Page MenuHomeVyOS Platform

NAT config migration error in 1.4.0-epa1 if invalid address/network defined in 1.3.6 version
Closed, ResolvedPublicBUG


This issue was reported by customer while upgrading the device from 1.3.6 to 1.4.0-epa1 and lost his entire NAT definition.

How to reproduce the issue:

  • NAT definition in 1.3.6:
set nat destination rule 2058 destination port '8080'
set nat destination rule 2058 inbound-interface 'eth4'
set nat destination rule 2058 protocol 'tcp'
set nat destination rule 2058 translation address ''
set nat destination rule 2058 translation port '80'
set nat destination rule 2059 destination port '8999'
set nat destination rule 2059 inbound-interface 'eth4'
set nat destination rule 2059 protocol 'tcp_udp'
set nat destination rule 2059 translation address ''
set nat destination rule 2059 translation port '8999'
set nat destination rule 2060 destination port '5060,10000-20000'
set nat destination rule 2060 inbound-interface 'eth4'
set nat destination rule 2060 protocol 'udp'
set nat destination rule 2060 source address ''
set nat destination rule 2060 translation address ''
set nat destination rule 2061 destination port '10000-20000'
set nat destination rule 2061 inbound-interface 'eth4'
set nat destination rule 2061 protocol 'udp'
set nat destination rule 2061 source address ''
set nat destination rule 2061 translation address ''
set nat source rule 1000 outbound-interface 'eth4'
set nat source rule 1000 source address ''
set nat source rule 1000 translation address 'masquerade'
set nat source rule 1002 outbound-interface 'eth4'
set nat source rule 1002 source address ''
set nat source rule 1002 translation address 'masquerade'
set nat source rule 1250 outbound-interface 'eth4'
set nat source rule 1250 source address ''
set nat source rule 1250 translation address 'masquerade'

Then upgrade the device to 1.4.0-epa1, then you receive configuration migration failed error:
'' and '' are not valid networks.

vyos@vyos:~$ conf
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config

If you try to configure, directly the rules in 1.4.0-epa1, you receive validation error:

vyos@vyos# set nat destination rule 2060 source address ''

  Error: is not a valid IPv4 address range

  Error: is not a valid IPv4 prefix

  Error: is not a valid IPv4 address

  Invalid value
  Value validation failed
  Set failed

In 1.4.0-epa1 seems more strict validation being added. As this configuration was working fine in 1.3.6, there should either be error messages on conversion, OR only the failing nat rules should fail - not ALL rules


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

a.apostoliuk moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.
a.apostoliuk moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).