
NAT config migration error in 1.4.0-epa1 if invalid address/network defined in 1.3.6 version
Closed, Resolved · Public · BUG

Description

This issue was reported by a customer who lost the entire NAT definition while upgrading a device from 1.3.6 to 1.4.0-epa1.

How to reproduce the issue:

  • NAT definition in 1.3.6:
set nat destination rule 2058 destination port '8080'
set nat destination rule 2058 inbound-interface 'eth4'
set nat destination rule 2058 protocol 'tcp'
set nat destination rule 2058 translation address '10.250.1.156'
set nat destination rule 2058 translation port '80'
set nat destination rule 2059 destination port '8999'
set nat destination rule 2059 inbound-interface 'eth4'
set nat destination rule 2059 protocol 'tcp_udp'
set nat destination rule 2059 translation address '10.250.1.2'
set nat destination rule 2059 translation port '8999'
set nat destination rule 2060 destination port '5060,10000-20000'
set nat destination rule 2060 inbound-interface 'eth4'
set nat destination rule 2060 protocol 'udp'
set nat destination rule 2060 source address '192.0.2.226/27'
set nat destination rule 2060 translation address '10.250.1.3'
set nat destination rule 2061 destination port '10000-20000'
set nat destination rule 2061 inbound-interface 'eth4'
set nat destination rule 2061 protocol 'udp'
set nat destination rule 2061 source address '192.0.2.226/27'
set nat destination rule 2061 translation address '10.250.1.3'
set nat source rule 1000 outbound-interface 'eth4'
set nat source rule 1000 source address '10.250.1.0/24'
set nat source rule 1000 translation address 'masquerade'
set nat source rule 1002 outbound-interface 'eth4'
set nat source rule 1002 source address '10.250.2.0/14'
set nat source rule 1002 translation address 'masquerade'
set nat source rule 1250 outbound-interface 'eth4'
set nat source rule 1250 source address '10.250.250.0/24'
set nat source rule 1250 translation address 'masquerade'

Then upgrade the device to 1.4.0-epa1; you receive a configuration migration failed error:
'192.0.2.226/27' and '10.250.2.0/14' are not valid networks.

vyos@vyos:~$ conf
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config

If you try to configure the rules directly in 1.4.0-epa1, you receive a validation error:

vyos@vyos# set nat destination rule 2060 source address '192.0.2.226/27'

  Error: 192.0.2.226/27 is not a valid IPv4 address range
  Error: 192.0.2.226/27 is not a valid IPv4 prefix
  Error: 192.0.2.226/27 is not a valid IPv4 address

  Invalid value
  Value validation failed
  Set failed

It seems that stricter validation was added in 1.4.0-epa1. As this configuration was working fine in 1.3.6, there should either be error messages on conversion, or only the failing NAT rules should fail, not all rules.

Details

Difficulty level: Unknown (require assessment)
Version: 1.4.0-epa1
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)
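
A pre-upgrade check for the condition in the description, as an added example that is not VyOS code: it scans set-style NAT commands for address values written as a prefix with host bits set, and reports the canonical network for each. It assumes the 1.4 validator rejects exactly such prefixes, which matches the two values named in the report; `find_invalid_prefixes` and `SAMPLE` are hypothetical names, and `SAMPLE` is a subset of the commands listed above.

```python
import ipaddress
import re

# Address leaves under 'set nat <type> rule <n> ...', in the 1.3 syntax shown in the report.
ADDR_RE = re.compile(
    r"^set nat (source|destination) rule (\d+) "
    r"(source|destination|translation) address '?([^'\s]+)'?\s*$"
)

def find_invalid_prefixes(config_text):
    """Return (nat_type, rule, field, value, canonical) for each prefix with host bits set."""
    findings = []
    for line in config_text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue
        nat_type, rule, field, value = m.groups()
        candidate = value.lstrip("!")  # a leading '!' negates the match
        if "/" not in candidate:
            continue  # plain address, range, or keyword such as 'masquerade'
        try:
            ipaddress.ip_network(candidate, strict=True)
        except ValueError:
            try:
                canonical = str(ipaddress.ip_network(candidate, strict=False))
            except ValueError:
                canonical = None  # not parseable as a prefix at all
            findings.append((nat_type, int(rule), field, value, canonical))
    return findings

# Subset of the 1.3.6 commands from the report (assumed input format).
SAMPLE = """\
set nat destination rule 2058 translation address '10.250.1.156'
set nat destination rule 2060 source address '192.0.2.226/27'
set nat source rule 1000 source address '10.250.1.0/24'
set nat source rule 1000 translation address 'masquerade'
set nat source rule 1002 source address '10.250.2.0/14'
"""

if __name__ == "__main__":
    for nat_type, rule, field, value, canonical in find_invalid_prefixes(SAMPLE):
        print(f"nat {nat_type} rule {rule} {field} address {value}: "
              f"host bits set, canonical network is {canonical}")
```

Correcting the reported values on 1.3.6 before the upgrade keeps a single bad prefix from taking the whole NAT section with it during migration.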