Reported via forum
https://forum.vyos.io/t/config-lost-on-upgrade-cant-use-negating/5460/4
Just adding in here that it is also affecting IP addresses, not just ports.
I am on 1.3-rolling-202006101523
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat.py", line 268, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/nat.py", line 256, in apply
    cmd(f'{iptables_nat_config}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 178, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /tmp/vyos-nat-rules.nft
returned: exit code: 1

noteworthy:
cmd '/tmp/vyos-nat-rules.nft'
returned (out):

returned (err):
/tmp/vyos-nat-rules.nft:61:74-74: Error: syntax error, unexpected !
add rule ip nat PREROUTING iifname "eth1.11v11" ip protocol tcp ip daddr !192.168.67.243-192.168.67.244 tcp dport { 53 } counter log prefix "[NAT-DST-399]" comment "DST-NAT-399 tcp_udp"
                                                                         ^
/tmp/vyos-nat-rules.nft:62:74-74: Error: syntax error, unexpected !
add rule ip nat PREROUTING iifname "eth1.11v11" ip protocol tcp ip daddr !192.168.67.243-192.168.67.244 tcp dport { 53 } counter dnat to 192.168.67.243:53 comment "DST-NAT-399 tcp_udp"
                                                                         ^
/tmp/vyos-nat-rules.nft:64:74-74: Error: syntax error, unexpected !
add rule ip nat PREROUTING iifname "eth1.11v11" ip protocol udp ip daddr !192.168.67.243-192.168.67.244 udp dport { 53 } counter log prefix "[NAT-DST-399]" comment "DST-NAT-399 tcp_udp"
                                                                         ^
/tmp/vyos-nat-rules.nft:65:74-74: Error: syntax error, unexpected !
add rule ip nat PREROUTING iifname "eth1.11v11" ip protocol udp ip daddr !192.168.67.243-192.168.67.244 udp dport { 53 } counter dnat to 192.168.67.243:53 comment "DST-NAT-399 tcp_udp"
                                                                         ^

[[nat]] failed
Commit failed
Here are my config commands that are having the "!" issue on the address: 3 separate NAT rules where I am using NAT to catch sneaky DNS bypass and redirect it through my infrastructure.

set nat destination rule 399 description 'Redirect DNS iot VLAN'
set nat destination rule 399 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 399 destination port '53'
set nat destination rule 399 inbound-interface 'eth1.11v11'
set nat destination rule 399 log 'enable'
set nat destination rule 399 protocol 'tcp_udp'
set nat destination rule 399 translation address '192.168.67.243'
set nat destination rule 399 translation port '53'
set nat destination rule 400 description 'Redirect DNS lan VLAN'
set nat destination rule 400 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 400 destination port '53'
set nat destination rule 400 inbound-interface 'eth1.13v13'
set nat destination rule 400 log 'enable'
set nat destination rule 400 protocol 'tcp_udp'
set nat destination rule 400 translation address '192.168.67.243'
set nat destination rule 400 translation port '53'
set nat destination rule 401 description 'Redirect DNS guest VLAN'
set nat destination rule 401 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 401 destination port '53'
set nat destination rule 401 inbound-interface 'eth1.131v131'
set nat destination rule 401 log 'enable'
set nat destination rule 401 protocol 'tcp_udp'
set nat destination rule 401 translation address '192.168.67.243'
set nat destination rule 401 translation port '53'
This fix now introduced a bug with comma-separated ports:

set nat destination rule 100 description 'HTTP(S): proxy'
set nat destination rule 100 destination port '80,443'
set nat destination rule 100 inbound-interface 'eth0.7'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '10.20.20.192'
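Both failures in this task (the bare `!` glued to the address in the traceback, and `80,443` being passed through unchanged) come down to how VyOS-style values are rendered into nft syntax. The following is an added example, not VyOS's own nat.py: a small renderer that emits nft's `!=` operator for negation and an anonymous set for comma-separated values, with the rule layout loosely modelled on the generated lines quoted above. Function names and the validation helpers are my own.

```python
import ipaddress

def check_address(item: str) -> None:
    # Accept one IPv4 address or prefix, or a 'low-high' address range.
    for part in item.split('-', 1):
        ipaddress.ip_network(part, strict=False)  # ValueError if malformed

def check_port(item: str) -> None:
    # Accept one port or a 'low-high' port range, each end within 1..65535.
    for part in item.split('-', 1):
        if not part.isdigit() or not 1 <= int(part) <= 65535:
            raise ValueError(f'bad port {item!r}')

def nft_match(selector: str, value: str, check) -> str:
    """Render '<selector> [!=] <value>' in the form nft actually parses.

    A leading '!' becomes nft's '!=' operator; a bare '!' glued to the value
    is the 'syntax error, unexpected !' shown in the traceback above. Comma-
    separated alternatives become an anonymous set '{ a, b }', which nft
    accepts for ports and addresses alike (ranges may appear inside it).
    """
    negate = value.startswith('!')
    body = value[1:] if negate else value
    items = [v.strip() for v in body.split(',') if v.strip()]
    if not items:
        raise ValueError(f'empty value for {selector}')
    for item in items:
        check(item)  # reject garbage before it reaches the nft file
    rendered = items[0] if len(items) == 1 else '{ ' + ', '.join(items) + ' }'
    return f'{selector} {"!= " if negate else ""}{rendered}'

def dnat_rule(num: int, iface: str, proto: str, daddr: str, dport: str,
              to_addr: str, to_port: str = '', log: bool = False) -> list:
    """PREROUTING dnat rule(s) for one VyOS destination rule; 'tcp_udp'
    expands to one rule per protocol, with an optional log rule in front."""
    protos = ['tcp', 'udp'] if proto == 'tcp_udp' else [proto]
    rules = []
    for p in protos:
        match = [f'add rule ip nat PREROUTING iifname "{iface}" ip protocol {p}']
        if daddr:
            match.append(nft_match('ip daddr', daddr, check_address))
        if dport:
            match.append(nft_match(f'{p} dport', dport, check_port))
        prefix = ' '.join(match)
        if log:
            rules.append(f'{prefix} counter log prefix "[NAT-DST-{num}]"')
        target = f'{to_addr}:{to_port}' if to_port else to_addr
        rules.append(f'{prefix} counter dnat to {target} comment "DST-NAT-{num}"')
    return rules
```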