Page MenuHomeVyOS Platform
Create Task
Maniphest T3435

NAT rules show corruption
Closed, ResolvedPublicBUG
Actions

Description

vyos@vyos:~$ show nat source rules 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 43, in <module>
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
    comment = data['comment']
KeyError: 'comment'

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

jack9603301 created this task.Mar 26 2021, 10:51 AM
jack9603301 changed the task status from Open to In progress.
jack9603301 claimed this task.
jack9603301 triaged this task as High priority.
jack9603301 moved this task from Open to In Progress on the VyOS 1.4 Sagitta board.
jack9603301 added a comment.Mar 26 2021, 11:08 AM

PR: https://github.com/vyos/vyos-1x/pull/791

Restricted Repository Identity mentioned this in rVYOSONEX9056f329844c: Merge pull request #791 from jack9603301/T3435.Apr 9 2021, 11:44 AM
jack9603301 mentioned this in rVYOSONEXc0ace670de5f: nat: op-mode: T3435: Improved validation logic for the output of operational….Apr 9 2021, 11:44 AM
jack9603301 mentioned this in rVYOSONEX6dcdb233eae6: nat: op-mode: T3435: Filter extra rules that should not be processed.
pasik subscribed.Apr 9 2021, 1:35 PM
jack9603301 closed this task as Resolved.Apr 11 2021, 10:14 AM
jack9603301 moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.
Viacheslav reopened this task as Open.Sep 24 2021, 12:33 PM
n.fort subscribed.Sep 24 2021, 12:35 PM

Bug still present.

Version

vyos@vyos:~$ show ver

Version:          VyOS 1.4-rolling-202109240217
Release train:    sagitta

Command Output:

vyos@vyos:~$ show nat source rules 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 114, in <module>
    print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))
IndexError: list index out of range
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
ahovda subscribed.Oct 29 2021, 11:58 PM

To fix some of this issue I modified line 102-103 in show_nat_rules.py:

if 'port' in tran_addr_json:
    tran_addr += 'port ' + str(tran_addr_json['port'])

I think using

isinstance(tran_addr_json['port'],int)

to check for nodes in the loaded json structure is not the best way to do it, you need to check if the key exists before you access its value in the isinstance() function.

There are still things that don't show correctly, e.g. I have some rules with a translation address range:

rule 380 {
    description "web proxy cluster"
    destination {
        address 123.123.123.123
        port https
    }
    inbound-interface any
    protocol tcp
    translation {
        address 192.168.4.81-192.168.4.83
        port 8443
    }
}

which simply now shows as

Rule       Destination                                        Translation                                        Inbound Interface
----       -----------                                        -----------                                        -----------------
380        port 443                                           port 8443                                          123.123.123.123

Here's some details and errors.

Version:          VyOS 1.4-rolling-202110292022
Release train:    sagitta
user@firewall:~$ show nat destination rules
Traceback (most recent call last):
Rule       Destination                                        Translation                                        Inbound Interface
----       -----------                                        -----------                                        -----------------
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 102, in <module>
    if isinstance(tran_addr_json['port'],int):
KeyError: 'port'
user@firewall:~$ show nat source rules
Traceback (most recent call last):
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
102        10.102.0.0/16                                      masquerade                                         eth2
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 102, in <module>
    if isinstance(tran_addr_json['port'],int):
KeyError: 'port'
SrividyaA subscribed.EditedDec 19 2021, 11:18 AM

It gives a different error when the translation port option is configured for both the source and destination nat:

vyos@vyos# run sh conf comm | grep nat
set nat destination rule 100 description 'Regular destination NAT from external'
set nat destination rule 100 destination port '3389'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '192.0.2.40'
set nat destination rule 100 translation port '80'
vyos@vyos# run sh nat destination rules
Rule       Destination                                        Translation                                        Inbound Interface
----       -----------                                        -----------                                        -----------------
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 103, in <module>
    tran_addr += 'port ' + tran_addr_json['port']
TypeError: can only concatenate str (not "int") to str

For SNAT, if the translation address is configured to "masquerade" then the error is not seen.

vyos@vyos# run sh nat source rules

Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
110        192.0.2.0/24                                       masquerade                                         eth1
Viacheslav subscribed.Dec 21 2021, 8:52 AM

PR https://github.com/vyos/vyos-1x/pull/1114

vyos@r11-roll:~$ show nat destination rules 
Rule       Destination                                        Translation                                        Inbound Interface
----       -----------                                        -----------                                        -----------------
100        port 3389                                          192.0.2.40 port 80                                 eth0      
vyos@r11-roll:~$
Viacheslav lowered the priority of this task from High to Normal.Dec 21 2021, 8:52 AM
Viacheslav set Issue type to Unspecified (please specify).
Viacheslav edited a custom field.
Viacheslav changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).
Restricted Repository Identity mentioned this in rVYOSONEX9275fd942cef: Merge pull request #1114 from sever-sever/T3435-nat.Dec 21 2021, 9:05 AM
Viacheslav mentioned this in rVYOSONEX458e0c5c6172: nat: T3435: Fix for op-mode concatenate str.Dec 21 2021, 9:05 AM
Viacheslav closed this task as Resolved.Dec 21 2021, 9:16 AM
Viacheslav reopened this task as Needs testing.Dec 21 2021, 9:56 AM
Viacheslav moved this task from Finished to In Progress on the VyOS 1.4 Sagitta board.Dec 21 2021, 9:58 AM

