1.4-rolling-202210090955 (sagitta) cannot set nat masquerading commit errors

This appears to be regressed on the latest build.

Same as this bug, I couldn’t open the original and hence created a new one.

Just tested works on vyos-1.4-rolling-202210082011 its the last build that’s broken it.

tested on 1.4-rolling-202210090955 and no nat masquerading issues currently (in committing the config )

I can’t reproduce it

vyos@r14# set nat source rule 100 outbound-interface eth0
vyos@r14# set nat source rule 100 source address
vyos@r14# set nat source rule 100 translation address masquerade 
vyos@r14# commit
vyos@r14# run show version 
Version:          VyOS 1.4-rolling-202210090955
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Sun 09 Oct 2022 09:55 UTC
Build UUID:       e1dc468d-552c-49ba-a072-3f0ca1bf1dde
Build commit ID:  4f7f3ee8142bf6

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    4d6f4d29-1ae8-446f-8d2b-3decd9da64c7

Copyright:        VyOS maintainers and contributors

I just tested again with a clean install and it is working fine. I might have messed up a config as I’m using VYOS for the first time. Thank you all for your quick response.

1 Like

I get that error on a clean install of 1.4-rolling-202210150526, testing the new “domain-group” feature. If I add a domain group to a Policy Rule Destination Group as below, the configuration commit fails.

These are the only commands I configured the server with, besides my WAN and internal net interfaces.

set firewall group address-group sansvpn2 address ‘’
set firewall group domain-group sansvpn address ‘harristeeter.com
set policy route vpn-policy rule 100 set table ‘main’

I seem to only get the error if I try to only add the domain group to the rule. If I add an ‘address-group’ first, then a domain-group, it successfully configures.

vyos@vyos# set policy route vpn-policy rule 100 destination group domain-group sansvpn


vyos@vyos# commit

[ policy route vpn-policy ]

Failed to apply policy based routing

[[policy route vpn-policy]] failed

Commit failed


I do see this in the cfg-stderr.log:

recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: “/opt/vyatta/config/tmp/tmp_5337/work/policy/route/vpn-policy/rule/100/destination/group/domain-group/node.val”, “/opt/vyatta/config/tmp/new_config_5337/policy/route/vpn-policy/rule/100/destination/group/domain-group/node.val” in copy_file. Falling back to internal stream_file

Does that help?

Apparently, domain group is not written.
Let me investigate further, and raise a bug report in phabricator if needed.

Bug report created:

So far, I would suggest to avoid the usage of domain-group in policy

Thanks! I was seeing other weirdness in 1.4-rolling-202210150526, like a address-group policy to use my ‘main’ table working as though “negated.” I switched back to a previous image of 1.4-rolling-202110020217. I’ll try a clean install and see if it still happens to me.

The domain-group feature was only finding 1 IP address for the site I was testing with, and Akamai seems to use at least 4-5. I’ll start a new thread to talk about the PowerDNS Lua script I’m testing to look up IPs “on demand.” :slight_smile: