System Conntrack?

jimr999 · March 3, 2022, 3:29pm

On VyOS 1.4 (rolling); what is System Conntrack used for? It’s in the default configuration, but I cannot find it in the documentation anywhere.

system {
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}

Is it there to assist another function?
Can it be removed if none of those functions are being used?

Thanks

Erkin · March 3, 2022, 4:40pm

Short answer: You can simply delete it.

Long answer: That piece of config is only there if you migrated from 1.3. It used to be the case that all conntrack modules were enabled by default and had to be blacklisted individually. Since they aren’t particularly useful, we decided to disable them all by default, so what you’re seeing is a whitelist that allows all conntrack modules to keep up the previous behaviour in order to avoid breaking things in case you relied on them previously.

tl;dr: Backwards compatibility for a feature no one uses

jimr999 · March 3, 2022, 5:04pm

Can I assume that if that config is present without any other legacy or supporting configurations, that they will continue to do their job?

Indicator and reason for my suspicion was that ICMP/Traceroute traffic was not being passed in both directions.

Thanks again!

Jim

Erkin · March 3, 2022, 5:15pm

Yes, it’s completely harmless and likely not related to your problem. I’d simply delete it because the shorter the config the better :-), plus you shouldn’t rely on them even if you’re using conntrack because they can cause headaches with complex networks, which is why the first step in conntrack sync walkthrough is to delete it: High Availability Walkthrough — VyOS 1.4.x (sagitta) documentation
Really, it’s only there because we don’t want to break people’s networks that do use the modules.

jimr999 · March 3, 2022, 5:32pm

Great - Thanks again. I’ll get rid of it and see if I can find where the issue lies.

thomasjsn · March 4, 2022, 9:42am

I was thinking of adding this information to the documentation. Something along the lines of:

Enables conntrack modules. All modules are now disabled by default, while they used to be enabled in VyOS 1.3. Enabling the modules ensures backwards compatibility with VyOS 1.3 — keeping the previous behavior.

In most cases they can be disabled by removing the block of configuration — for some scenarios it is in fact recommended.

And then add a code block showing the system/conntrack/modules.

What do you think? Sufficient?

Erkin · March 4, 2022, 10:27am

Yes, mentioning that in the documentation is a good idea. I just checked and this migration script applies to 1.3 as well (conntrack module is at version 3), thus the migration clearly happened during 1.3 development, months before the LTS. So it’s better to mention backwards compatibility with 1.2 instead (where the old syntax applies) or just “previous versions”.

thomasjsn · March 4, 2022, 10:34am

Yeah, maybe “previous versions” is the best.

BTW, i just checked my freshly installed VyOS 1.4-rolling-202201230317 and I too have the system/conntrack/module config section.

system · March 6, 2022, 10:34am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.