Maybe we should add check to NAT66 to enforce the given address

The NAT issue is discussed later

Why would you enforce an address? It is perfectly OK to have port-only DNAT66 without any destination address such as:
nft add rule ip6 nat PREROUTING iifname eth1 counter tcp dport 443 dnat to :3000
Problem is that the test logic breaks on this and spits out a wrong statement to NFT that barfs on it.

@Netboy3 Let me modify the template to support

PR: https://github.com/vyos/vyos-1x/pull/1550

@jack9603301, your PR solves the NAT66 issue - thank you. However, the change you made to nat.py to try to solve the NAT44 issue is not complete and seem to also require a template change. I'll post additional details in the PR.

Included a fix for this in NAT refactor: https://github.com/vyos/vyos-1x/pull/1552

@jack9603301 I've tested your updated PR and it seems to work well now. Thank you for the quick response.
@sdev I've tested your PR and it seems to also fix both issues. I did not test anything beyond DNAT port only in both ip and ip6 families.

I suppose it's now up to the maintainers to verify and decide whether to use jack's fix, or the full refactor from sdev (or maybe apply the fix 1st and and after thorough testing use a rebased full refactor).

Again, thank you both for the hard work!

@sdev @Netboy3 I'll test if the new implementation is done and if the bug is fixed I'll close this PR, thanks