Possible bug with NAT in 1.4 RC1

I updated from an older rolling release of 1.4 to 1.4.0-RC1 and had to make some corrections to the firewall after the migration. It now appears to be working fine.

On the other hand, I am seeing problems with NAT. In spite of this simple configuration,

$ sh nat source rules
Rule    Source          Destination    Proto    Out-Int    Translation
------  --------------  -------------  -------  ---------  -------------
5000    192.168.0.0/16  0.0.0.0/0      IP       eth0       masquerade
        sport any       dport any
5010    192.168.0.0/16  0.0.0.0/0      IP       eth3       masquerade
        sport any       dport any

hosts with non-matching IPs going out tunnel interfaces (wg, gre) were also having NAT applied.

Eventually I found iptables had applied rules, but I don’t use iptables.

$ sudo iptables -L -t nat
# Table `nat' contains incompatible base-chains, use 'nft' tool to list them.
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
NETAVARK-HOSTPORT-DNAT  all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NETAVARK-HOSTPORT-DNAT  all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
NETAVARK-HOSTPORT-MASQ  all  --  anywhere             anywhere            

Chain NETAVARK-HOSTPORT-DNAT (2 references)
target     prot opt source               destination         

Chain NETAVARK-HOSTPORT-MASQ (1 references)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere             /* netavark portfw masq mark */ mark match 0x2000/0x2000

Chain NETAVARK-HOSTPORT-SETMARK (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x2000

Where is this coming from? I removed these rules with iptables -F -t nat and now NAT is working correctly according to config.

I did not see this in my old rolling release of 1.4, but that was before the major firewall updates.

Netavark is from containers

Don't use iptables; use nftables to check NAT rules:

sudo nft list ruleset

Thank you. That is what led me to iptables in the first place: this note when I run nft.

$ sudo nft list ruleset
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain VYOS_PRE_SNAT_HOOK {
		type nat hook postrouting priority srcnat - 1; policy accept;
		return
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 384054 bytes 19207827 jump NETAVARK-HOSTPORT-MASQ
	}

	chain NETAVARK-HOSTPORT-SETMARK {
		counter packets 0 bytes 0 meta mark set mark or 0x2000
	}

	chain NETAVARK-HOSTPORT-MASQ {
		 meta mark & 0x00002000 == 0x00002000 counter packets 12536 bytes 1300712 masquerade
	}

	chain NETAVARK-HOSTPORT-DNAT {
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 94152 bytes 6090499 jump NETAVARK-HOSTPORT-DNAT
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		fib daddr type local counter packets 2158 bytes 129480 jump NETAVARK-HOSTPORT-DNAT
	}
}
table inet mangle {
...

I am running a container, but it is using the host network, so I do not expect NAT to be needed there.

After rebooting the router, since I am now not using container networks, the problematic NAT rules are gone. Thank you for pointing me in the right direction.

I think there is some issue here where the NAT rule applied by the container service is too broad. It should not affect non-container traffic.
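The thread's diagnosis rests on reading `nft list ruleset` by eye and spotting a masquerade rule that no VyOS configuration produced. The following script, added here as an illustration and not code from the thread or from VyOS, automates that check: it parses a ruleset dump into tables, chains and rules, then flags masquerade rules that carry no source-address or out-interface restriction, and base chains that jump into chains not owned by the expected manager. The sample ruleset is constructed from the dump posted above (the `table ip nat` part, with the warning line kept); the second table mimicking a VyOS-generated source rule is an assumption about VyOS's table name and rule layout, included only so the script has a well-formed rule to contrast with.

```python
"""Audit an `nft list ruleset` dump for NAT rules that masquerade traffic
without a source-address or out-interface restriction, and for base chains
that jump into chains not owned by the expected manager (VyOS here)."""
import re

# Constructed sample: the `ip nat` table is taken from the dump posted in the
# thread; the `ip vyos_nat` table is an assumed stand-in for a VyOS-generated
# source NAT rule (name and layout not confirmed by the thread).
SAMPLE_RULESET = """\
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain VYOS_PRE_SNAT_HOOK {
		type nat hook postrouting priority srcnat - 1; policy accept;
		return
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 384054 bytes 19207827 jump NETAVARK-HOSTPORT-MASQ
	}

	chain NETAVARK-HOSTPORT-MASQ {
		 meta mark & 0x00002000 == 0x00002000 counter packets 12536 bytes 1300712 masquerade
	}

	chain NETAVARK-HOSTPORT-DNAT {
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 94152 bytes 6090499 jump NETAVARK-HOSTPORT-DNAT
	}
}
table ip vyos_nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" ip saddr 192.168.0.0/16 counter masquerade comment "SRC-NAT-5000"
	}
}
"""

TABLE_RE = re.compile(r"^table\s+(\S+\s+\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"^type\s+\S+\s+hook\s+(\S+)\s+priority\s+([^;]+);")

# Match expressions that actually narrow which packets a masquerade applies to.
# A packet-mark match is deliberately not listed: it only restricts as far as
# whatever sets the mark does, which an auditor cannot see from this rule.
RESTRICTORS = ("ip saddr", "ip6 saddr", "oifname", "oif ")


def parse_ruleset(text):
    """Return {table: {chain: {"hook": hook-or-None, "rules": [str, ...]}}}.

    Comment lines (e.g. the iptables-nft warning) are skipped. A chain with a
    hook is a base chain; chains without one are only reached via jump/goto."""
    tables = {}
    table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_RE.match(line)
        if m:
            table, chain = m.group(1), None
            tables[table] = {}
            continue
        m = CHAIN_RE.match(line)
        if m and table is not None:
            chain = m.group(1)
            tables[table][chain] = {"hook": None, "rules": []}
            continue
        if line == "}":  # closes the innermost open block
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        if chain is None:
            continue
        m = HOOK_RE.match(line)
        if m:
            tables[table][chain]["hook"] = m.group(1)
        else:
            tables[table][chain]["rules"].append(line)
    return tables


def find_unrestricted_masquerade(tables):
    """Masquerade rules with no source-address or out-interface match."""
    findings = []
    for tname, chains in tables.items():
        for cname, chain in chains.items():
            for rule in chain["rules"]:
                if "masquerade" in rule.split() and not any(r in rule for r in RESTRICTORS):
                    findings.append((tname, cname, rule))
    return findings


def find_foreign_jumps(tables, owner_prefix="VYOS_"):
    """Jumps from base chains (the ones in the packet path) into chains whose
    name does not carry the expected owner's prefix."""
    findings = []
    for tname, chains in tables.items():
        for cname, chain in chains.items():
            if chain["hook"] is None:
                continue
            for rule in chain["rules"]:
                m = re.search(r"\b(?:jump|goto)\s+(\S+)", rule)
                if m and not m.group(1).startswith(owner_prefix):
                    findings.append((tname, cname, chain["hook"], m.group(1)))
    return findings


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULESET)
    for f in find_unrestricted_masquerade(parsed):
        print("unrestricted masquerade:", f)
    for f in find_foreign_jumps(parsed):
        print("foreign jump from base chain:", f)
```

On the sample, the netavark masquerade is reported because its only match is a packet mark, while the assumed VyOS rule is not because it names both an out-interface and a source prefix; the two jumps from `POSTROUTING` and `PREROUTING` into `NETAVARK-*` chains are reported as foreign. To run it against a live router, replace `SAMPLE_RULESET` with the output of `sudo nft list ruleset` (or pipe that output in and call `parse_ruleset` on it).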