------------------------------
ipv4 Firewall "forward filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ---------------------------------------------------------------------
10       offload   all                 0        0  flow add @VYOS_FLOWTABLE_FLOWTABLE
20       offload   all                 0        0  ct state { established, related }  flow add @VYOS_FLOWTABLE_FLOWTABLE
default  accept    all                 0        0

vyos@r4:~$

Check nft:

vyos@r4:~$ sudo nft list table vyos_filter
table ip vyos_filter {
	flowtable VYOS_FLOWTABLE_FLOWTABLE {
		hook ingress priority filter
		devices = { eth0, eth1 }
		counter
	}

	chain VYOS_FORWARD_filter {
		type filter hook forward priority filter; policy accept;
		counter packets 928376 bytes 1800341472 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
		counter packets 928376 bytes 1800341472 accept comment "FWD-filter default-action accept"
		counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
		ct state { established, related } counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-20"
		counter packets 0 bytes 0 accept comment "FWD-filter default-action accept"
	}

Check conntrack:

vyos@r4:~$ sudo conntrack -L | grep "100.64.0.2"
tcp      6 src=100.64.0.2 dst=140.82.121.5 sport=52292 dport=443 src=140.82.121.5 dst=192.168.122.222 sport=443 dport=6371 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=172.64.41.4 sport=57414 dport=443 src=172.64.41.4 dst=192.168.122.222 sport=443 dport=6367 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=54.247.114.10 sport=55228 dport=443 src=54.247.114.10 dst=192.168.122.222 sport=443 dport=5227 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=57.144.110.1 sport=49482 dport=443 src=57.144.110.1 dst=192.168.122.222 sport=443 dport=6620 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=104.16.60.8 sport=43272 dport=443 src=104.16.60.8 dst=192.168.122.222 sport=443 dport=6313 [OFFLOAD] mark=0 use=2
tcp      6 6 CLOSE src=100.64.0.2 dst=140.82.121.3 sport=51944 dport=443 src=140.82.121.3 dst=192.168.122.222 sport=443 dport=6678 [ASSURED] mark=0 use=1
udp      17 src=100.64.0.2 dst=172.67.74.141 sport=47220 dport=443 src=172.67.74.141 dst=192.168.122.222 sport=443 dport=6076 [OFFLOAD] mark=0 use=2
udp      17 src=100.64.0.2 dst=104.26.1.157 sport=50242 dport=443 src=104.26.1.157 dst=192.168.122.222 sport=443 dport=5395 [OFFLOAD] mark=0 use=2
tcp      6 42 TIME_WAIT src=100.64.0.2 dst=185.44.104.99 sport=50452 dport=80 src=185.44.104.99 dst=192.168.122.222 sport=80 dport=6615 [ASSURED] mark=0 use=1
tcp      6 src=100.64.0.2 dst=104.16.60.8 sport=43298 dport=443 src=104.16.60.8 dst=192.168.122.222 sport=443 dport=6089 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=104.16.60.8 sport=36932 dport=443 src=104.16.60.8 dst=192.168.122.222 sport=443 dport=5485 [OFFLOAD] mark=0 use=2
udp      17 src=100.64.0.2 dst=172.67.74.141 sport=49344 dport=443 src=172.67.74.141 dst=192.168.122.222 sport=443 dport=6216 [OFFLOAD] mark=0 use=2
udp      17 src=100.64.0.2 dst=104.26.0.157 sport=52592 dport=443 src=104.26.0.157 dst=192.168.122.222 sport=443 dport=6421 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=140.82.113.21 sport=58466 dport=443 src=140.82.113.21 dst=192.168.122.222 sport=443 dport=6336 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=216.58.215.100 sport=38804 dport=443 src=216.58.215.100 dst=192.168.122.222 sport=443 dport=6129 [OFFLOAD] mark=0 use=2
tcp      6 11 TIME_WAIT src=100.64.0.2 dst=185.44.104.99 sport=60626 dport=80 src=185.44.104.99 dst=192.168.122.222 sport=80 dport=6285 [ASSURED] mark=0 use=1
udp      17 src=100.64.0.2 dst=104.26.1.157 sport=51311 dport=443 [UNREPLIED] src=104.26.1.157 dst=192.168.122.222 sport=443 dport=5225 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=185.199.108.154 sport=33520 dport=443 src=185.199.108.154 dst=192.168.122.222 sport=443 dport=6117 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=216.58.208.195 sport=41586 dport=443 src=216.58.208.195 dst=192.168.122.222 sport=443 dport=6017 [OFFLOAD] mark=0 use=2
udp      17 src=100.64.0.2 dst=104.26.0.157 sport=45853 dport=443 src=104.26.0.157 dst=192.168.122.222 sport=443 dport=5943 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=140.82.121.3 sport=51952 dport=443 src=140.82.121.3 dst=192.168.122.222 sport=443 dport=5653 [OFFLOAD] mark=0 use=3
tcp      6 src=100.64.0.2 dst=104.16.60.8 sport=43296 dport=443 src=104.16.60.8 dst=192.168.122.222 sport=443 dport=7003 [OFFLOAD] mark=0 use=2
udp      17 src=100.64.0.2 dst=104.26.0.157 sport=56452 dport=443 src=104.26.0.157 dst=192.168.122.222 sport=443 dport=6141 [OFFLOAD] mark=0 use=2
tcp      6 55 ESTABLISHED src=100.64.0.2 dst=34.107.243.93 sport=49458 dport=443 src=34.107.243.93 dst=192.168.122.222 sport=443 dport=5777 [ASSURED] mark=0 use=1
tcp      6 src=100.64.0.2 dst=142.250.186.194 sport=48240 dport=443 src=142.250.186.194 dst=192.168.122.222 sport=443 dport=5164 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=18.158.42.99 sport=46778 dport=443 src=18.158.42.99 dst=192.168.122.222 sport=443 dport=6915 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=216.239.38.181 sport=37794 dport=443 src=216.239.38.181 dst=192.168.122.222 sport=443 dport=5347 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=142.250.203.194 sport=59012 dport=443 src=142.250.203.194 dst=192.168.122.222 sport=443 dport=5630 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=142.250.203.193 sport=59212 dport=443 src=142.250.203.193 dst=192.168.122.222 sport=443 dport=5034 [OFFLOAD] mark=0 use=2
udp      17 src=100.64.0.2 dst=1.1.1.1 sport=57953 dport=53 src=1.1.1.1 dst=192.168.122.222 sport=53 dport=5041 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=104.16.60.8 sport=43286 dport=443 src=104.16.60.8 dst=192.168.122.222 sport=443 dport=5213 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=142.250.203.130 sport=60900 dport=443 src=142.250.203.130 dst=192.168.122.222 sport=443 dport=5042 [OFFLOAD] mark=0 use=2
tcp      6 src=100.64.0.2 dst=104.16.60.8 sport=43280 dport=443 src=104.16.60.8 dst=192.168.122.222 sport=443 dport=5777 [OFFLOAD] mark=0 use=2
udp      17 src=100.64.0.2 dst=104.26.1.157 sport=41440 dport=443 src=104.26.1.157 dst=192.168.122.222 sport=443 dport=6603 [OFFLOAD] mark=0 use=2
conntrack v1.4.6 (conntrack-tools): 38 flow entries have been shown.
vyos@r4:~$

Details

Difficulty level: Normal (likely a few hours)
Version: VyOS 1.5-rolling-202403310021
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Viacheslav triaged this task as Normal priority. Mon, Apr 8, 10:55 AM

After deleting and adding the firewall, it looks good.
So, for some reason, rule 10 and the default action accept were applied twice to the firewall:

	chain VYOS_FORWARD_filter {
		type filter hook forward priority filter; policy accept;
		counter packets 928376 bytes 1800341472 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
		counter packets 928376 bytes 1800341472 accept comment "FWD-filter default-action accept"
		counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
		ct state { established, related } counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-20"
		counter packets 0 bytes 0 accept comment "FWD-filter default-action accept"
	}

After reconfiguration, it looks good:

	chain VYOS_FORWARD_filter {
		type filter hook forward priority filter; policy accept;
		counter packets 3056 bytes 215241 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
		ct state { established, related } counter packets 2850 bytes 204323 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-20"
		counter packets 3056 bytes 215241 accept comment "FWD-filter default-action accept"
	}

So, in some cases, it could generate the wrong config. I'll try to reproduce it again.
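The chain dump above explains the zero counters: the first copy of rule 10 is followed by an unconditional `accept`, so the second copy of rule 10, rule 20 and the second default-action rule can never see a packet, and `show firewall` evidently reads its counters from those later copies. The following script is an added check, not VyOS code or anything posted in this task. It parses the text of `nft list chain ip vyos_filter VYOS_FORWARD_filter` and reports rules whose comment tag occurs more than once, rules that sit behind an unconditional terminating verdict, and the per-copy counters for a given tag. The two sample listings are constructed from the chain dumps posted in this task; the file name `check_chain.py` in the usage note is assumed.

```python
"""Detect duplicated and unreachable rules in an nftables chain listing.

Added example, not VyOS code. It parses the text of
`sudo nft list chain ip vyos_filter VYOS_FORWARD_filter` and reports
(a) rules whose comment tag occurs more than once, and (b) rules that can
never match because an earlier rule in the same chain is an unconditional
terminating verdict. The sample listings below are constructed from the
chain dumps posted in this task.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Verdicts that end evaluation of the current chain for a packet.
# `flow add` is not among them: it offloads the flow and continues.
TERMINAL_VERDICTS = ("accept", "drop", "reject", "return", "goto")

COUNTER_RE = re.compile(r"counter packets (\d+) bytes (\d+)")
COMMENT_RE = re.compile(r'comment "([^"]*)"')


@dataclass
class Rule:
    index: int              # 1-based position in the chain
    packets: int
    comment: Optional[str]
    verdict: Optional[str]  # terminating verdict in this rule, if any
    unconditional: bool     # no match expression before the counter


def parse_chain(listing: str) -> list:
    """Extract the rules of one chain from `nft list` text.

    Only lines carrying `counter packets N bytes M` are rules; the chain
    header, braces and a flowtable block (bare `counter`) are skipped.
    Text before the counter is the match expression, text after it holds
    the statements and verdict.
    """
    rules = []
    for raw in listing.splitlines():
        line = raw.strip()
        m = COUNTER_RE.search(line)
        if not m:
            continue
        matches = line[: m.start()].strip()
        stmts = COMMENT_RE.sub("", line[m.end():])   # drop comment text first
        cm = COMMENT_RE.search(line)
        verdict = next(
            (v for v in TERMINAL_VERDICTS if re.search(rf"\b{v}\b", stmts)), None
        )
        rules.append(Rule(len(rules) + 1, int(m.group(1)),
                          cm.group(1) if cm else None, verdict, matches == ""))
    return rules


def find_duplicates(rules) -> dict:
    """Comment tag -> rule positions, for tags that appear more than once."""
    seen = {}
    for r in rules:
        if r.comment is not None:
            seen.setdefault(r.comment, []).append(r.index)
    return {c: idx for c, idx in seen.items() if len(idx) > 1}


def find_unreachable(rules) -> list:
    """Positions of rules after the first unconditional terminating verdict."""
    for r in rules:
        if r.unconditional and r.verdict is not None:
            return [x.index for x in rules if x.index > r.index]
    return []


def counters_for(rules, comment: str) -> list:
    """Packet counters of every rule carrying `comment`, in chain order."""
    return [r.packets for r in rules if r.comment == comment]


# Constructed from the chain dumps in this task.
BAD_CHAIN = """chain VYOS_FORWARD_filter {
    type filter hook forward priority filter; policy accept;
    counter packets 928376 bytes 1800341472 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
    counter packets 928376 bytes 1800341472 accept comment "FWD-filter default-action accept"
    counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
    ct state { established, related } counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-20"
    counter packets 0 bytes 0 accept comment "FWD-filter default-action accept"
}
"""

GOOD_CHAIN = """chain VYOS_FORWARD_filter {
    type filter hook forward priority filter; policy accept;
    counter packets 3056 bytes 215241 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
    ct state { established, related } counter packets 2850 bytes 204323 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-20"
    counter packets 3056 bytes 215241 accept comment "FWD-filter default-action accept"
}
"""


if __name__ == "__main__":
    # Read a real listing from stdin, or fall back to the constructed sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else BAD_CHAIN
    rules = parse_chain(listing)
    for tag, positions in find_duplicates(rules).items():
        print(f"duplicate tag {tag!r} at rules {positions}, "
              f"counters {counters_for(rules, tag)}")
    unreachable = find_unreachable(rules)
    if unreachable:
        print(f"rules {unreachable} are behind an unconditional verdict "
              "and will never count packets")
```

Run it against the live ruleset with `sudo nft list chain ip vyos_filter VYOS_FORWARD_filter | python3 check_chain.py`; on the duplicated chain it reports both repeated tags with counters `[928376, 0]` and flags rules 3 to 5 as unreachable, while the chain produced after reconfiguration yields no findings. The practical takeaway is that the counters shown by the CLI and the rules actually enforced by the kernel are only guaranteed to agree when the chain contains each tag exactly once, so a mismatch between `show firewall` and `nft list` is worth checking for stale duplicates before anything else.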

Viacheslav changed the task status from Open to Needs testing. Tue, Apr 9, 4:06 PM

Can't reproduce it, closing the task.