Page MenuHomeVyOS Platform
Create Task
Maniphest T2813

NAT: possible to commit illegal source nat without translation
Closed, ResolvedPublicBUG
Actions

Description

It is possible to commit an illegal nat configuration, in this example the translation address is not specified on commit and it renders an exception.

This example is from a newly installed iso.

Welcome to VyOS - vyos ttyS0

vyos login: vyos
Password:
Linux vyos 4.19.139-amd64-vyos #1 SMP Sat Aug 15 09:30:29 UTC 2020 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
vyos@vyos:~$ conf
[edit]
vyos@vyos# set nat source rule 100 outbound-interface eth0
[edit]
vyos@vyos# commit
[ nat ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
  https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
  https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report Time:      2020-08-19 16:58:25
Image Version:    VyOS 1.3-rolling-202008190118
Release Train:    equuleus

Built by:         autobuild@vyos.net
Built on:         Wed 19 Aug 2020 01:18 UTC
Build UUID:       bb4ab508-0e69-48c4-ba73-f559c811a083
Build Commit ID:  9cb142f438773c

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    Unknown

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat.py", line 271, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/nat.py", line 259, in apply
    cmd(f'{iptables_nat_config}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 179, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /tmp/vyos-nat-rules.nft
returned:
exit code: 1

noteworthy:
cmd '/tmp/vyos-nat-rules.nft'
returned (out):

returned (err):
/tmp/vyos-nat-rules.nft:41:61-67: Error: syntax error, unexpected comment
add rule ip nat POSTROUTING oifname "eth0" counter snat to  comment "DST-NAT-100"
                                                            ^^^^^^^

[[nat]] failed
Commit failed
[edit]
vyos@vyos#

Details

Version
VyOS 1.3-rolling-202008190118
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

runar created this task.Aug 19 2020, 6:31 PM
runar renamed this task from NAT: possible to commit illegal source nat without destination to NAT: possible to commit illegal source nat without translation .
pasik subscribed.Aug 19 2020, 7:16 PM
c-po claimed this task.Aug 25 2020, 6:16 AM
c-po edited a custom field.
c-po edited a custom field.
c-po mentioned this in rVYOSONEX0831c6668915: nat: T2813: translation address is mandatory if rule is not excluded.Aug 28 2020, 7:15 PM
c-po closed this task as Resolved.Aug 28 2020, 7:17 PM
c-po triaged this task as Normal priority.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 23 2020, 5:24 PM
erkin set Issue type to Bug (incorrect behavior).Aug 29 2021, 1:21 PM
erkin removed a subscriber: Global Notifications.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 12:26 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.