Change Details

On latest 1.4 releases, after a fresh install, this is the content of NAT table: ``` # pre-nat vyos@vyos:~$ sudo nft list table ip nat table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; counter packets 0 bytes 0 jump VYOS_PRE_DNAT_HOOK } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; counter packets 30 bytes 1800 jump VYOS_PRE_SNAT_HOOK } chain VYOS_PRE_DNAT_HOOK { return } chain VYOS_PRE_SNAT_HOOK { return } } ``` There we can see both jumps from PREROUTING and POSTROUTING to VYOS_PRE_XNAT_HOOK. Also, return action present at chains VYOS_PRE_XNAT_HOOK But, after adding, for example a simple nat source rule, we get: ``` table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; oifname "eth0" ip saddr 192.168.99.0/24 counter packets 0 bytes 0 masquerade comment "SRC-NAT-10" } chain VYOS_PRE_DNAT_HOOK { } chain VYOS_PRE_SNAT_HOOK { } } ``` And no jumps to VYOS_PRE_XNAT_HOOK present on PRE and POST routing chains. This lead to misbehavior of other components, such as WAN Load Balance. Some entries on the forum: - https://forum.vyos.io/t/wan-load-balancing-fails-to-work-properly-for-pppoe-clients/8782 - https://forum.vyos.io/t/multi-wan-load-balancing-configurations-have-no-effect/8738/5 Bugs related to this main cause: - https://phabricator.vyos.net/T4352

On latest 1.4 releases, after a fresh install, this is the content of NAT table: ``` # pre-nat vyos@vyos:~$ sudo nft list table ip nat table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; counter packets 0 bytes 0 jump VYOS_PRE_DNAT_HOOK } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; counter packets 30 bytes 1800 jump VYOS_PRE_SNAT_HOOK } chain VYOS_PRE_DNAT_HOOK { return } chain VYOS_PRE_SNAT_HOOK { return } } ``` There we can see both jumps from PREROUTING and POSTROUTING to VYOS_PRE_XNAT_HOOK. Also, return action present at chains VYOS_PRE_XNAT_HOOK But, after adding, for example a simple nat source rule, we get: ``` table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; oifname "eth0" ip saddr 192.168.99.0/24 counter packets 0 bytes 0 masquerade comment "SRC-NAT-10" } chain VYOS_PRE_DNAT_HOOK { } chain VYOS_PRE_SNAT_HOOK { } } ``` No jumps to VYOS_PRE_XNAT_HOOK present on PRE and POST routing chains. Also, no return action on VYOS_PRE_XNAT_HOOKs This leads to misbehavior of other components, such as WAN Load Balance. Some entries on the forum: - https://forum.vyos.io/t/wan-load-balancing-fails-to-work-properly-for-pppoe-clients/8782 - https://forum.vyos.io/t/multi-wan-load-balancing-configurations-have-no-effect/8738/5 Bugs related to this main cause: - https://phabricator.vyos.net/T4352

On latest 1.4 releases, after a fresh install, this is the content of NAT table: ``` # pre-nat vyos@vyos:~$ sudo nft list table ip nat table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; counter packets 0 bytes 0 jump VYOS_PRE_DNAT_HOOK } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; counter packets 30 bytes 1800 jump VYOS_PRE_SNAT_HOOK } chain VYOS_PRE_DNAT_HOOK { return } chain VYOS_PRE_SNAT_HOOK { return } } ``` There we can see both jumps from PREROUTING and POSTROUTING to VYOS_PRE_XNAT_HOOK. Also, return action present at chains VYOS_PRE_XNAT_HOOK But, after adding, for example a simple nat source rule, we get: ``` table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; oifname "eth0" ip saddr 192.168.99.0/24 counter packets 0 bytes 0 masquerade comment "SRC-NAT-10" } chain VYOS_PRE_DNAT_HOOK { } chain VYOS_PRE_SNAT_HOOK { } } ``` And noNo jumps to VYOS_PRE_XNAT_HOOK present on PRE and POST routing chains. Also, no return action on VYOS_PRE_XNAT_HOOKs This leads to misbehavior of other components, such as WAN Load Balance. Some entries on the forum: - https://forum.vyos.io/t/wan-load-balancing-fails-to-work-properly-for-pppoe-clients/8782 - https://forum.vyos.io/t/multi-wan-load-balancing-configurations-have-no-effect/8738/5 Bugs related to this main cause: - https://phabricator.vyos.net/T4352