Page MenuHomeVyOS Platform

NAT: possible to commit illegal source nat without translation
Closed, ResolvedPublicBUG

Description

It is possible to commit an illegal nat configuration, in this example the translation address is not specified on commit and it renders an exception.

This example is from a newly installed iso.

Welcome to VyOS - vyos ttyS0

vyos login: vyos
Password:
Linux vyos 4.19.139-amd64-vyos #1 SMP Sat Aug 15 09:30:29 UTC 2020 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
vyos@vyos:~$ conf
[edit]
vyos@vyos# set nat source rule 100 outbound-interface eth0
[edit]
vyos@vyos# commit
[ nat ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
  https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
  https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report Time:      2020-08-19 16:58:25
Image Version:    VyOS 1.3-rolling-202008190118
Release Train:    equuleus

Built by:         [email protected]
Built on:         Wed 19 Aug 2020 01:18 UTC
Build UUID:       bb4ab508-0e69-48c4-ba73-f559c811a083
Build Commit ID:  9cb142f438773c

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    Unknown

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat.py", line 271, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/nat.py", line 259, in apply
    cmd(f'{iptables_nat_config}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 179, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /tmp/vyos-nat-rules.nft
returned:
exit code: 1

noteworthy:
cmd '/tmp/vyos-nat-rules.nft'
returned (out):

returned (err):
/tmp/vyos-nat-rules.nft:41:61-67: Error: syntax error, unexpected comment
add rule ip nat POSTROUTING oifname "eth0" counter snat to  comment "DST-NAT-100"
                                                            ^^^^^^^

[[nat]] failed
Commit failed
[edit]
vyos@vyos#

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.3-rolling-202008190118
Why the issue appeared?
Design mistake
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

runar renamed this task from NAT: possible to commit illegal source nat without destination to NAT: possible to commit illegal source nat without translation .Aug 19 2020, 6:31 PM
runar created this task.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Design mistake.
c-po triaged this task as Normal priority.
erkin set Issue type to Bug (incorrect behavior).Aug 29 2021, 1:21 PM
erkin removed a subscriber: Active contributors.