summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2025-06-07 09:15:30 +0200
committerChristian Breunig <christian@breunig.cc>2025-06-07 10:55:24 +0200
commit08421b277b1f460ebc51673571bab975aece2215 (patch)
tree2b209eee82a39c007b20d44b4aed9121315266e8
parentb3ebf8f81afc0c4ceddd11c28421971b7b44fe69 (diff)
downloadvyos-1x-08421b277b1f460ebc51673571bab975aece2215.tar.gz
vyos-1x-08421b277b1f460ebc51673571bab975aece2215.zip
conntrack: T7208: nf_conntrack_buckets defaults and behavior
Previously, we used a lower limit of 1 and a default value of 32768 for the nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux kernel enforces an internal minimum of 1024. A configuration migrator will now adjust the lower limit to 1024 if necessary. The former default value of 32768 was passed as a kernel module option, which only took effect after the second system reboot. This was due to the option being rendered but not applied during the first boot. This behavior has been changed so that the value is now configurable at runtime and takes effect immediately. Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM, we now align the default value of nf_conntrack_buckets with the kernel's default for systems with more than 1GB of RAM to 65536 entries. Previously, we only supported half that amount.
-rw-r--r--data/templates/conntrack/sysctl.conf.j23
-rw-r--r--data/templates/conntrack/vyos_nf_conntrack.conf.j22
-rw-r--r--interface-definitions/include/version/conntrack-version.xml.i2
-rw-r--r--interface-definitions/system_conntrack.xml.in6
-rw-r--r--smoketest/config-tests/conntrack-basic35
-rw-r--r--smoketest/configs/conntrack-basic92
-rwxr-xr-xsmoketest/scripts/cli/test_system_conntrack.py13
-rwxr-xr-xsrc/conf_mode/system_conntrack.py2
-rw-r--r--src/migration-scripts/conntrack/5-to-630
9 files changed, 171 insertions, 14 deletions
diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2
index cd6c34ede..8d934db9c 100644
--- a/data/templates/conntrack/sysctl.conf.j2
+++ b/data/templates/conntrack/sysctl.conf.j2
@@ -1,10 +1,11 @@
# Autogenerated by system_conntrack.py
{# all values have defaults - thus no checking required #}
+net.netfilter.nf_conntrack_buckets = {{ hash_size }}
net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
net.netfilter.nf_conntrack_max = {{ table_size }}
net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }}
net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose is vyos_defined('enable') else '0' }}
net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }}
net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }}
-net.netfilter.nf_conntrack_timestamp = {{ '1' if log.timestamp is vyos_defined else '0' }} \ No newline at end of file
+net.netfilter.nf_conntrack_timestamp = {{ '1' if log.timestamp is vyos_defined else '0' }}
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
deleted file mode 100644
index 1b12fec5f..000000000
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-# Autogenerated by system_conntrack.py
-options nf_conntrack hashsize={{ hash_size }}
diff --git a/interface-definitions/include/version/conntrack-version.xml.i b/interface-definitions/include/version/conntrack-version.xml.i
index 6995ce119..517424034 100644
--- a/interface-definitions/include/version/conntrack-version.xml.i
+++ b/interface-definitions/include/version/conntrack-version.xml.i
@@ -1,3 +1,3 @@
<!-- include start from include/version/conntrack-version.xml.i -->
-<syntaxVersion component='conntrack' version='5'></syntaxVersion>
+<syntaxVersion component='conntrack' version='6'></syntaxVersion>
<!-- include end -->
diff --git a/interface-definitions/system_conntrack.xml.in b/interface-definitions/system_conntrack.xml.in
index 54610b625..92c4d24cf 100644
--- a/interface-definitions/system_conntrack.xml.in
+++ b/interface-definitions/system_conntrack.xml.in
@@ -32,14 +32,14 @@
<properties>
<help>Hash size for connection tracking table</help>
<valueHelp>
- <format>u32:1-50000000</format>
+ <format>u32:1024-50000000</format>
<description>Size of hash to use for connection tracking table</description>
</valueHelp>
<constraint>
- <validator name="numeric" argument="--range 1-50000000"/>
+ <validator name="numeric" argument="--range 1024-50000000"/>
</constraint>
</properties>
- <defaultValue>32768</defaultValue>
+ <defaultValue>65536</defaultValue>
</leafNode>
<node name="ignore">
<properties>
diff --git a/smoketest/config-tests/conntrack-basic b/smoketest/config-tests/conntrack-basic
new file mode 100644
index 000000000..8c375d244
--- /dev/null
+++ b/smoketest/config-tests/conntrack-basic
@@ -0,0 +1,35 @@
+set firewall global-options timeout icmp '30'
+set firewall global-options timeout other '600'
+set firewall global-options timeout udp other '300'
+set firewall global-options timeout udp stream '300'
+set interfaces ethernet eth0 vif 5 address '192.0.2.1/24'
+set interfaces ethernet eth1 vif 7 description 'FTTH-PPPoE'
+set nat source rule 100 log
+set nat source rule 100 outbound-interface name 'pppoe0'
+set nat source rule 100 source address '192.0.2.0/24'
