
Rewrite show nat source rules
Closed, Resolved · Public · FEATURE REQUEST

Description

Due to the large number of bugs in the NAT statistics output, it is easier to rewrite show nat source rules, which was written in T3435, than to fix all the bugs.

VyOS example configuration:

set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 destination address '192.0.2.0/24'
set nat source rule 20 exclude
set nat source rule 20 outbound-interface 'any'
set nat source rule 20 protocol 'all'
set nat source rule 30 destination address '192.0.2.0/24'
set nat source rule 30 outbound-interface 'any'
set nat source rule 30 protocol 'tcp'
set nat source rule 30 source address '203.0.113.0/24'
set nat source rule 30 translation address '100.64.0.5'
set nat source rule 40 destination address '192.0.2.85/32'
set nat source rule 40 destination port '22001-22005'
set nat source rule 40 outbound-interface 'eth0'
set nat source rule 40 protocol 'tcp_udp'
set nat source rule 40 source port '65001-65005'
set nat source rule 40 translation address 'masquerade'
set nat source rule 50 destination port '8080'
set nat source rule 50 outbound-interface 'any'
set nat source rule 50 protocol 'tcp'
set nat source rule 50 source address '100.64.0.0/24'
set nat source rule 50 source port '9999'
set nat source rule 50 translation address 'masquerade'
set nat source rule 50 translation port '8888'
set nat source rule 60 destination port '2222-2225'
set nat source rule 60 outbound-interface 'any'
set nat source rule 60 protocol 'tcp'
set nat source rule 60 source address '100.64.0.0/24'
set nat source rule 60 source port '4442-4445'
set nat source rule 60 translation address 'masquerade'
set nat source rule 60 translation port '8882-8885'
set nat source rule 70 destination address '192.0.2.5'
set nat source rule 70 destination port '2222'
set nat source rule 70 outbound-interface 'eth1'
set nat source rule 70 protocol 'tcp'
set nat source rule 70 translation address 'masquerade'
set nat source rule 70 translation port '22'
set nat source rule 80 destination port '22,80,443'
set nat source rule 80 outbound-interface 'eth1'
set nat source rule 80 protocol 'tcp'
set nat source rule 80 translation address '192.0.2.99'

Show output:

vyos@r14:~$ show nat source rules 
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
10         any                                                masquerade                                         eth0      
20         any                                                                                                   any       
30         192.0.2.0/24                                       100.64.0.5                                         tcp       
40         port 65001-65005                                   masquerade                                         eth0      
           192.0.2.85 port 22001-22005                                                                                     
40         port 65001-65005                                   masquerade                                         eth0      
           192.0.2.85 port 22001-22005                                                                                     
50         port 9999 port 8080                                masquerade                                         any       
60         port 4442-4445 port 2222-2225                      masquerade                                         any       
70         192.0.2.5 port 2222                                masquerade                                         eth1      
80         port 22                                            192.0.2.99                                         eth1      
vyos@r14:~$

Bugs:

  • rule 20: exclude is not indicated
  • rule 30: Outbound Interface shows "tcp"; source address is incorrect, it shows 192.0.2.0/24 but 203.0.113.0/24 is expected
  • rule 40: it is not clear which are source ports and which are destination ports; source address is incorrect, expected 0.0.0.0/0
  • rule 50: shows the destination port in Source
  • rule 60: doesn't show the source address
  • rule 70: shows the destination address in Source
  • rule 80: shows only one port, 22, which is a destination port, yet it appears in Source and only once; a Destination column with 3 ports is expected

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

PR https://github.com/vyos/vyos-1x/pull/1420

vyos@r14:~$ show nat source rules 
Rule    Source             Destination        Proto    Out-Int    Translation
------  -----------------  -----------------  -------  ---------  --------------
10      0.0.0.0/0          0.0.0.0/0          any      eth0       masquerade
        sport any          dport any
20      0.0.0.0/0          192.0.2.0/24       IP       any        exclude
        sport any          dport any
30      203.0.113.0/24     192.0.2.0/24       TCP      any        100.64.0.5
        sport any          dport any
40      0.0.0.0/0          192.0.2.85         TCP      eth0       masquerade
        sport 65001-65005  dport 22001-22005
40      0.0.0.0/0          192.0.2.85         UDP      eth0       masquerade
        sport 65001-65005  dport 22001-22005
50      100.64.0.0/24      192.0.2.85         TCP      any        masquerade
        sport 9999         dport 8080                             port 8888
60      100.64.0.0/24      192.0.2.85         TCP      any        masquerade
        sport 4442-4445    dport 2222-2225                        port 8882-8885
70      0.0.0.0/0          192.0.2.5          TCP      eth1       masquerade
        sport any          dport 2222                             port 22
80      0.0.0.0/0          0.0.0.0/0          TCP      eth1       192.0.2.99
        sport any          dport 22,80,443
vyos@r14:~$

PR https://github.com/vyos/vyos-1x/pull/1426
An example of the raw output with only rule 10 configured:

vyos@r14:~$ /usr/libexec/vyos/op_mode/nat.py show_rules --direction source --raw
[
    {
        "rule": {
            "family": "ip",
            "table": "nat",
            "chain": "POSTROUTING",
            "handle": 114,
            "comment": "SRC-NAT-10",
            "expr": [
                {
                    "match": {
                        "op": "==",
                        "left": {
                            "meta": {
                                "key": "oifname"
                            }
                        },
                        "right": "eth0"
                    }
                },
                {
                    "counter": {
                        "packets": 0,
                        "bytes": 0
                    }
                },
                {
                    "masquerade": null
                }
            ]
        }
    }
]
vyos@r14:~$
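To show how the raw nftables JSON above maps onto the columns of the rewritten table (Source/sport, Destination/dport, Proto, Out-Int, Translation), here is an added example parser; it is not the project's nat.py. Only rule 10's JSON appears on the page, so the second sample rule and the handling of payload, prefix, range, set and snat objects are assumptions based on the libnftables JSON schema.

```python
import json

# Constructed sample in the nftables JSON schema: the first rule is rule 10 from the
# page's raw output (family/table/chain dropped); the second is an ASSUMED rendering
# of rule 30 with a dport set added, not output captured from VyOS.
SAMPLE = json.loads('''[
 {"rule": {"handle": 114, "comment": "SRC-NAT-10", "expr": [
   {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "eth0"}},
   {"counter": {"packets": 0, "bytes": 0}}, {"masquerade": null}]}},
 {"rule": {"handle": 115, "comment": "SRC-NAT-30", "expr": [
   {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
              "right": {"prefix": {"addr": "203.0.113.0", "len": 24}}}},
   {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
              "right": {"set": [22, 80, 443]}}},
   {"counter": {"packets": 0, "bytes": 0}}, {"snat": {"addr": "100.64.0.5"}}]}}
]''')

def fmt_value(right):
    """Render an nft right-hand operand: prefix, range, set, or plain scalar."""
    if isinstance(right, dict):
        if 'prefix' in right:
            return f"{right['prefix']['addr']}/{right['prefix']['len']}"
        if 'range' in right:
            return '-'.join(str(x) for x in right['range'])
        if 'set' in right:
            return ','.join(fmt_value(x) for x in right['set'])
    return str(right)

def parse_rule(rule):
    """Flatten one nft rule object into the columns of the rewritten table."""
    row = dict(rule=rule['comment'].rsplit('-', 1)[-1], source='0.0.0.0/0', sport='any',
               destination='0.0.0.0/0', dport='any', proto='any', out_int='any', translation='')
    for expr in rule['expr']:
        if 'match' in expr:
            left, right = expr['match']['left'], expr['match']['right']
            if 'meta' in left and left['meta']['key'] == 'oifname':
                row['out_int'] = right
            elif 'payload' in left:
                proto, field = left['payload']['protocol'], left['payload']['field']
                if proto == 'ip':  # saddr/daddr fill the address columns
                    row['source' if field == 'saddr' else 'destination'] = fmt_value(right)
                else:              # tcp/udp sport/dport fill the port sub-rows
                    row['proto'], row[field] = proto, fmt_value(right)
        for kind in ('masquerade', 'snat'):
            if kind in expr:  # masquerade is null unless a translation port is set
                opts = expr[kind] or {}
                row['translation'] = opts.get('addr', kind)
                if 'port' in opts:
                    row['translation'] += f" port {fmt_value(opts['port'])}"
    return row
```

Feeding every item of the --raw list through parse_rule yields one row per nft rule, so a tcp_udp rule (like rule 40) correctly shows up twice, once per protocol.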
Viacheslav changed the task status from Open to Needs testing. Jul 26 2022, 7:35 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.