Destination NAT translation port without address fails to commit

kav · September 16, 2022, 10:07am

Tried to commit these commands on latest rolling:

set nat destination rule 10 destination port '443'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation port '3000'

Gives error “Destination NAT configuration error in rule 10: translation address not specified”

Came across this: ⚓ T2709 Destination NAT translation port without address fails to commit

Previous issue thats re-appeared?

n.fort · September 16, 2022, 10:27am

Yes, needs to be fixed.
T2709 was for 1.3 version, and it was fixed.
This bug only present un 1.4

kav · September 18, 2022, 6:53am

Do you want me to submit on phabricator?

Netboy3 · September 18, 2022, 1:56pm

This issue is even worse in NAT66 where VyOS submits wrong syntax to nft:

set nat66 destination rule 100 destination port 443
set nat66 destination rule 100 inbound-interface eth1
set nat66 destination rule 100 protocol tcp
set nat66 destination rule 100 translation port 3000
commit

That causes a crash in the UI:

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat66.py", line 175, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/nat66.py", line 157, in apply
    cmd(f'{nftables_nat66_config}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /tmp/vyos-nat66-rules.nft
returned:
exit code: 1

noteworthy:
cmd '/tmp/vyos-nat66-rules.nft'
returned (out):

returned (err):
/tmp/vyos-nat66-rules.nft:15:69-69: Error: syntax error, unexpected colon, expecting end of file or newline or semicolon
add rule ip6 nat PREROUTING iifname "eth1" counter tcp dport { 443 }:3000 comment "DST-NAT66-100"
                                                                    ^

[[nat66]] failed
Commit failed

jack9603301 · September 19, 2022, 4:32pm

I’m suspicious, this seems to be a use case where the erroneous command output is thrown due to lack of requisite validation logic, when a formal bug report is created please let me know and I’ll take the time to fix it.

Try to add the following configuration:

set nat66 destination rule 100 translation address <address>

and tell me the result.

Netboy3 · September 19, 2022, 6:53pm

Once I add an address to the commit, it goes through well and is properly submitted into netfilter:

table ip6 nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                iifname "eth1" counter packets 0 bytes 0 tcp dport 443 dnat to 2555:555:555:55::55:3000 comment "DST-NAT66-100"
        }
...
}

Would you like me to open a bug report on phabricator?

jack9603301 · September 19, 2022, 6:57pm

You are welcome to open the official bug report if you like, it will assign a TASK ID to it and create an archive of the bug report so I might be able to fix it

n.fort · September 19, 2022, 7:22pm

https://phabricator.vyos.net/T4706