vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname

[c-po]

Change Summary

When any of the following features NAT, NAT66 or Firewall is enabled, for every VRF on the CLI we install one rule into nftables for conntrack:

chain vrf_zones_ct_in {
        type filter hook prerouting priority raw; policy accept;
        counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map
        counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map
        counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map
}

This is superfluous.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://vyos.dev/T6603

Related PR(s)

Component(s) name

VRF, nftables

Smoketest result

[email protected]:~$ /usr/libexec/vyos/tests/smoke/cli/test_vrf.py
test_vrf_assign_interface (__main__.VRFTest.test_vrf_assign_interface) ... ok
test_vrf_bind_all (__main__.VRFTest.test_vrf_bind_all) ... ok
test_vrf_conntrack (__main__.VRFTest.test_vrf_conntrack) ... ok <- EXTENDED SMOKETEST
test_vrf_disable_forwarding (__main__.VRFTest.test_vrf_disable_forwarding) ... ok
test_vrf_ip_ipv6_nht (__main__.VRFTest.test_vrf_ip_ipv6_nht) ... ok
test_vrf_ip_ipv6_protocol_non_existing_route_map (__main__.VRFTest.test_vrf_ip_ipv6_protocol_non_existing_route_map) ... ok
test_vrf_ip_protocol_route_map (__main__.VRFTest.test_vrf_ip_protocol_route_map) ... ok
test_vrf_ipv6_protocol_route_map (__main__.VRFTest.test_vrf_ipv6_protocol_route_map) ... ok
test_vrf_link_local_ip_addresses (__main__.VRFTest.test_vrf_link_local_ip_addresses) ... ok
test_vrf_loopbacks_ips (__main__.VRFTest.test_vrf_loopbacks_ips) ... ok
test_vrf_static_route (__main__.VRFTest.test_vrf_static_route) ... ok
test_vrf_table_id_is_unalterable (__main__.VRFTest.test_vrf_table_id_is_unalterable) ... ok
test_vrf_vni_add_change_remove (__main__.VRFTest.test_vrf_vni_add_change_remove) ... ok
test_vrf_vni_and_table_id (__main__.VRFTest.test_vrf_vni_and_table_id) ... ok
test_vrf_vni_duplicates (__main__.VRFTest.test_vrf_vni_duplicates) ... ok

----------------------------------------------------------------------
Ran 15 tests in 141.490s

OK

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[c-po]

@Mergifyio backport circinus sagitta

[github-actions]

👍
No issues in PR Title / Commit Title

[mergify]

backport circinus sagitta

✅ Backports have been created

• #3904 vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname (backport #3883) has been created for branch circinus
• #3905 vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname (backport #3883) has been created for branch sagitta

[github-actions]

❌
warning: Unused import os in smoketest/scripts/cli/test_interfaces_l2tpv3.py:17.

[github-actions]

CI integration 👍 passed!

Details

CI logs

• CLI Smoketests 👍 passed
• Config tests 👍 passed
• RAID1 tests 👍 passed