Page MenuHomeVyOS Platform

kernel 5.1+ : NAT : module `nft_chain_nat_ipv4` renamed
Closed, ResolvedPublic


The current NAT code looks for the kernel module nft_chain_nat_ipv4, in linux kernel 5.1, this module is merged into nft_chain_nat.

This was changed in 5.1-rc1, with this commit:

This change makes the nat module fail when trying to compile vyos on a 5.1+ kernel.

as a "hotfix" this can be manually changed by:

diff --git a/src/conf_mode/ b/src/conf_mode/
index dd34dfd6..cffb91ba 100755
--- a/src/conf_mode/
+++ b/src/conf_mode/
@@ -33,7 +33,7 @@ from vyos import ConfigError
 from vyos import airbag
-k_mod = ['nft_nat', 'nft_chain_nat_ipv4']
+k_mod = ['nft_nat', 'nft_chain_nat']
 default_config_data = {
     'deleted': False,

But i would not consider this a good solution,

another alternative is to use something like:

from distutils.version import LooseVersion
import platform
if LooseVersion(platform.release()) > LooseVersion("5.1"):
    k_mod = ['nft_nat', 'nft_chain_nat']
    k_mod = ['nft_nat', 'nft_chain_nat_ipv4']

But this code is by no means verified


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

runar created this object in space S1 VyOS Public.
runar changed Version from - to 1.3.

Hello, here is a request beyond the outline. Please help me check whether the NAT kernel module of IPv6 has also changed? It turned out to be nft_chain_nat_ipv6

Although nat66 (NPT) is not currently incorporated into the mainline, I may need to modify my implementation if it is also modified

Yes, nft_chain_nat_ipv6 is also affected by this, and needs the same adjustments as the nat module

c-po changed the task status from Open to In progress.Aug 30 2020, 5:28 PM
c-po claimed this task.
erkin set Issue type to Bug (incorrect behavior).Aug 29 2021, 1:21 PM
erkin removed a subscriber: Active contributors.