
Broken address/subnet validation on NAT configuration
Closed, Resolved | Public | BUG

Description

Reproducing steps:

set nat source rule 10 outbound-interface eth1
set nat source rule 10 translation address 192.168.255.125
set nat source rule 10 source address 100.64.0.0./24

Output on commit

vyos@vyos# commit
[ nat ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
  https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
  https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report Time:      2020-11-06 07:15:25
Image Version:    VyOS 1.3-rolling-202011060217
Release Train:    equuleus

Built by:         [email protected]
Built on:         Fri 06 Nov 2020 02:17 UTC
Build UUID:       4ccaf17b-c3b8-47af-84f1-0e94869e692c
Build Commit ID:  7662f6fac19d23

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:     
Hardware UUID:    3fc6b6fe-8c8d-4bda-a4cd-be9465fea031

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat.py", line 287, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/nat.py", line 275, in apply
    cmd(f'{iptables_nat_config}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 179, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /tmp/vyos-nat-rules.nft
returned: 
exit code: 1

noteworthy:
cmd '/tmp/vyos-nat-rules.nft'
returned (out):

returned (err):
/tmp/vyos-nat-rules.nft:33:68-74: Error: syntax error, unexpected counter
add rule ip nat POSTROUTING oifname "eth1" ip saddr 100.64.0.0./24 counter snat to 192.168.255.125 comment "SRC-NAT-10"

Details

Difficulty level
Easy (less than an hour)
Version
1.3-rolling-202011060217
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Stricter validation
Issue type
Bug (incorrect behavior)

Event Timeline

Unknown Object (User) created this task. Nov 6 2020, 7:19 AM

The problem is the constraint statement in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/include/nat-address.xml.i where ipv4-range returns 0 instead of 1.

$ /usr/libexec/vyos/validators/ipv4-address 10.64.0.0./10 ; echo $?
1
$ /usr/libexec/vyos/validators/ipv4-prefix 10.64.0.0./10 ; echo $?
1
$ /usr/libexec/vyos/validators/ipv4-range 10.64.0.0./10 ; echo $?
0
$ /usr/libexec/vyos/validators/ipv4-address-exclude 10.64.0.0./10 ; echo $?
1
$ /usr/libexec/vyos/validators/ipv4-prefix-exclude 10.64.0.0./10 ; echo $?
1
$ /usr/libexec/vyos/validators/ipv4-range-exclude 10.64.0.0./10 ; echo $?
1
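The validator outputs above and the commit traceback in the description both show the same failure mode: a string that is neither an address, a prefix nor a range ("10.64.0.0./10", or "100.64.0.0./24" in the reproduction steps) gets exit code 0 from ipv4-range, so it is accepted and copied verbatim into the generated nftables rule, where nft rejects it. The following standalone Python script is an added illustration of the strict check such a validator should perform; it is not the vyos-1x validator and its script name, argument handling and sample values are assumptions. It follows the exit-code convention visible on the page (0 = accepted, 1 = rejected) and only accepts a range written as two valid dotted-quad addresses joined by a single "-", with the start not above the end.

```python
#!/usr/bin/env python3
"""Strict IPv4 range validator (added example, not the vyos-1x validator).

Mirrors the exit-code convention of /usr/libexec/vyos/validators/ipv4-range
shown in the bug report: 0 means the value is accepted, 1 means rejected.
Parsing with the ipaddress module instead of string matching ensures that a
malformed value such as "10.64.0.0./10" never reaches the nft rule template.
"""
import ipaddress
import sys


def is_ipv4_address(text: str) -> bool:
    """True only for a plain dotted-quad IPv4 address (no prefix, no range)."""
    try:
        ipaddress.IPv4Address(text)
    except (ipaddress.AddressValueError, ValueError):
        return False
    return True


def is_ipv4_range(text: str) -> bool:
    """True only for 'start-end' with two valid IPv4 addresses and start <= end.

    A bare address, a prefix, a reversed range, or the trailing-dot typo from
    the report all fail this check, so they are rejected before commit.
    """
    parts = text.split("-")
    if len(parts) != 2:
        return False
    start, end = parts
    if not (is_ipv4_address(start) and is_ipv4_address(end)):
        return False
    return ipaddress.IPv4Address(start) <= ipaddress.IPv4Address(end)


def validate(text: str) -> int:
    """Exit-code style result: 0 = valid range, 1 = invalid."""
    return 0 if is_ipv4_range(text) else 1


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Behave like a CLI validator: exit status carries the result.
        sys.exit(validate(sys.argv[1]))
    # Constructed samples: the malformed values from the report plus edge cases.
    samples = [
        "10.64.0.0./10",         # trailing dot before the prefix, from the comment above
        "100.64.0.0./24",        # the exact value from the reproduction steps
        "10.64.0.1-10.64.0.10",  # well-formed range
        "10.64.0.10-10.64.0.1",  # reversed range
        "10.64.0.0/10",          # a prefix, not a range
        "10.64.0.1",             # single address, not a range
    ]
    for s in samples:
        print(f"{s!r:26} -> exit {validate(s)}")
```

Run without arguments to see the table of sample results, or with one argument to use it as a drop-in style validator and inspect `$?`. The design point is that every branch of the address constraint (address, prefix, range) must reject anything it does not fully parse; an "accept by default" validator turns a typo into a failed commit, and in the worst case into a rule set that does not apply the intended NAT at all.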
c-po changed the task status from Open to Needs testing. Nov 6 2020, 6:22 PM
c-po claimed this task.
c-po triaged this task as High priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Stricter validation.
erkin set Issue type to Bug (incorrect behavior). Aug 29 2021, 12:19 PM
erkin removed a subscriber: Active contributors.