+set nat source rule 100 translation address 'masquerade'
+set service ntp allow-client address '172.16.0.0/12'
+set service ntp server 0.pool.ntp.org
+set service ntp server 1.pool.ntp.org
+set service ntp server 2.pool.ntp.org
+set system config-management commit-revisions '200'
+set system conntrack expect-table-size '2048'
+set system conntrack hash-size '1024'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system conntrack table-size '262144'
+set system conntrack timeout
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system name-server '172.16.254.30'
+set system syslog local facility all level 'debug'
+set system syslog local facility local7 level 'debug'
+set system syslog remote 172.16.100.1 facility all level 'warning'
diff --git a/smoketest/configs/conntrack-basic b/smoketest/configs/conntrack-basic
new file mode 100644
index 000000000..8ecb78aeb
--- /dev/null
+++ b/smoketest/configs/conntrack-basic
@@ -0,0 +1,92 @@
+interfaces {
+ ethernet eth0 {
+ duplex auto
+ speed auto
+ vif 5 {
+ address 192.0.2.1/24
+ }
+ }
+ ethernet eth1 {
+ vif 7 {
+ description FTTH-PPPoE
+ }
+ }
+}
+nat {
+ source {
+ rule 100 {
+ log
+ outbound-interface pppoe0
+ source {
+ address 192.0.2.0/24
+ }
+ translation {
+ address masquerade
+ }
+ }
+ }
+}
+system {
+ config-management {
+ commit-revisions 200
+ }
+ conntrack {
+ expect-table-size 2048
+ hash-size 1023
+ table-size 262144
+ timeout {
+ icmp 30
+ other 600
+ udp {
+ other 300
+ stream 300
+ }
+ }
+ }
+ console {
+ device ttyS0 {
+ speed 115200
+ }
+ }
+ domain-name vyos.net
+ host-name vyos
+ login {
+ user vyos {
+ authentication {
+ encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+ plaintext-password ""
+ }
+ }
+ }
+ name-server 172.16.254.30
+ ntp {
+ allow-clients {
+ address 172.16.0.0/12
+ }
+ server 0.pool.ntp.org {
+ }
+ server 1.pool.ntp.org {
+ }
+ server 2.pool.ntp.org {
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level debug
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ host 172.16.100.1 {
+ facility all {
+ level warning
+ }
+ }
+ }
+}
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@18:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3-beta-202101091250
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index f6bb3cf7c..27ca28298 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -20,7 +20,10 @@ import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.firewall import find_nftables_rule
-from vyos.utils.file import read_file, read_json
+from vyos.utils.file import read_file
+from vyos.utils.file import read_json
+from vyos.utils.system import sysctl_read
+from vyos.xml_ref import default_value
base_path = ['system', 'conntrack']
@@ -168,8 +171,8 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
self.assertTrue(find_nftables_rule('ip vyos_conntrack', 'VYOS_CT_HELPER', [rule]) == None)
def test_conntrack_hash_size(self):
- hash_size = '65536'
- hash_size_default = '32768'
+ hash_size = '8192'
+ hash_size_default = default_value(base_path + ['hash-size'])
self.cli_set(base_path + ['hash-size', hash_size])
@@ -178,7 +181,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
# verify new configuration - only effective after reboot, but
# a valid config file is sufficient
- tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf')
+ tmp = sysctl_read('net.netfilter.nf_conntrack_buckets')
self.assertIn(hash_size, tmp)
# Test default value by deleting the configuration
@@ -189,7 +192,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
# verify new configuration - only effective after reboot, but
# a valid config file is sufficient
- tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf')
+ tmp = sysctl_read('net.netfilter.nf_conntrack_buckets')
self.assertIn(hash_size_default, tmp)
def test_conntrack_ignore(self):
diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
index f25ed8d10..8909d9cba 100755
--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -32,7 +32,6 @@ from vyos import ConfigError
from vyos import airbag
airbag.enable()
-conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
nftables_ct_file = r'/run/nftables-ct.conf'
vyos_conntrack_logger_config = r'/run/vyos-conntrack-logger.conf'
@@ -204,7 +203,6 @@ def generate(conntrack):
elif path[0] == 'ipv6':
conntrack['ipv6_firewall_action'] = 'accept'
- render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack)
render(nftables_ct_file, 'conntrack/nftables-ct.j2', conntrack)
diff --git a/src/migration-scripts/conntrack/5-to-6 b/src/migration-scripts/conntrack/5-to-6
new file mode 100644
index 000000000..1db2e78b4
--- /dev/null
+++ b/src/migration-scripts/conntrack/5-to-6
@@ -0,0 +1,30 @@
+# Copyright 2025 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+# T7202: fix lower limit of supported conntrack hash-size to match Kernel
+# lower limit.
+
+from vyos.configtree import ConfigTree
+
+base = ['system', 'conntrack']
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ if config.exists(base + ['hash-size']):
+ tmp = config.return_value(base + ['hash-size'])
+ if int(tmp) < 1024:
+ config.set(base + ['hash-size'], value=1024)