Picking up on the build issue

It's best if we just use packages targeted for buster, not another debian release. I suggest you create PRs for all pathches needed (in addition to the one you already submitted) in Debian's PTS for buster's conntrack-tools, and then ask them to make a new release with those patches included.

The new conntract package depend in newer libnetfilter. but you dont need to rebuild the package, just download the debs.

There was a new upstream release 1.4.6 7 days ago, but that shouldn't make it to debian stable (buster). Only the patch done by elbandi via PR could get released as 1.4.5-3, but it hasn't been yet. We could make a backport of 1.4.6 into buster-backports and add a custom apt pin for the package. (I'd rather not go the backport route, as that means the backporter needs to always update the upload for security fixes, rather I'd add all patches for bugs into 1.4.5 for buster and ask for a new buster release).

I opened the PR for our custom build of the package in vyos-build as well: https://github.com/vyos/vyos-build/pulls. I was waiting on testing results from anyone, but I went and tested it myself. The basic functionality works, I couldn't test the above bug. If it's merged and the new package build is added to CI, the above debian PR isn't needed (or our custom build isn't).

https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/merge_requests/1
if he merge the PR, we can use it!

Reopened, confirmed broken again.

https://github.com/jjakob/vyos-build/tree/conntrack-tools-wip builds conntrack-tools from upstream git snapshot 20200301.

@cpo I think you need to add it to CI in addition to vyos-build

That's bad, because debian stable (=buster) is fixing security bugs only. They will not fix/add this patches to conntrack package, they leave conntrack buggy. So you sould build an own conntrack-tools package for 1.3 too :( If not, vyos will be less good software.

Upstream still hasn't made a release with this patch: https://git.netfilter.org/conntrack-tools/commit/?id=c12fa8df76752b0a011430f069677b52e4dad164
So we could wait on upstream to release it and debian to package it, or build our own as we used to in 1.2.
It would be better to ask upstream to make a release as there's less work for us.

We don't build conntrack-tools in 1.3 (current/equuleus) any more, upstream Debian Buster conntrack and conntrackd packages are used. So as upstream gets patched, we'll pull in those patches automatically.
If I see things correctly, there are references to conntrack-tools in the build scripts that still need to be removed.

It's an upstream bug as @xrobau said. vyos dev sould upgrade https://github.com/vyos/conntrack-tools repo, and apply this patch:
https://git.netfilter.org/conntrack-tools/commit/?id=c12fa8df76752b0a011430f069677b52e4dad164

Confirmed here as well, I had a working config back on 1.2.3 and it broke when I upgraded to 1.3. This is what happens when I try to commit:

Confirming that I also report this on 1.3-rolling-202001240217. Just upgraded this morning and I see the same unknown layer 3 protocol error as reported.

This issue is still present in 1.3-rolling-202001240217

Confirmed fixed in

vyos@mke-fw1:~$ show version
Version:          VyOS 1.2-rolling-201911051339
Built by:         [email protected]
Built on:         Tue 05 Nov 2019 13:39 UTC
Build UUID:       3863567b-039d-4fdd-90cc-eda2e1b11bc6
Build Commit ID:  33c865b2ada281

In 1.2.3 build this error does not appear and it seems to work correctly

After adding the missing command set high-availability vrrp sync-group sync member int1, we have a new error when starting conntrackd

You have to add a sync-group.
set high-availability vrrp sync-group intgroup member int1
set service conntrack-sync failover-mechanism vrrp sync-group intgroup

Confirmed still present in VyOS 1.3-rolling-201911030242

Thanks, my mistake. Now it works

Yes, seems it's just forgotten sync-group. A sync-group is required for it to work, in the current implementation. The error message is confusing and bug-like though, as of me.

@dmbaturin I believe you forgot to create the Sync-Group. The following configuration is working, and it is really nice to see how this got created during migration from Vyos 1.1.8, and to finally have IPv6 in the VRRP configuration.