
nat66 - Error in port translation rules
Status: Needs testing, Requires assessment | Public | BUG

Description

When port NAT is configured, the IPv6 address + port translation is written in a wrong way that is still acceptable to netfilter, so no error is raised at commit, but the translation does not occur.

Example:

```
[email protected]# run show config comm | grep nat66
set nat66 destination rule 10 destination address '2307:e4c0:3::85'
set nat66 destination rule 10 destination port '1522'
set nat66 destination rule 10 inbound-interface 'eth0'
set nat66 destination rule 10 protocol 'tcp'
set nat66 destination rule 10 translation address 'fc01::2'
set nat66 destination rule 10 translation port '2222'
```

nft rule generated in the nat table from this config:

```
[email protected]# sudo nft list ruleset | grep DST-NAT66-1
                iifname "eth0" ip6 daddr 2307:e4c0:3::85 tcp dport 1522 counter packets 2 bytes 160 dnat to fc01::2:2222 comment "DST-NAT66-10"
[edit]
[email protected]#
```

Error: fc01::2:2222 is an IPv6 address, not an IPv6 address + port.

Manual workaround: write the full IPv6 address, without `::`.
Example:

## Config

```
set nat66 destination rule 20 destination address '2307:e4c0:3::85'
set nat66 destination rule 20 destination port '1522'
set nat66 destination rule 20 inbound-interface 'eth0'
set nat66 destination rule 20 protocol 'tcp'
set nat66 destination rule 20 translation address 'fc01:0:0:0:0:0:0:2'
set nat66 destination rule 20 translation port '2222'
```

## Correct rule

```
[email protected]# sudo nft list ruleset | grep DST-NAT66-20
 iifname "eth0" ip6 daddr 2307:e4c0:3::85 tcp dport 1522 counter packets 0 bytes 0 dnat to [fc01::2]:2222 comment "DST-NAT66-20"
[edit]
[email protected]#
```
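As an added example (not part of this report or of VyOS's own code), the renderer and check below build an nft NAT target the way the corrected rule shows it, bracketing IPv6 addresses that carry a port, and flag a generated rule whose target has collapsed into a bare IPv6 literal. The two sample rule lines are copied from the output above; the function names are my own.

```python
from __future__ import annotations
import ipaddress
import re


def nft_nat_target(address: str, port: int | None = None) -> str:
    """Render the target of an nft 'dnat to' / 'snat to' expression.

    An IPv6 address with a port must be written [addr]:port; without the
    brackets the trailing ':port' reads as one more group of the address.
    """
    ip = ipaddress.ip_address(address)          # rejects malformed input
    if port is None:
        return str(ip)                          # str() yields the :: form
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"


def parse_nat_target(target: str) -> tuple[str, int | None]:
    """Read a target the way the report shows nft reading it: a bracketed
    '[v6]:port', a 'v4:port', or a bare address. An unbracketed 'v6:port'
    that happens to be a valid IPv6 literal is taken as a bare address."""
    m = re.fullmatch(r"\[(.+)\]:(\d+)", target)
    if m:
        return str(ipaddress.ip_address(m.group(1))), int(m.group(2))
    try:
        return str(ipaddress.ip_address(target)), None   # whole string is an address
    except ValueError:
        pass
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return str(ipaddress.ip_address(host)), int(port)
    raise ValueError(f"unparseable NAT target: {target!r}")


_TARGET_RE = re.compile(r"\b(?:dnat|snat) to (\S+)")


def translation_lost(rule: str, address: str, port: int) -> bool:
    """True when the rendered rule does not carry the configured address+port."""
    m = _TARGET_RE.search(rule)
    if not m:
        raise ValueError("no NAT target found in rule")
    got_addr, got_port = parse_nat_target(m.group(1))
    return not (got_addr == str(ipaddress.ip_address(address)) and got_port == port)


# Rule lines as printed by 'nft list ruleset' in the report above.
BAD_RULE = ('iifname "eth0" ip6 daddr 2307:e4c0:3::85 tcp dport 1522 counter packets 2 '
            'bytes 160 dnat to fc01::2:2222 comment "DST-NAT66-10"')
GOOD_RULE = ('iifname "eth0" ip6 daddr 2307:e4c0:3::85 tcp dport 1522 counter packets 0 '
             'bytes 0 dnat to [fc01::2]:2222 comment "DST-NAT66-20"')
```

Running `translation_lost(BAD_RULE, "fc01::2", 2222)` returns True because the target parses as the address fc01::2:2222 with no port, while the bracketed rule returns False.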

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.4-rolling-202211190627
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)