Conversation

l0crian1
Contributor

@l0crian1 l0crian1 commented Sep 5, 2025

Change summary

This change will allow conntrack to be disabled per nftables chain. This is important for users that want the most throughput possible (like service providers), while still being able to secure VyOS itself using the input and output chains.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T7475

Related PR(s)

How to test / Smoketest result

Disable conntrack in a chain:

set firewall ipv4 forward filter disable-conntrack

Generate traffic that would hit the chain you disabled

PC1#ping 10.0.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms

PC1#traceroute 10.0.2.10 numeric 
Type escape sequence to abort.
Tracing the route to 10.0.2.10
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.1.1 2 msec 2 msec 1 msec
  2 10.0.2.10 3 msec 2 msec 2 msec

Check the conntrack table. You will not see any entries for traffic in the chain you disabled conntrack for.

vyos@vyos:~$ show conntrack table ipv4
Entries not found

Smoketest results:

test_bridge_firewall (__main__.TestFirewall.test_bridge_firewall) ... ok
test_cyclic_jump_validation (__main__.TestFirewall.test_cyclic_jump_validation) ... ok
test_disable_conntrack_per_chain (__main__.TestFirewall.test_disable_conntrack_per_chain) ... ok
test_flow_offload (__main__.TestFirewall.test_flow_offload) ... ok
test_geoip (__main__.TestFirewall.test_geoip) ... ok
test_gre_match (__main__.TestFirewall.test_gre_match) ... ok
test_groups (__main__.TestFirewall.test_groups) ... ok
test_ipsec_metadata_match (__main__.TestFirewall.test_ipsec_metadata_match) ... ok
test_ipv4_advanced (__main__.TestFirewall.test_ipv4_advanced) ... ok
test_ipv4_basic_rules (__main__.TestFirewall.test_ipv4_basic_rules) ... ok
test_ipv4_dynamic_groups (__main__.TestFirewall.test_ipv4_dynamic_groups) ... ok
test_ipv4_global_state (__main__.TestFirewall.test_ipv4_global_state) ... ok
test_ipv4_mask (__main__.TestFirewall.test_ipv4_mask) ... ok
test_ipv4_remote_group (__main__.TestFirewall.test_ipv4_remote_group) ... ok
test_ipv4_state_and_status_rules (__main__.TestFirewall.test_ipv4_state_and_status_rules) ... ok
test_ipv4_synproxy (__main__.TestFirewall.test_ipv4_synproxy) ... ok
test_ipv6_advanced (__main__.TestFirewall.test_ipv6_advanced) ... ok
test_ipv6_basic_rules (__main__.TestFirewall.test_ipv6_basic_rules) ... ok
test_ipv6_dynamic_groups (__main__.TestFirewall.test_ipv6_dynamic_groups) ... ok
test_ipv6_mask (__main__.TestFirewall.test_ipv6_mask) ... ok
test_ipv6_remote_group (__main__.TestFirewall.test_ipv6_remote_group) ... ok
test_nested_groups (__main__.TestFirewall.test_nested_groups) ... ok
test_remote_group (__main__.TestFirewall.test_remote_group) ... ok
test_source_validation (__main__.TestFirewall.test_source_validation) ... ok
test_sysfs (__main__.TestFirewall.test_sysfs) ... ok
test_timeout_sysctl (__main__.TestFirewall.test_timeout_sysctl) ... ok
test_zone_basic (__main__.TestFirewall.test_zone_basic) ... ok
test_zone_flow_offload (__main__.TestFirewall.test_zone_flow_offload) ... ok
test_zone_with_vrf (__main__.TestFirewall.test_zone_with_vrf) ... ok

----------------------------------------------------------------------
Ran 29 tests in 536.548s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

- Added command to disable conntrack per firewall chain
- Added test_disable_conntrack_per_chain function to smoketest
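A configuration check that goes with this feature, added here as an example and not part of the PR: once a chain has `disable-conntrack`, any rule in that chain that matches on connection state can no longer see state, so the helper below flags such rules so they can be moved or rewritten. Only `disable-conntrack` comes from the PR; the `rule N state ...` syntax in the constructed sample is assumed.

```python
import re
from collections import defaultdict

# Constructed sample of VyOS-style "set firewall ..." lines (not from the PR).
# The "rule N state ..." syntax is assumed; "disable-conntrack" is the PR's command.
SAMPLE_CONFIG = """
set firewall ipv4 forward filter disable-conntrack
set firewall ipv4 forward filter default-action drop
set firewall ipv4 forward filter rule 10 action accept
set firewall ipv4 forward filter rule 10 state established
set firewall ipv4 forward filter rule 20 action accept
set firewall ipv4 forward filter rule 20 destination port 443
set firewall ipv4 input filter rule 10 action accept
set firewall ipv4 input filter rule 10 state established
"""

# Family, base chain and the remainder of the path after "filter".
CHAIN_RE = re.compile(r"^set firewall (ipv4|ipv6) (forward|input|output) filter (.*)$")
# Rule-level options that only work when the packet has a conntrack entry.
STATEFUL_RE = re.compile(r"^rule (\d+) (state|connection-status)\b")


def find_untracked_stateful_rules(config_text):
    """Return {(family, chain): [rule numbers]} for rules that match on
    connection state inside a chain whose conntrack has been disabled."""
    untracked = set()
    stateful = defaultdict(set)
    for line in config_text.splitlines():
        m = CHAIN_RE.match(line.strip())
        if not m:
            continue
        family, chain, rest = m.groups()
        if rest == "disable-conntrack":
            untracked.add((family, chain))
        s = STATEFUL_RE.match(rest)
        if s:
            stateful[(family, chain)].add(int(s.group(1)))
    return {k: sorted(v) for k, v in stateful.items() if k in untracked}


if __name__ == "__main__":
    for (family, chain), rules in find_untracked_stateful_rules(SAMPLE_CONFIG).items():
        print(f"{family} {chain}: rules {rules} match on state but conntrack is disabled")
```

In the sample, the forward chain's `state established` rule is reported while the input chain's identical rule is not, because input still has conntrack.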

github-actions bot commented Sep 5, 2025

👍
No issues in PR Title / Commit Title


CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

Member

@sarthurdev sarthurdev left a comment


Logic looks good, smoketests pass.

@dmbaturin dmbaturin changed the title from "Firewall: T7475: Disable conntrack per firewall chain" to "firewall: T7475: Add an option to disable conntrack for individual firewall chains" Sep 22, 2025
Member

@dmbaturin dmbaturin left a comment


The logic and the CLI look good to me. I don't see much potential for multi-state conntrack options, so a valueless disable-conntrack should be fine.

@dmbaturin dmbaturin merged commit c035c4d into vyos:current Sep 22, 2025
16 of 17 checks passed
@vyosbot vyosbot added mirror-initiated This PR initiated for mirror sync workflow mirror-completed and removed mirror-initiated This PR initiated for mirror sync workflow labels Sep 22, 2025