How do I view what prevented commit?

While setting NAT rules, I’d get errors during commit. I keep reading compare’s output but see nothing that stands out.

I’m only editing NAT; in the output there’s:

[ nat ]
Configuration file errors encountered!

[[nat]] failed
Commit failed

So, I take it the system knows exactly what’s up, so… how can I get it to, um, share it?

I even tried setting the scrolling log side by side hoping maybe it’d show up there, but all I’m getting is random attack attempts. =/

Fuller CLI output
slot@dkornr# compare
+ nat {
+     destination {
+         rule 11 {
+             destination {
+                 port "4491"
+             }
+             exclude
+             inbound-interface "eth0"
+             protocol "udp"
+         }
+         rule 12 {
+             destination {
+                 port "22"
+             }
+             exclude
+             inbound-interface "any"
+             protocol "tcp"
+         }
+         rule 13 {
+             exclude
+             inbound-interface "any"
+             protocol "icmp"
+         }
+     }
+     source {
+         rule 100 {
+             exclude
+             outbound-interface "eth0"
+             source {
+                 address "127.0.0.0/8"
+             }
+         }
+         rule 101 {
+             outbound-interface "eth0"
+             translation {
+                 address "masquerade"
+                 options {
+                     port-mapping "none"
+                 }
+             }
+         }
+     }
+     static {
+         rule 101 {
+             inbound-interface "eth0"
+             translation {
+                 address "192.168.91.2"
+             }
+         }
+     }
+ }
[edit]
slot@dkornr# commit
[ nat ]
Configuration file errors encountered!

[[nat]] failed
Commit failed
[edit]
slot@dkornr#

A couple of things

a) You haven’t been doing anything as root, have you? Sometimes it’s possible to run scripts as root without realising, and when you do this you can’t commit anymore until you reboot.
b) What version are you running?

VyOS version?
After the error, please share the content of the files /run/nftables_nat.conf and /run/nftables_static-nat-rules.nft

Oh, shoot, my bad, I forgot the version!

It’s 1.5 late September… VyOS 1.5-rolling-202309280022.

I wasn’t even sure (still ain’t) whether the prompt was bash or some other interpreter; I just assumed it was VyOS’s own stripped-down version of these because I could only run a handful of commands outside of ⇥-completion thaaat one time I tried… Case in point: I tried cat /run/nftables_nat.conf, and there’s no cat.

Thanks to both for answering BTW. I’ll get to the docs to figure out how to run that and be back. =)

You can just type bash to get into a regular bash shell.

Can you share the output? The cat command should be there!
For example:

vyos@latest:~$ cat /run/nftables_nat.conf 
#!/usr/sbin/nft -f


delete table ip vyos_nat
table ip vyos_nat {
    #
    # Destination NAT rules build up here
    #
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        counter jump VYOS_PRE_DNAT_HOOK
        iifname "eth2" counter dnat to 203.0.113.1 comment "DST-NAT-10"
    }

    #
    # Source NAT rules build up here
    #
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        counter jump VYOS_PRE_SNAT_HOOK
        oifname "eth3" ip saddr  198.51.100.0/24 counter masquerade comment "SRC-NAT-10"
    }

    chain VYOS_PRE_DNAT_HOOK {
        return
    }

    chain VYOS_PRE_SNAT_HOOK {
        return
    }

    set I_IG {
        type ifname
        flags interval
        auto-merge
        elements = { eth6,bond99 }
    }

}
vyos@latest:~$ show version | grep Version
Version:          VyOS 1.5-rolling-202310240118
vyos@latest:~$ 

FWIW, @senseivita you can also do run-time debugging of the commit system: VyOS Docs: Debugging: Live System

For example if at your shell you enter:

export VYOS_COMMAND_DEBUG=""

That will set a temporary run-time flag that prints verbose commit data to the shell when you call commit.

Note (as mentioned in the docs at the end of that section) that you may need to first call sudo systemctl stop vyos-configd to enable the debug output.
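Pulling the thread's suggestions together as an added example (not VyOS's own tooling and not from any poster here): a bash script that reads the saved commit output to see which component failed, then parse-checks the two generated nftables files named above with nft's check-only mode so the exact rejected line is shown. The two file paths come from this thread; the assumption that "Configuration file errors encountered!" means nft rejected one of those files is mine.

```bash
#!/usr/bin/env bash
# Added example (not VyOS's own tooling): triage a failed NAT commit from the
# regular bash shell reached by typing "bash" at the VyOS prompt.
# Assumption: "Configuration file errors encountered!" means nft rejected one
# of the generated rulesets; the two paths are the ones named in this thread.
set -u

NAT_FILES="/run/nftables_nat.conf /run/nftables_static-nat-rules.nft"

# Extract component names from commit output, e.g. "[[nat]] failed" -> "nat".
# Reads the saved commit output on stdin, prints one component per line.
failed_components() {
    sed -n 's/^\[\[\([^]]*\)\]\] failed$/\1/p'
}

# Parse-check one generated ruleset without loading it (nft -c = check only),
# so nft reports the exact offending line instead of a bare "failed".
# Exit status: 0 parses, 1 rejected by nft, 2 file missing or unreadable.
check_nft_file() {
    local f="$1"
    if [ ! -r "$f" ]; then
        echo "missing or unreadable: $f"
        return 2
    fi
    if sudo nft -c -f "$f"; then
        echo "OK: $f parses cleanly"
    else
        echo "FAIL: $f rejected by nft (see the line/column above)"
        return 1
    fi
}

# Report which components failed, then check the nat rulesets. If every file
# parses, the problem is not in the generated rulesets: re-run commit with
# VYOS_COMMAND_DEBUG set (see the reply above) for the verbose trace.
main() {
    local log="$1" rc=0 f
    echo "failed components:"
    failed_components < "$log"
    for f in $NAT_FILES; do
        check_nft_file "$f" || rc=$?
    done
    return "$rc"
}

# Usage: triage.sh <file containing the saved commit output>
if [ "${BASH_SOURCE[0]:-}" = "$0" ] && [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it after dropping to bash with the commit output saved to a file; a FAIL line is followed by nft's own error pointing at the offending line of the generated ruleset.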

Thanks everyone for answering,

Unfortunately, I’m afraid it was only some bug; I updated VyOS (now it’s build 20231022 0123) and the first half of the commands weren’t failing anymore.

As for the second part, the part that actually translates traffic, it did fail, but because the address wasn’t reachable. I think that was it; at least, it said so, but I’m not sure if it should’ve failed just because of that, i.e. the target address could’ve been made available after the rule was created, on demand, IDK.

I’ve been trying to set it back up, but it’s a WireGuard tunnel that stops responding, it seems, every time the keep-alive check is done. Lowering the MTU helped for a while but not anymore. Then I got another public IP address I was waiting for, but it messed up the routing and now the firewall is reachable only on one address at a time. I’ve been having a hard time getting one not to have higher preference, but I haven’t managed, kinda getting further away from having the destination reachable, hence MIA. =/

Thanks @Korikaze for teaching me how to get to bash, that will be invaluable, and @marvin for what seems — I have not tested yet — to be the specific answer to my question: what prevents or prevented commit.

Thanks again! =)