
VyOS 1.2.0-rc2 fails to load configuration when conntrack modules are disabled in config
Closed, Resolved | Public | BUG

Description

Disabling modules within conntrack causes VyOS to fail to load the configuration:

modules {
    gre {
        disable
    }
    nfs {
        disable
    }
    pptp {
        disable
    }
    sqlnet {
        disable
    }
    tftp {
        disable
    }
}

Errors like the following are the result:

rmmod: ERROR: Module nf_nat_proto_gre is not currently loaded
rmmod: ERROR: Module nf_conntrack_proto_gre is not currently loaded

[[system conntrack]] failed
Commit failed

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.0-rc2
Why the issue appeared?: Will be filled on close

Event Timeline

cwadge renamed this task from "VyOS 1.2.0-rc1 fails to load configuration when conntrack modules are disabled in config" to "VyOS 1.2.0-rc2 fails to load configuration when conntrack modules are disabled in config". Oct 14 2018, 6:45 PM
cwadge created this task.

Changed description, as this is also present in RC2.

syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.
dmbaturin added a subscriber: dmbaturin.

Hi Chris,
I couldn't reproduce it in rc3, as stated. Please retest, and if you still get the error, we'll need to figure out the reproducing steps.

From my testing, simply disabling modules on a system that has no NAT or firewall configured and rebooting appears to work as expected.

I'll try to repro on RC3 and update the ticket from there. Thanks!

It seems that in RC3 no conntrack settings work at all, causing the configuration loading to fail. For instance,

system conntrack tcp loose enable

causes:

sysctl: cannot stat /proc/sys/net/ipv4 netfilter/ip_conntrack_tcp_loose: No such file or directory
In T902#23385, @cwadge wrote:

It seems that in RC3 no conntrack settings work at all, causing the configuration loading to fail. For instance,

system conntrack tcp loose enable

causes:

sysctl: cannot stat /proc/sys/net/ipv4 netfilter/ip_conntrack_tcp_loose: No such file or directory

This is actually fixed in T888 (https://github.com/vyos/vyatta-conntrack/commit/d531770031cc9e9bf27c889bf239f265ac2c28ae) but it seems it didn't make it into rc3.

Interestingly, disabling particular modules works fine in 1.1.8 regardless of whether NAT or firewall policies were in place.

I've tested this configuration again and it works for me, so I suppose it's fixed. If it reappears, feel free to reopen.