
kernel 5.1+ : NAT : module `nft_chain_nat_ipv4` renamed
Closed, Resolved (Public)

Description

The current NAT code looks for the kernel module nft_chain_nat_ipv4; in Linux kernel 5.1, this module is merged into nft_chain_nat.

This was changed in 5.1-rc1, with this commit: https://github.com/torvalds/linux/commit/3bf195ae6037e310d693ff3313401cfaf1261b71

This change makes the NAT module fail when trying to compile VyOS on a 5.1+ kernel.

As a "hotfix" this can be manually changed by:

diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index dd34dfd6..cffb91ba 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -33,7 +33,7 @@ from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
-k_mod = ['nft_nat', 'nft_chain_nat_ipv4']
+k_mod = ['nft_nat', 'nft_chain_nat']
 default_config_data = {
     'deleted': False,
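
Review bot: the new `k_mod` line hard-codes `nft_chain_nat`, a name that exists only from kernel 5.1 onward, so this file would now fail on any older kernel that still ships `nft_chain_nat_ipv4`. Pick the name from the running kernel version (or accept either name) instead of swapping one literal for the other, and add a comment on the `k_mod` line recording that the modules were merged in 5.1-rc1.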

But I would not consider this a good solution.

Another alternative is to use something like:

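from distutils.version import LooseVersion
import platform

# nft_chain_nat_ipv4 was merged into nft_chain_nat in kernel 5.1, so 5.1
# itself must take the new name (>=, not >).
if LooseVersion(platform.release()) >= LooseVersion("5.1"):
    k_mod = ['nft_nat', 'nft_chain_nat']
else:
    # Kernels before 5.1 still ship the IPv4-specific module
    k_mod = ['nft_nat', 'nft_chain_nat_ipv4']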

But this code is by no means verified.

Details

Difficulty level
Unknown (require assessment)
Version
1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

runar created this task. Aug 19 2020, 6:44 PM
runar created this object in space S1 VyOS Public.
runar changed Version from - to 1.3.
runar updated the task description. Aug 19 2020, 7:05 PM
pasik added a subscriber: pasik. Aug 19 2020, 7:16 PM
jack9603301 added a subscriber: jack9603301. Edited Aug 20 2020, 2:01 AM

Hello, here is a request beyond the outline. Please help me check whether the NAT kernel module of IPv6 has also changed? It turned out to be nft_chain_nat_ipv6.

Although nat66 (NPT) is not currently incorporated into the mainline, I may need to modify my implementation if it is also modified.

runar added a comment. Aug 20 2020, 4:29 AM

Yes, nft_chain_nat_ipv6 is also affected by this, and needs the same adjustments as the NAT module.
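
An added example, not part of the task or of VyOS's code: one way to choose the NAT chain module for both address families from the kernel release string, plus a check of which expected modules are absent from a `/proc/modules` listing. The function names and the sample listing are assumptions made for illustration; modules built into the kernel do not appear in `/proc/modules`, so an absent name there is a hint, not proof.

```python
import re

# Per the task: the per-family NAT chain modules were merged into
# nft_chain_nat in 5.1-rc1, for IPv4 and IPv6 alike.
MERGED_SINCE = (5, 1)

# Constructed /proc/modules excerpt for a hypothetical 5.4 host (not real output).
SAMPLE_PROC_MODULES = """\
nft_chain_nat 16384 2 - Live 0x0000000000000000
nft_nat 16384 0 - Live 0x0000000000000000
nf_tables 143360 3 nft_chain_nat,nft_nat, Live 0x0000000000000000
"""


def kernel_version(release):
    """Return (major, minor) as integers from e.g. '5.4.0-42-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    # Integer tuples compare numerically, so 5.10 sorts after 5.4 and 5.1.
    return int(m.group(1)), int(m.group(2))


def nat_kernel_modules(release, family="ipv4"):
    """Return the module list the NAT code should load on this kernel."""
    if family not in ("ipv4", "ipv6"):
        raise ValueError(f"unknown address family: {family!r}")
    if kernel_version(release) >= MERGED_SINCE:
        chain = "nft_chain_nat"
    else:
        chain = f"nft_chain_nat_{family}"
    return ["nft_nat", chain]


def missing_modules(expected, proc_modules_text):
    """Return the expected module names not listed in /proc/modules text."""
    loaded = {line.split()[0] for line in proc_modules_text.splitlines()
              if line.strip()}
    return [name for name in expected if name not in loaded]


if __name__ == "__main__":
    import platform
    print(nat_kernel_modules(platform.release()))
```

Running the old hard-coded list through `missing_modules` against the sample listing reports `nft_chain_nat_ipv4` as absent, which is the failure this task describes.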

c-po changed the task status from Open to In progress. Aug 30 2020, 5:28 PM
c-po claimed this task.
c-po closed this task as Resolved. Aug 30 2020, 6:09 PM