There is still another bug:

set nat destination rule 120 destination address '203.0.113.1'
set nat destination rule 120 inbound-interface 'eth0'
set nat destination rule 120 protocol 'tcp'
set nat destination rule 120 translation address '192.0.2.40'

Show:

vyos@r11-roll:~$ show nat destination rules 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 102, in <module>
    if isinstance(tran_addr_json['port'],int):
Rule       Destination                                        Translation                                        Inbound Interface
----       -----------                                        -----------                                        -----------------
KeyError: 'port'
vyos@r11-roll:~$
n.fort added a comment.Jan 3 2022, 6:57 PM

Error still present on VyOS 1.4-rolling-202201020317

vyos@vyos:~$ show nat source rules 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 114, in <module>
    print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))
IndexError: list index out of range
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
vyos@vyos:~$ show ver

Version:          VyOS 1.4-rolling-202201020317
Release train:    sagitta

Nat config in this example:

vyos@vyos:~$ show config comm | grep nat
set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'
jack9603301 added a comment.Jun 3 2022, 12:19 PM
In T3435#115394, @n.fort wrote:

Error still present on VyOS 1.4-rolling-202201020317

vyos@vyos:~$ show nat source rules 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 114, in <module>
    print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))
IndexError: list index out of range
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
vyos@vyos:~$ show ver

Version:          VyOS 1.4-rolling-202201020317
Release train:    sagitta

Nat config in this example:

vyos@vyos:~$ show config comm | grep nat
set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'

Hello, sorry I haven't come up for a long time, I even changed the main system to gentoo in the process, can I still encounter this problem now

diekos subscribed.Jul 16 2022, 11:47 AM
In T3435#115394, @n.fort wrote:

Error still present on VyOS 1.4-rolling-202201020317

vyos@vyos:~$ show nat source rules 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 114, in <module>
    print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))
IndexError: list index out of range
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
vyos@vyos:~$ show ver

Version:          VyOS 1.4-rolling-202201020317
Release train:    sagitta

Nat config in this example:

vyos@vyos:~$ show config comm | grep nat
set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'

Still present in VyOS 1.4-rolling-202207160217.
Seems to occur when no source address is given on the SNAT rule.

I get the error with the following config:

set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'
vyos@vyos:~$ show nat source rules 
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 114, in <module>
    print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))
IndexError: list index out of range

But get correct output with the following config:

set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.0.0/24'
set nat source rule 10 translation address 'masquerade'
vyos@vyos:~$ show nat source rules 
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
10         172.16.0.0/24                                      masquerade                                         eth0
Viacheslav added a comment.Jul 17 2022, 8:21 AM

PR https://github.com/vyos/vyos-1x/pull/1417

set nat destination rule 120 destination address '203.0.113.1'
set nat destination rule 120 inbound-interface 'eth0'
set nat destination rule 120 protocol 'tcp'
set nat destination rule 120 translation address '192.0.2.40'

set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'

Show nat:

vyos@r14# run show nat destination rules 
Rule       Destination                                        Translation                                        Inbound Interface
----       -----------                                        -----------                                        -----------------
120        tcp                                                192.0.2.40                                         eth0      
           203.0.113.1                                                                                                     
[edit]
vyos@r14# 
[edit]
vyos@r14# run show nat source  rules 
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
10         any                                                masquerade                                         eth0      
[edit]
vyos@r14#
Restricted Repository Identity mentioned this in rVYOSONEX3705f9164101: Merge pull request #1417 from sever-sever/T3435.Jul 17 2022, 8:24 AM
Viacheslav mentioned this in rVYOSONEX08b1cdd5b686: op-mode: T3435: Fix SNAT any address and DNAT port dict check.Jul 17 2022, 8:24 AM
Viacheslav closed this task as Resolved.Jul 17 2022, 8:28 AM
Viacheslav moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.
Viacheslav reopened this task as Needs testing.Jul 17 2022, 8:50 AM
Viacheslav moved this task from Finished to Open on the VyOS 1.4 Sagitta board.
diekos added a comment.Jul 18 2022, 11:09 AM

Confirmed to work correctly on version VyOS 1.4-rolling-202207180802.

set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'

Results in:

vyos@vyos:~$ show nat source rules
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
10         any                                                masquerade                                         eth0

And for destination NAT rule of @Viacheslav:

set nat destination rule 120 destination address '203.0.113.1'
set nat destination rule 120 inbound-interface 'eth0'
set nat destination rule 120 protocol 'tcp'
set nat destination rule 120 translation address '192.0.2.40'
vyos@vyos:~$ show nat destination rules
Rule       Destination                                        Translation                                        Inbound Interface
----       -----------                                        -----------                                        -----------------
120        tcp                                                192.0.2.40                                         eth0
           203.0.113.1
Viacheslav mentioned this in T4545: Rewrite show nat source rules.Jul 19 2022, 5:04 PM
masterit subscribed.Jul 26 2022, 7:48 PM
Viacheslav closed this task as Resolved.Jul 28 2022, 10:22 AM
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.