
Broken address/subnet validation on NAT configuration
Closed, Resolved | Public | BUG


Reproducing steps:

set nat source rule 10 outbound-interface eth1
set nat source rule 10 translation address
set nat source rule 10 source address

Output on commit

[email protected]# commit
[ nat ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
- Consult the forum to see how to handle this issue
- Join our community on slack where our users exchange help and advice

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report Time:      2020-11-06 07:15:25
Image Version:    VyOS 1.3-rolling-202011060217
Release Train:    equuleus

Built by:         [email protected]
Built on:         Fri 06 Nov 2020 02:17 UTC
Build UUID:       4ccaf17b-c3b8-47af-84f1-0e94869e692c
Build Commit ID:  7662f6fac19d23

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:     
Hardware UUID:    3fc6b6fe-8c8d-4bda-a4cd-be9465fea031

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/", line 287, in <module>
  File "/usr/libexec/vyos/conf_mode/", line 275, in apply
  File "/usr/lib/python3/dist-packages/vyos/", line 179, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /tmp/vyos-nat-rules.nft
exit code: 1

cmd '/tmp/vyos-nat-rules.nft'
returned (out):

returned (err):
/tmp/vyos-nat-rules.nft:33:68-74: Error: syntax error, unexpected counter
add rule ip nat POSTROUTING oifname "eth1" ip saddr counter snat to comment "SRC-NAT-10"


Difficulty level: Easy (less than an hour)
Why the issue appeared?: Implementation mistake
Is it a breaking change?: Stricter validation
Issue type: Bug (incorrect behavior)

Event Timeline

Problem is the constraint statement in where ipv4-range returns 0 instead of 1.

$ /usr/libexec/vyos/validators/ipv4-address ; echo $?
$ /usr/libexec/vyos/validators/ipv4-prefix ; echo $?
$ /usr/libexec/vyos/validators/ipv4-range ; echo $?
$ /usr/libexec/vyos/validators/ipv4-address-exclude ; echo $?
$ /usr/libexec/vyos/validators/ipv4-prefix-exclude ; echo $?
$ /usr/libexec/vyos/validators/ipv4-range-exclude ; echo $?
c-po changed the task status from Open to Needs testing. (Nov 6 2020, 6:22 PM)
c-po claimed this task.
c-po triaged this task as High priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Stricter validation.
erkin set Issue type to Bug (incorrect behavior). (Aug 29 2021, 12:19 PM)
erkin removed a subscriber: Active contributors.
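
An added example, not VyOS code: a Python validator showing the fail-closed behaviour the comment in the timeline describes, where an empty or malformed NAT address value yields exit status 1 instead of 0, so it never reaches the generated nft file. The function names, the accepted forms (address, prefix, range, each optionally prefixed with `!`) and the start <= end rule for ranges are assumptions.

```python
import ipaddress
import sys


def _is_address(s):
    try:
        ipaddress.IPv4Address(s)  # raises on "" as well as on malformed input
        return True
    except ValueError:
        return False


def _is_prefix(s):
    # "a.b.c.d/len" with a decimal length of 0..32
    addr, sep, plen = s.partition("/")
    if not sep or not (plen.isascii() and plen.isdigit()):
        return False
    return _is_address(addr) and int(plen) <= 32


def _is_range(s):
    # "start-end": both ends valid and start <= end (ordering rule is an assumption)
    start, sep, end = s.partition("-")
    if not sep or not (_is_address(start) and _is_address(end)):
        return False
    return ipaddress.IPv4Address(start) <= ipaddress.IPv4Address(end)


def validate_nat_address(value):
    """Return 0 for a valid value, 1 otherwise (validator exit-status convention)."""
    if value is None:
        return 1
    if value.startswith("!"):  # the "-exclude" forms negate the match
        value = value[1:]
    if not value:
        # An empty value is what left "ip saddr counter" in the nft rule above.
        return 1
    ok = _is_address(value) or _is_prefix(value) or _is_range(value)
    return 0 if ok else 1


if __name__ == "__main__":
    # A missing argument is treated as an empty value and rejected.
    sys.exit(validate_nat_address(sys.argv[1] if len(sys.argv) > 1 else ""))
```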