Page MenuHomeVyOS Platform
Create Task
Maniphest T2951

Cannot enable logging for monitor nat
Closed, ResolvedPublicBUG
Actions

Description

Unable to enable logging for a nat destination rule, so we're unable to find out why a portmap isn't working.

set nat destination rule 1 log enable

  Configuration path: nat destination rule 1 log [enable] is not valid
  Set failed
$ monitor nat destination rule 1
Warning: logging is not enabled for rule 1
For proper monitor operation enable logging before issuing this command:
set nat destination rule 1 log enable

nat rule:

# show nat destination rule 1
 description "DNAT for X"
 destination {
     port X
 }
 inbound-interface pppoe0
 log
 protocol tcp
 translation {
     address X.X.0.2
     port X
 }

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3-rolling-202009271030
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

christophedc0 created this task.Oct 2 2020, 9:34 AM
c-po claimed this task.EditedOct 4 2020, 6:32 PM

This was infact only a warning - but for whatever reason nftables is not logging to kernel log :/

Warning fixed in https://github.com/vyos/vyatta-op/commit/a60663132d9d067a7a1b5cbc95ab8ddf34877bb0

Viacheslav added a subscriber: Viacheslav.EditedOct 5 2020, 10:50 AM

Works with Ethernet ports fine

set nat destination rule 10 destination address '192.168.122.16'
set nat destination rule 10 destination port '2222'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 log
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.3.2'
set nat destination rule 10 translation port '22'
set nat source rule 10 outbound-interface 'br0'
set nat source rule 10 translation address 'masquerade'

Monitor

vyos@r6-roll:~$ monitor nat destination rule 10
  NAT-DEST-RULE-10: [ 332.786510] [NAT-DST-10]IN=eth0 OUT= MAC=52:54:00:6c:17:c6:52:54:00:f5:e8:14:08:00 SRC=192.168.122.1 DST=192.168.122.16 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20687 DF PROTO=TCP SPT=47814 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0 
  NAT-DEST-RULE-10: [ 340.891482] [NAT-DST-10]IN=eth0 OUT= MAC=52:54:00:6c:17:c6:52:54:00:f5:e8:14:08:00 SRC=192.168.122.1 DST=192.168.122.16 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14664 DF PROTO=TCP SPT=47826 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0 
^C
vyos@r6-roll:~$ 
vyos@r6-roll:~$ show ver

Version:          VyOS 1.3-rolling-202010050117
root@r6-roll:/home/vyos#  cat /proc/net/netfilter/nf_log 
 0 NONE ()
 1 NONE ()
 2 nf_log_ipv4 (nf_log_ipv4)
 3 NONE ()
 4 NONE ()
 5 NONE ()
 6 NONE ()
 7 NONE ()
 8 NONE ()
 9 NONE ()
10 NONE ()
11 NONE ()
12 NONE ()
pasik added a subscriber: pasik.Oct 5 2020, 12:34 PM
c-po changed the task status from Open to Needs testing.Oct 5 2020, 4:43 PM

@christophedc0 please check out any rolling release which is newer then vyos-1.3-rolling-202010050117-amd64.iso as I have found two bugs in the implementation (one for source nat logging) and the other for the warning you have posted.

christophedc0 added a comment.EditedOct 5 2020, 8:55 PM

@c-po
The error message is gone now,so that's ok.
When accessing the nat rule, nothing shows up in the monitor.

$ monitor nat destination rule 10
^C
$ cat /proc/net/netfilter/nf_log 
 0 NONE ()
 1 NONE ()
 2 nf_log_ipv4 (nf_log_ipv4)
 3 NONE ()
 4 NONE ()
 5 NONE ()
 6 NONE ()
 7 NONE ()
 8 NONE ()
 9 NONE ()
10 nf_log_ipv6 (nf_log_ipv6)
11 NONE ()
12 NONE ()

the nat rule has been bound to interface pppoe0

running on

Version:          VyOS 1.3-rolling-202010051738
c-po added a comment.EditedOct 10 2020, 6:30 PM

@christophedc0 Have you enabled NAT rule logging?

Given the following configuration and version it works for me as expected:

VyOS 1.3-rolling-202010041845

[email protected]# show nat destination rule 100
 description HTTP(S)
 destination {
     port 80,443
 }
 inbound-interface pppoe0
 log
 protocol tcp
 translation {
     address 172.16.36.10
 }
[email protected]:~$ monitor nat destination rule 100
  NAT-DEST-RULE-100: [491280.735438] [NAT-DST-100]IN=pppoe0 OUT= MAC= SRC=151.80.237.96 DST=xxx.xxx.xxx.175 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=21983 DF PROTO=TCP SPT=44376 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
  NAT-DEST-RULE-100: [491281.019950] [NAT-DST-100]IN=pppoe0 OUT= MAC= SRC=151.80.237.96 DST=xxx.xxx.xxx.175 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=57347 DF PROTO=TCP SPT=36112 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
[email protected]# cat /proc/net/netfilter/nf_log
 0 NONE ()
 1 NONE ()
 2 nf_log_ipv4 (nf_log_ipv4)
 3 NONE ()
 4 NONE ()
 5 NONE ()
 6 NONE ()
 7 NONE ()
 8 NONE ()
 9 NONE ()
10 nf_log_ipv6 (nf_log_ipv6)
11 NONE ()
12 NONE ()
christophedc0 closed this task as Resolved.Oct 12 2020, 6:23 PM

It seems to be working now, for some reason it didn't work when I first tried, but now it seems OK.

I'm changing the status to "resolved".

c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 23 2020, 3:26 PM
erkin renamed this task from monitor nat not working to Cannot enable logging for monitor nat.Aug 29 2021, 12:46 PM
erkin set Issue type to Bug (incorrect behavior).
erkin removed a subscriber: Active contributors.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 7:12 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.