Page MenuHomeVyOS Platform

source NAT translation port can not be set when translation address is set to masquerade
Closed, ResolvedPublicBUG

Description

When the NAT translation address is set to masquerade it is not possible to specify a translation port

set nat source rule 10 description 'rtp'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 protocol 'udp'
set nat source rule 10 source address '10.0.7.114'
set nat source rule 10 source port '5060'
set nat source rule 10 translation address 'masquerade'
set nat source rule 10 translation port '5060'
set nat source rule 11 description 'media'
set nat source rule 11 outbound-interface 'eth1'
set nat source rule 11 protocol 'udp'
set nat source rule 11 source address '10.0.7.114'
set nat source rule 11 source port '9000-10999'
set nat source rule 11 translation address 'masquerade'
set nat source rule 11 translation port '9000-10999'
set nat source rule 100 description 'Default Outbound NAT'
set nat source rule 100 outbound-interface 'eth1'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '10.0.0.0/8'
set nat source rule 100 translation address 'masquerade'
VyOS had an issue completing a command.
We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
  https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
  https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com
When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below
Report Time:      2020-06-12 14:57:47
Image Version:    VyOS 1.3-rolling-202006120643
Release Train:    equuleus
Built by:         autobuild@vyos.net
Built on:         Fri 12 Jun 2020 06:43 UTC
Build UUID:       d0f3a48d-a9ba-4aa8-89fc-f7e6ef826ea3
Build Commit ID:  411d48353967f2
Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Hardware vendor:  Bochs
Hardware model:   Bochs
Hardware S/N:
Hardware UUID:    5944f7ed-4b4c-4bb8-9362-cb2779bbc60e
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat.py", line 280, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/nat.py", line 268, in apply
    cmd(f'{iptables_nat_config}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 178, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /tmp/vyos-nat-rules.nft
returned:
exit code: 1
noteworthy:
cmd '/tmp/vyos-nat-rules.nft'
returned (out):
returned (err):
/tmp/vyos-nat-rules.nft:119:117-117: Error: syntax error, unexpected colon, expecting end of file or newline or semicolon
add rule ip nat POSTROUTING oifname "eth1" ip protocol udp ip saddr 10.0.7.114 udp sport { 5060 } counter masquerade:5060 comment "DST-NAT-10"
                                                                                                                    ^
/tmp/vyos-nat-rules.nft:140:123-123: Error: syntax error, unexpected colon, expecting end of file or newline or semicolon
add rule ip nat POSTROUTING oifname "eth1" ip protocol udp ip saddr 10.0.7.114 udp sport { 9000-10999 } counter masquerade:9000-10999 comment "DST-NAT-11"
                                                                                                                          ^
[[nat]] failed

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.3-rolling-202006120643
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

c-po changed the task status from Open to In progress.Jun 14 2020, 9:36 AM
c-po claimed this task.
c-po triaged this task as High priority.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.

The mentioned configuration results into this snippet on VyOS 1.2.5

vyos@vyos:~$ sudo iptables-save -t nat
# Generated by iptables-save v1.4.21 on Sun Jun 14 11:35:24 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -s 10.0.7.114/32 -o eth1 -p udp -m udp --sport 5060 -m comment --comment SRC-NAT-10 -j MASQUERADE --to-ports 5060
-A POSTROUTING -s 10.0.7.114/32 -o eth1 -p udp -m multiport --sports 9000:10999 -m comment --comment SRC-NAT-11 -j MASQUERADE --to-ports 9000-10999
-A POSTROUTING -s 10.0.0.0/8 -o eth1 -m comment --comment SRC-NAT-100 -j MASQUERADE
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
COMMIT
# Completed on Sun Jun 14 11:35:24 2020

It now renders to:

chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth1" ip saddr 10.0.7.114 udp sport { 5060 } counter packets 0 bytes 0 masquerade to :5060 comment "DST-NAT-10"
        oifname "eth1" ip saddr 10.0.7.114 udp sport { 9000-10999 } counter packets 0 bytes 0 masquerade to :9000-10999 comment "DST-NAT-11"
        oifname "eth1" ip saddr 10.0.0.0/8 counter packets 0 bytes 0 masquerade comment "DST-NAT-100"
}

Any rolling ISO generated after vyos-1.3-rolling-202006140117-amd64.iso will have the fix.

erkin set Issue type to Bug (incorrect behavior).Aug 30 2021, 5:31 AM
erkin removed a subscriber: Active contributors.