
conntrack: T7482: Fix custom timeouts #4628


Status: Open. Wants to merge 1 commit into base branch current.

Conversation

ryanzuwala (Contributor)

Fix custom conntrack timeout rules and add smoketests

Change summary

Custom timeout rules were previously not working at all.

The problem is that the firewall rules were originally configured to jump directly to the VYOS_CT_TIMEOUT chain from the PREROUTING and OUTPUT base chains. But those two base chains have the raw priority (-300), and conntrack hooks at priority -200, so any rules that modify conntrack entries must have a priority above -200.

So I removed the VYOS_CT_TIMEOUT jumps from PREROUTING and OUTPUT, and created my own prerouting and output base chains with priority -199 to perform the jump to VYOS_CT_TIMEOUT. The two timeout jumping base chains are only created if custom timeout rules have been configured by an administrator.

To tidy up the nftables config, this change also removes the empty VYOS_CT_TIMEOUT chain if there are no custom timeout rules created, since nothing else uses it.

I also added much more extensive smoke testing for this to ensure it doesn't accidentally break in the future. Custom timeout rules are very important to have for VoIP, and I'm sure there are plenty of other use cases for it as well.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T7482

Related PR(s)

How to test / Smoketest result

Experiment with creating custom conntrack timeout rules and verifying the records are being updated in conntrack.

Here is an IPv4 example using DNS traffic from a server with IP address 172.16.99.2:

configure

# UDP rule using DNS as an example
set system conntrack timeout custom ipv4 rule 1 destination port '53'
set system conntrack timeout custom ipv4 rule 1 protocol udp replied '700'
set system conntrack timeout custom ipv4 rule 1 protocol udp unreplied '700'
set system conntrack timeout custom ipv4 rule 1 source address '172.16.99.2'

commit ; save

Using this DNS example rule, you'll need to generate some DNS queries from your 172.16.99.2 server. You can just use dig google.com or ping a domain name.

After querying DNS records, run conntrack -E or show conntrack table ipv4 | grep "172.16.99.2", and you should see your new timeouts of 700 seconds instead of the default of 30 for unreplied and 180 for stream.

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
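The hook-priority problem described in the summary, shown as an added nftables ruleset (example code, not the ruleset VyOS generates): the table name, the timeout object name and the two new base chain names are assumptions; VYOS_CT_TIMEOUT, the 700-second values, port 53 and 172.16.99.2 come from the PR text.

```nft
# Added example, not VyOS's own generated config. Names other than
# VYOS_CT_TIMEOUT are assumptions; rule values follow the PR description.
table ip vyos_conntrack_example {

    # Per-protocol timeout policy that the custom rule attaches to a flow.
    ct timeout ct_timeout_udp_dns {
        protocol udp
        policy = { unreplied : 700, replied : 700 }
    }

    # Regular (non-base) chain holding the administrator's custom timeout rules.
    chain VYOS_CT_TIMEOUT {
        ip saddr 172.16.99.2 udp dport 53 ct timeout set "ct_timeout_udp_dns"
    }

    # BEFORE (broken): the jump was made from a base chain hooked at the raw
    # priority (-300). Conntrack itself hooks at -200, so at this point the
    # packet has no conntrack entry yet and "ct timeout set" silently does
    # nothing; the flow keeps the default 30 s unreplied / 180 s stream timeouts.
    # chain PREROUTING {
    #     type filter hook prerouting priority raw; policy accept;
    #     jump VYOS_CT_TIMEOUT
    # }

    # AFTER (fixed): dedicated base chains at priority -199 run right after
    # conntrack has created the (still unconfirmed) entry, so the custom policy
    # is attached before the entry is confirmed and the 700 s timeouts apply.
    chain VYOS_CT_TIMEOUT_PREROUTING {
        type filter hook prerouting priority -199; policy accept;
        jump VYOS_CT_TIMEOUT
    }
    chain VYOS_CT_TIMEOUT_OUTPUT {
        type filter hook output priority -199; policy accept;
        jump VYOS_CT_TIMEOUT
    }
}
```

Loading the ruleset with `nft -f` and then watching `conntrack -E` while a DNS query leaves 172.16.99.2 is the same check the PR describes; the entry should show the 700-second timeout rather than the defaults.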


github-actions bot commented Jul 29, 2025

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.


github-actions bot commented Jul 29, 2025

👍
No issues in PR Title / Commit Title

ryanzuwala (Contributor, Author) commented:

I have read the CLA Document and I hereby sign the CLA

vyosbot added a commit to vyos/vyos-cla-signatures that referenced this pull request Jul 29, 2025
ryanzuwala force-pushed the ryanzuwala/T7482 branch 5 times, most recently from ac1a402 to 8cf9cda on August 2, 2025 02:36
Fix custom conntrack timeout rules and add smoketests

github-actions bot commented Aug 2, 2025

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

dmbaturin (Member) left a comment:


@alexk37's testing shows that the basics work and I see no issues with the implementation.
