
NAT destination port with ! results in error
Closed, Resolved | Public | BUG

Details

Difficulty level: Easy (less than an hour)
Version: 1.3-rolling-202006080117
Why the issue appeared? Implementation mistake
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

Just adding in here that it is also affecting IP addresses too, not just ports.
I am on 1.3-rolling-202006101523.

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat.py", line 268, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/nat.py", line 256, in apply
    cmd(f'{iptables_nat_config}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 178, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /tmp/vyos-nat-rules.nft
returned:
exit code: 1

noteworthy:
cmd '/tmp/vyos-nat-rules.nft'
returned (out):

returned (err):
/tmp/vyos-nat-rules.nft:61:74-74: Error: syntax error, unexpected !
add rule ip nat PREROUTING iifname "eth1.11v11" ip protocol tcp ip daddr !192.168.67.243-192.168.67.244 tcp dport { 53 } counter log prefix "[NAT-DST-399]" comment "DST-NAT-399 tcp_udp"
                                                                         ^
/tmp/vyos-nat-rules.nft:62:74-74: Error: syntax error, unexpected !
add rule ip nat PREROUTING iifname "eth1.11v11" ip protocol tcp ip daddr !192.168.67.243-192.168.67.244 tcp dport { 53 } counter dnat to 192.168.67.243:53 comment "DST-NAT-399 tcp_udp"
                                                                         ^
/tmp/vyos-nat-rules.nft:64:74-74: Error: syntax error, unexpected !
add rule ip nat PREROUTING iifname "eth1.11v11" ip protocol udp ip daddr !192.168.67.243-192.168.67.244 udp dport { 53 } counter log prefix "[NAT-DST-399]" comment "DST-NAT-399 tcp_udp"
                                                                         ^
/tmp/vyos-nat-rules.nft:65:74-74: Error: syntax error, unexpected !
add rule ip nat PREROUTING iifname "eth1.11v11" ip protocol udp ip daddr !192.168.67.243-192.168.67.244 udp dport { 53 } counter dnat to 192.168.67.243:53 comment "DST-NAT-399 tcp_udp"
                                                                         ^

[[nat]] failed
Commit failed

Here are my config commands that are having the "!" issue on the address, 3 separate NAT rules where I am using NAT to catch sneaky DNS bypass and redirect it through my infrastructure:

set nat destination rule 399 description 'Redirect DNS iot VLAN'
set nat destination rule 399 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 399 destination port '53'
set nat destination rule 399 inbound-interface 'eth1.11v11'
set nat destination rule 399 log 'enable'
set nat destination rule 399 protocol 'tcp_udp'
set nat destination rule 399 translation address '192.168.67.243'
set nat destination rule 399 translation port '53'
set nat destination rule 400 description 'Redirect DNS lan VLAN'
set nat destination rule 400 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 400 destination port '53'
set nat destination rule 400 inbound-interface 'eth1.13v13'
set nat destination rule 400 log 'enable'
set nat destination rule 400 protocol 'tcp_udp'
set nat destination rule 400 translation address '192.168.67.243'
set nat destination rule 400 translation port '53'
set nat destination rule 401 description 'Redirect DNS guest VLAN'
set nat destination rule 401 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 401 destination port '53'
set nat destination rule 401 inbound-interface 'eth1.131v131'
set nat destination rule 401 log 'enable'
set nat destination rule 401 protocol 'tcp_udp'
set nat destination rule 401 translation address '192.168.67.243'
set nat destination rule 401 translation port '53'
c-po changed the task status from Open to In progress. Jun 11 2020, 2:07 PM
c-po claimed this task.
c-po changed the task status from In progress to Needs testing. Jun 11 2020, 2:35 PM
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

The != port issue is yet to be fixed ...

Latest rolling release has all the fixes

This fix has now introduced a bug with comma-separated ports:

set nat destination rule 100 description 'HTTP(S): proxy'
set nat destination rule 100 destination port '80,443'
set nat destination rule 100 inbound-interface 'eth0.7'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '10.20.20.192'
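Both failures in this task come from the same place: how a VyOS match value is rendered into nftables syntax. nft expresses negation as `!=` (so `ip daddr != 192.168.67.243-192.168.67.244`, never a bare `!` glued to the value), and a comma-separated port list such as `80,443` has to be emitted as a braced set. The Python below is an added example, not VyOS's nat.py; the function names and the rule dictionary are assumptions, and it deliberately omits the separate `log prefix` rule that the page's generated file shows.

```python
import ipaddress
import re

def _split_negation(value):
    """VyOS accepts a leading '!' to negate a match; strip it and report it."""
    return (True, value[1:]) if value.startswith('!') else (False, value)

def _check_port(port):
    """Accept a single port or a low-high range in 1..65535."""
    m = re.fullmatch(r'(\d+)(?:-(\d+))?', port)
    lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f'bad port spec: {port!r}')
    return port

def _check_address(addr):
    """Accept a host, a prefix, or a low-high address range."""
    for part in (addr.split('-', 1) if '-' in addr else [addr]):
        ipaddress.ip_network(part, strict=False)
    return addr

def nft_address_match(direction, value):
    """'daddr', '!192.168.67.243-192.168.67.244' -> 'ip daddr != 192.168.67.243-...'"""
    negated, addr = _split_negation(value)
    return f'ip {direction} {"!= " if negated else ""}{_check_address(addr)}'

def nft_port_match(proto, value):
    """'tcp', '80,443' -> 'tcp dport { 80, 443 }'; '!53' -> 'tcp dport != { 53 }'"""
    negated, ports = _split_negation(value)
    items = [_check_port(p.strip()) for p in ports.split(',') if p.strip()]
    if not items:
        raise ValueError(f'empty port list: {value!r}')
    return f'{proto} dport {"!= " if negated else ""}{{ {", ".join(items)} }}'

def render_dnat_rules(num, rule):
    """Expand one VyOS destination rule (assumed dict shape) into nft 'add rule'
    lines; 'tcp_udp' yields one rule per protocol, as in the page's generated file."""
    protos = ['tcp', 'udp'] if rule['protocol'] == 'tcp_udp' else [rule['protocol']]
    lines = []
    for proto in protos:
        parts = [f'add rule ip nat PREROUTING iifname "{rule["inbound-interface"]}"',
                 f'ip protocol {proto}']
        if 'destination address' in rule:
            parts.append(nft_address_match('daddr', rule['destination address']))
        if 'destination port' in rule:
            parts.append(nft_port_match(proto, rule['destination port']))
        target = rule['translation address'] + (':' + rule['translation port'] if 'translation port' in rule else '')
        parts.append(f'counter dnat to {target} comment "DST-NAT-{num}"')
        lines.append(' '.join(parts))
    return lines
```

Feeding rule 399 from the comment above through `render_dnat_rules` yields the two rules nft rejected, now with `!=` in place of the bare `!`; the validation helpers reject malformed values before they ever reach `/tmp/vyos-nat-rules.nft`.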
erkin set Issue type to Bug (incorrect behavior). Aug 30 2021, 5:41 AM
erkin removed a subscriber: Active contributors.