
NAT Regression in 1.3
Closed, Resolved (Public, BUG)

Assigned To
Authored By
xrobau
Jul 11 2020, 10:37 PM
Tags
None
Referenced Files
F650920: image.png
Jul 11 2020, 11:45 PM

Description

In 1.2 this was the only way to 'Do not nat traffic destined to RFC1918 addresses'

set nat source rule 1 destination address '192.168.0.0/16'
set nat source rule 1 exclude
set nat source rule 1 outbound-interface 'any'
set nat source rule 2 destination address '10.0.0.0/8'
set nat source rule 2 exclude
set nat source rule 2 outbound-interface 'any'
set nat source rule 3 destination address '172.16.0.0/12'
set nat source rule 3 exclude
set nat source rule 3 outbound-interface 'any'
set nat source rule 4 outbound-interface 'eth0.115'
set nat source rule 4 source address '10.40.0.0/24'
set nat source rule 4 translation address '99.99.99.99'

However, with recent changes in nat, there are two problems:

  1. 'outbound-interface any' no longer exists, and it generates a warning "NAT configuration warning: interface any does not exist on this system"
  2. A rule with 'exclude' now requires a translation address: "Source NAT configuration error in rule 1: translation address not specified"

This means that this rule in 1.3 does not work:

set nat source rule 1 destination address '192.168.0.0/16'
set nat source rule 1 exclude
set nat source rule 1 outbound-interface 'any'
set nat source rule 1 translation address 'masquerade'

It generates an iptables rule of "-A POSTROUTING -d 192.168.0.0/16 -o any -m comment --comment DST-NAT-1 -j RETURN" - and I also notice that it's called 'DST-NAT-1' instead of SRC-NAT-1, too.

The complete rules generated by 1.2 are:

*nat
:PREROUTING ACCEPT [3217:945646]
:INPUT ACCEPT [307:21920]
:OUTPUT ACCEPT [227:15740]
:POSTROUTING ACCEPT [229:15847]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -d 192.168.0.0/16 -m comment --comment SRC-NAT-1 -j RETURN
-A POSTROUTING -d 10.0.0.0/8 -m comment --comment SRC-NAT-2 -j RETURN
-A POSTROUTING -d 172.16.0.0/12 -m comment --comment SRC-NAT-3 -j RETURN
-A POSTROUTING -s 10.40.0.0/24 -o eth0.115 -m comment --comment SRC-NAT-4 -j SNAT --to-source 99.99.99.99
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
COMMIT

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3-rolling-202007110117
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change

Event Timeline

After upgrading, the entire NAT section is gone

set high-availability vrrp group 10.40.0.0 interface 'eth0.30'
set high-availability vrrp group 10.40.0.0 priority '150'
set high-availability vrrp group 10.40.0.0 virtual-address '10.40.0.1/24'
set high-availability vrrp group 10.40.0.0 vrid '3'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:50:56:a7:c9:02'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 vif 30 address '10.64.1.30/32'
set interfaces ethernet eth0 vif 115 address '99.99.99.99/24'
set interfaces ethernet eth0 vif 115 ip ospf authentication md5 key-id 1 md5-key '_changed_'
set interfaces ethernet eth0 vif 115 ip ospf dead-interval '60'
set interfaces ethernet eth0 vif 115 ip ospf hello-interval '10'
set interfaces ethernet eth0 vif 115 ip ospf priority '1'
set interfaces ethernet eth0 vif 115 ip ospf retransmit-interval '5'
set interfaces ethernet eth0 vif 115 ip ospf transmit-delay '1'
set interfaces loopback lo
set protocols ospf area 99.99.99.0 authentication 'md5'
set protocols ospf area 99.99.99.0 network '99.99.99.0/24'
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id '99.99.99.99'
set service ssh
set system config-management commit-revisions '100'
set system console
set system host-name 'vyos'
set system name-server '1.1.1.1'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'

Your above ruleset should be translated into this NFT syntax:

$ iptables-restore-translate
# Translated by iptables-restore-translate v1.8.2 on Sun Jul 12 10:14:22 2020
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add chain ip nat VYATTA_PRE_DNAT_HOOK
add chain ip nat VYATTA_PRE_SNAT_HOOK
add rule ip nat PREROUTING counter jump VYATTA_PRE_DNAT_HOOK
add rule ip nat POSTROUTING counter jump VYATTA_PRE_SNAT_HOOK
add rule ip nat POSTROUTING ip daddr 192.168.0.0/16 counter return comment "SRC-NAT-1"
add rule ip nat POSTROUTING ip daddr 10.0.0.0/8 counter return comment "SRC-NAT-2"
add rule ip nat POSTROUTING ip daddr 172.16.0.0/12 counter return comment "SRC-NAT-3"
add rule ip nat POSTROUTING oifname "eth0.115" ip saddr 10.40.0.0/24 counter snat to 99.99.99.99 comment "SRC-NAT-4"
add rule ip nat VYATTA_PRE_DNAT_HOOK counter return
add rule ip nat VYATTA_PRE_SNAT_HOOK counter return
# Completed on Sun Jul 12 10:14:22 2020
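An added example, not code from the ticket or from VyOS itself: a small Python generator that maps `set nat source rule` lines to the nft syntax shown above, treating `exclude` as a plain `return` (so no translation address is required), emitting no `oifname` match when outbound-interface is `any`, and labelling the rules SRC-NAT-N. The sample config and the `parse_rules`/`to_nft` helpers are constructed here for illustration.

```python
import re

# Constructed sample: two rules from the ticket (an exclude and the real SNAT).
VYOS_CONFIG = """
set nat source rule 1 destination address '192.168.0.0/16'
set nat source rule 1 exclude
set nat source rule 1 outbound-interface 'any'
set nat source rule 4 outbound-interface 'eth0.115'
set nat source rule 4 source address '10.40.0.0/24'
set nat source rule 4 translation address '99.99.99.99'
"""
LINE_RE = re.compile(r"^set nat source rule (\d+)(?: (.*))?$")

def parse_rules(text):
    """Group 'set nat source rule N ...' lines by rule number, unquoting values."""
    rules = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rule = rules.setdefault(int(m.group(1)), {})
        parts = (m.group(2) or "").split()
        if parts == ["exclude"]:
            rule["exclude"] = True
        elif len(parts) >= 2:
            rule[" ".join(parts[:-1])] = parts[-1].strip("'")
    return rules

def to_nft(rules):
    """Render nft POSTROUTING rules; an exclude rule needs no translation address."""
    out = []
    for num in sorted(rules):
        r, match = rules[num], []
        oif = r.get("outbound-interface")
        if oif and oif != "any":  # 'any' is not an interface: emit no oifname match
            match.append(f'oifname "{oif}"')
        if "source address" in r:
            match.append(f"ip saddr {r['source address']}")
        if "destination address" in r:
            match.append(f"ip daddr {r['destination address']}")
        if r.get("exclude"):
            action = "return"  # exclude: leave the chain without translating
        elif "translation address" not in r:
            raise ValueError(f"rule {num}: translation address not specified")
        else:
            ta = r["translation address"]
            action = "masquerade" if ta == "masquerade" else f"snat to {ta}"
        out.append(f'add rule ip nat POSTROUTING {" ".join(match)} '
                   f'counter {action} comment "SRC-NAT-{num}"')
    return out
```

The translation-address check is applied only to non-exclude rules, which is the ordering the ticket's second problem is about.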

The outbound-interface any case is not handled yet.

The following rules are now installed after the fix:

add rule ip nat POSTROUTING ip daddr 192.168.0.0/16 counter return comment "DST-NAT-1"
add rule ip nat POSTROUTING ip daddr 10.0.0.0/8 counter return comment "DST-NAT-2"
add rule ip nat POSTROUTING ip daddr 172.16.0.0/12 counter return comment "DST-NAT-3"
add rule ip nat POSTROUTING oifname "eth0.115" ip saddr 10.40.0.0/24 counter snat to 99.99.99.99 comment "DST-NAT-4"
c-po claimed this task.