Page MenuHomeVyOS Platform
Create Task
Maniphest T4138

NAT configuration allows to set incorrect port range and invalid port
Closed, ResolvedPublicBUG
Actions

Description

To reproduce, set nat configuration with incorrect port-range

set nat destination rule 120 destination address '203.0.113.1'
set nat destination rule 120 destination port 21-18
set nat destination rule 120 inbound-interface 'eth0'
set nat destination rule 120 protocol 'tcp'
set nat destination rule 120 translation address '192.0.2.40'

Commit:

vyos@r11-roll# commit
[ nat ]
VyOS had an issue completing a command.

Report time:      2022-01-04 14:04:08
Image version:    VyOS 1.4-rolling-202201020317
Release train:    sagitta

Built by:         [email protected]
Built on:         Sun 02 Jan 2022 03:17 UTC
Build UUID:       4ede964a-6099-4799-b36e-a22a6b9a1914
Build commit ID:  e933c7e50fd4f0

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    8e21d64e-e498-475c-9866-290cd53a3b86

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat.py", line 199, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/nat.py", line 187, in apply
    cmd(f'{nftables_nat_config}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /tmp/vyos-nat-rules.nft
returned: 
exit code: 1

noteworthy:
cmd '/tmp/vyos-nat-rules.nft'
returned (out):

returned (err):
/tmp/vyos-nat-rules.nft:11:92-96: Error: Range has zero or negative size
add rule ip nat PREROUTING iifname "eth0" ip protocol tcp ip daddr 203.0.113.1 tcp dport { 21-18 } counter dnat to 192.0.2.40 comment "DST-NAT-120"
                                                                                           ^^^^^

[[nat]] failed
Commit failed
[edit]
vyos@r11-roll#

Also, it allows to set port out of the port-range:

vyos@r11-roll# set nat destination rule 120 destination port 70000

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202201020317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

Viacheslav created this task.Jan 4 2022, 12:05 PM
Viacheslav renamed this task from NAT configuration allows to set incorrect port range to NAT configuration allows to set incorrect port range and invalid port.Jan 4 2022, 12:14 PM
Viacheslav updated the task description. (Show Details)
pasik added a subscriber: pasik.Jan 4 2022, 1:41 PM
n.fort added a subscriber: n.fort.Jan 22 2022, 2:37 PM

Error still present on VyOS 1.4-rolling-202201180317

Viacheslav changed the task status from Open to In progress.Jan 25 2022, 7:06 PM
Viacheslav claimed this task.
Viacheslav added a comment.Jan 25 2022, 7:16 PM

PR https://github.com/vyos/vyos-1x/pull/1191

Viacheslav mentioned this in T4210: NAT source/destination negated ports throws an error.Jan 25 2022, 8:43 PM
Viacheslav changed the task status from In progress to Needs testing.Jan 27 2022, 2:00 PM
Viacheslav closed this task as Resolved.Feb 1 2022, 9:31 AM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.