
address prefix destination NAT fails to render nftables rules / commit
Resolved (N/A) · Public

Description

vyos@vyos:~$ configure 
WARNING: You are currently configuring a live-ISO environment, changes will not persist until installed
[edit]
vyos@vyos# edit nat destination rule 1
[edit nat destination rule 1]
vyos@vyos# set inbound-interface eth0
[edit nat destination rule 1]
vyos@vyos# set destination address 1.0.0.0/24
[edit nat destination rule 1]
vyos@vyos# set translation address 2.0.0.0/24
[edit nat destination rule 1]
vyos@vyos# commit
[ nat ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
  https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
  https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report Time:      2021-02-12 21:29:18
Image Version:    VyOS 1.4-rolling-202102121338
Release Train:    sagitta

Built by:         [email protected]
Built on:         Fri 12 Feb 2021 13:38 UTC
Build UUID:       bc737bd6-a1da-4443-876d-33c52dfefbdd
Build Commit ID:  aec60effa4e36e

Architecture:     x86_64
Boot via:         livecd
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    c57f3fa4-9552-406b-b205-6f5ee80eafbd

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat.py", line 201, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/nat.py", line 186, in generate
    permission=0o755)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 112, in render
    rendered = render_to_string(template, content, formater)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 82, in render_to_string
    rendered = template.render(content)
  File "/usr/lib/python3/dist-packages/jinja2/asyncsupport.py", line 76, in render
    return original_render(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 1008, in render
    return self.environment.handle_exception(exc_info, True)
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 780, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python3/dist-packages/jinja2/_compat.py", line 37, in reraise
    raise value.with_traceback(tb)
  File "/usr/share/vyos/templates/firewall/nftables-nat.tmpl", line 148, in top-level template code
    {{ nat_rule(rule, config, 'PREROUTING') }}
  File "/usr/lib/python3/dist-packages/jinja2/runtime.py", line 579, in _invoke
    rv = self._func(*arguments)
  File "/usr/share/vyos/templates/firewall/nftables-nat.tmpl", line 27, in template
    {%         set trns_addr = 'dnat ip prefix to ip daddr map { ' + config.source.address + ' : ' + config.translation.address + ' }' %}
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 430, in getattr
    return getattr(obj, attribute)
jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'source'



[[nat]] failed
Commit failed
[edit nat destination rule 1]

It seems that the jinja2 template calls for source.address where it should call for destination.address.

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202102121338-amd64
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

varesa created this object in space S1 VyOS Public.

Tested with:

curl https://raw.githubusercontent.com/varesa/vyos-1x/4a0504a96cf0f3078e964ed201f196fb55172e00/data/templates/firewall/nftables-nat.tmpl | sudo tee /usr/share/vyos/templates/firewall/nftables-nat.tmpl

Commit goes through without errors:

vyos@vyos# edit nat destination rule 1
[edit nat destination rule 1]
vyos@vyos# set destination address 10.0.0.0/24
[edit nat destination rule 1]
vyos@vyos# set translation address 10.1.0.0/24
[edit nat destination rule 1]
vyos@vyos# set inbound-interface eth0
[edit nat destination rule 1]
vyos@vyos# commit
[edit nat destination rule 1]
vyos@vyos#

NAT works (incoming ping towards 10.0.0.123, gets translated to 10.1.0.123):

vyos@vyos# sudo tcpdump -i any icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:57:49.087615 IP 192.168.122.181 > 10.0.0.123: ICMP echo request, id 5237, seq 10, length 64
21:57:49.087645 IP 192.168.122.181 > 10.1.0.123: ICMP echo request, id 5237, seq 10, length 64
21:57:50.111609 IP 192.168.122.181 > 10.0.0.123: ICMP echo request, id 5237, seq 11, length 64
21:57:50.111672 IP 192.168.122.181 > 10.1.0.123: ICMP echo request, id 5237, seq 11, length 64

Generated nftables rule:

table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "eth0" counter packets 201 bytes 14192 dnat ip prefix to ip daddr map { 10.0.0.0/24 : 10.1.0.0/24 } comment "DST-NAT-1"
	}
}

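To make the failure in the traceback and the rule shown in the test above reproducible without a VyOS box, here is an added example (not VyOS code): the prefix-translation branch of the nftables-nat template modelled in plain Python instead of Jinja2. The shape of the SNAT branch and the `nat_rule` signature are my assumptions; the DNAT statement it produces matches the generated rule above.

```python
# Added example (not VyOS code): the prefix-translation branch of the
# nftables-nat template modelled in plain Python instead of Jinja2.

# Constructed DNAT rule, as entered by the reporter (nat destination rule 1)
SAMPLE_DNAT_RULE = {
    "inbound-interface": "eth0",
    "destination": {"address": "10.0.0.0/24"},
    "translation": {"address": "10.1.0.0/24"},
}

def nat_rule(rule_id, config, chain, match_key):
    """Build one nftables NAT statement. match_key names the config subtree
    whose prefix is mapped: 'destination' for DNAT (PREROUTING) and
    'source' for SNAT (POSTROUTING, assumed symmetric here)."""
    translated = config["translation"]["address"]
    if chain == "PREROUTING":
        action, addr, comment = "dnat", "daddr", f"DST-NAT-{rule_id}"
        iface = f'iifname "{config["inbound-interface"]}"'
    else:
        action, addr, comment = "snat", "saddr", f"SRC-NAT-{rule_id}"
        iface = f'oifname "{config["outbound-interface"]}"'
    if "/" in translated:
        # Prefix translation maps a whole network; this is the template
        # line from the traceback, so a wrong match_key fails right here.
        matched = config[match_key]["address"]
        trns = f"{action} ip prefix to ip {addr} map {{ {matched} : {translated} }}"
    else:
        trns = f"{action} to {translated}"
    return f'{iface} counter {trns} comment "{comment}"'

def render_buggy(rule_id, config):
    """The shipped template: the PREROUTING branch read config.source.address,
    a subtree a destination NAT rule does not have."""
    return nat_rule(rule_id, config, "PREROUTING", "source")

def render_fixed(rule_id, config):
    """The fix: DNAT prefix translation maps on the destination address."""
    return nat_rule(rule_id, config, "PREROUTING", "destination")

def commit_outcome(render, rule_id, config):
    """Mimic commit: Jinja2 raises UndefinedError for the missing subtree;
    here it is a KeyError, and either way the commit fails."""
    try:
        return "ok", render(rule_id, config)
    except KeyError as err:
        return "failed", f"rule has no attribute {err}"
```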
Unknown Object (User) changed the task status from Open to Needs testing. Feb 12 2021, 11:22 PM
Unknown Object (User) triaged this task as Normal priority.

The translation is working properly now but it is not showing in the command output:

vyos@vyos# run sh nat destination translations
Pre-NAT              Post-NAT             Prot  Timeout
[edit]
vyos@vyos# run sh nat source translations
Pre-NAT              Post-NAT             Prot  Timeout

Packet capture showing translations:

vyos@vyos:~$ sudo tcpdump -nvvi eth3
tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 262144 bytes
07:31:21.531551 IP (tos 0x0, ttl 64, id 51207, offset 0, flags [DF], proto ICMP)
    10.2.2.3 > 11.60.1.4: ICMP echo request, id 32127, seq 78, length 64
07:31:21.537888 IP (tos 0x0, ttl 62, id 51207, offset 0, flags [DF], proto ICMP)
    11.60.1.4 > 10.2.2.3: ICMP echo reply, id 32127, seq 78, length 64

vyos@vyos:~$ sudo tcpdump -nvvi vti0
tcpdump: listening on vti0, link-type RAW (Raw IP), capture size 262144 bytes
07:31:05.516317 IP (tos 0x0, ttl 63, id 49181, offset 0, flags [DF], proto ICMP)
    192.168.13.3 > 10.1.1.4: ICMP echo request, id 32127, seq 62, length 64
07:31:05.523200 IP (tos 0x0, ttl 63, id 49181, offset 0, flags [DF], proto ICMP)
    10.1.1.4 > 192.168.13.3: ICMP echo reply, id 32127, seq 62, length 64
07:31:06.516654 IP (tos 0x0, ttl 63, id 49210, offset 0, flags [DF], proto ICMP)
    192.168.13.3 > 10.1.1.4: ICMP echo request, id 32127, seq 63, length 64

SrividyaA changed the task status from Resolved to Resolved N/A. Aug 31 2021, 11:51 AM
SrividyaA set Issue type to Unspecified (please specify).