Page MenuHomeVyOS Platform
Create Task
Maniphest T4713

vyos@vyos:~$ show nat destination rules | doesn't work
Closed, ResolvedPublicBUG
Actions

Description

vyos@vyos:~$ show nat destination rules
Traceback (most recent call last):

File "/usr/libexec/vyos/op_mode/nat.py", line 302, in <module>
  res = vyos.opmode.run(sys.modules[__name__])
File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 147, in run
  res = func(**args)
File "/usr/libexec/vyos/op_mode/nat.py", line 276, in show_rules
  nat_rules = _get_raw_data_rules(direction, family)
File "/usr/libexec/vyos/op_mode/nat.py", line 70, in _get_raw_data_rules
  data = _get_json_data(direction, family)
File "/usr/libexec/vyos/op_mode/nat.py", line 63, in _get_json_data
  return cmd(f'sudo nft --json list chain {family} nat {chain}')
File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
  raise OSError(code, feedback)

PermissionError: [Errno 1] failed to run command: sudo nft --json list chain ip nat PREROUTING

Details

Difficulty level
Unknown (require assessment)
Version
vyos-1.4-rolling-202209220743-amd64.iso
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

icyfire0573 created this task.Sep 27 2022, 9:28 AM
Viacheslav added a subscriber: Viacheslav.EditedSep 27 2022, 9:34 AM

Should be fixed in the commit https://github.com/vyos/vyos-1x/pull/1552/files#diff-9e98077e1229d7a89e26efdc517896728265a8669e8824aaf92611b113fa3516L47
T4605
Try the latest rolling

icyfire0573 added a comment.Sep 27 2022, 8:52 PM

still no good
vyos@vyos:~$ show nat destination rules
Traceback (most recent call last):

File "/usr/libexec/vyos/op_mode/nat.py", line 302, in <module>
  res = vyos.opmode.run(sys.modules[__name__])
File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 147, in run
  res = func(**args)
File "/usr/libexec/vyos/op_mode/nat.py", line 280, in show_rules
  return _get_formatted_output_rules(nat_rules, direction, family)
File "/usr/libexec/vyos/op_mode/nat.py", line 112, in _get_formatted_output_rules
  if 'prefix' in match['right'] or 'set' in match['right']:

TypeError: argument of type 'int' is not iterable
vyos@vyos:~$ show version
Version: VyOS 1.4-rolling-202209260217
Release train: sagitta

Built by: [email protected]
Built on: Mon 26 Sep 2022 02:17 UTC
Build UUID: f9a4d640-3944-423f-b6e4-1a9366f3f275
Build commit ID: d1902bd7cc15d3

Architecture: x86_64
Boot via: installed image
System type: bare metal

Hardware vendor: LENOVO
Hardware model: 10KH0034US
Hardware S/N: MJ07G68S
Hardware UUID: 6aea4a08-b8f6-11e8-92af-967bb9910500

sarthurdev added a subscriber: sarthurdev.Sep 27 2022, 8:56 PM

Can we see example destination NAT config with the issue?

icyfire0573 added a comment.Sep 27 2022, 10:46 PM

vyos@vyos:~$ show configuration
firewall {

interface eth2 {
    in {
        name OUTSIDE-IN
    }
    local {
        name OUTSIDE-LOCAL
    }
}
name OUTSIDE-IN {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action accept
        destination {
            address 172.16.135.35
            port 8123
        }
        protocol tcp
        source {
        }
        state {
            new enable
        }
    }
    rule 21 {
        action accept
        destination {
            address 172.16.135.35
            port 443
        }
        protocol tcp
        state {
            new enable
        }
    }
    rule 30 {
        action accept
        destination {
            address 172.16.136.16
            port 22
        }
        protocol tcp
        source {
            address 13.90.97.251
        }
        state {
            new enable
        }
    }
    rule 40 {
        action accept
        destination {
            address 172.16.136.96
            port 1935,3478,3479,3480
        }
        protocol tcp
        state {
            new enable
        }
    }
    rule 41 {
        action accept
        destination {
            address 172.16.136.96
            port 3074,3478,3479
        }
        protocol udp
        state {
            new enable
        }
    }
}
name OUTSIDE-LOCAL {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action accept
        icmp {
            type-name echo-request
        }
        protocol icmp
        state {
            new enable
        }
    }
    rule 30 {
        action drop
        destination {
            port 22
        }
        protocol tcp
        recent {
            count 4
            time minute
        }
        state {
            new enable
        }
    }
    rule 31 {
        action accept
        destination {
            port 22
        }
        protocol tcp
        state {
            new enable
        }
    }
    rule 40 {
        action accept
        destination {
            address 172.16.136.35
            port 8123
        }
        protocol tcp
        state {
            new enable
        }
    }
}

}
interfaces {

ethernet eth0 {
    address 172.16.136.1/24
    description INSIDE
    hw-id 6c:4b:90:52:32:75
}
ethernet eth2 {
    address dhcp
    description OUTSIDE
    hw-id 7c:c2:c6:42:43:e1
}
loopback lo {
}
wireless wlan0 {
    hw-id 50:5b:c2:ca:e1:03
    physical-device phy0
}

}
nat {

destination {
    rule 10 {
        description "Port Forward: SSH to 172.16.136.16"
        destination {
            port 22
        }
        inbound-interface eth2
        protocol tcp
        source {
            address 13.90.97.251
        }
        translation {
            address 172.16.136.16
        }
    }
    rule 100 {
        description "HomeAssistant WAN"
        destination {
            port 8123
        }
        inbound-interface eth2
        protocol tcp
        translation {
            address 172.16.136.35
        }
    }
    rule 110 {
        description "HomeAssistant Reflection To"
        destination {
            port 8123
        }
        inbound-interface eth0
        protocol tcp
        translation {
            address 172.16.136.35
        }
    }
    rule 120 {
        description "Playstation - 172.16.136.96"
        destination {
            port 1935,3074,3478,3479,3480
        }
        inbound-interface eth2
        protocol tcp
        translation {
            address 172.16.136.96
        }
    }
}
source {
    rule 100 {
        outbound-interface eth2
        source {
            address 172.16.136.0/24
        }
        translation {
            address masquerade
        }
    }
    rule 110 {
        description "HomeAssistant Reflection From"
        destination {
            address 172.16.136.0/24
        }
        outbound-interface eth0
        protocol tcp
        source {
            address 172.16.136.0/24
        }
        translation {
            address masquerade
        }
    }
}

}
service {

dhcp-server {
    shared-network-name LAN {
        domain-search drutherford.com
        subnet 172.16.136.0/24 {
            default-router 172.16.136.1
            domain-name drutherford.com
            lease 86400
            name-server 8.8.8.8
            name-server 1.1.1.1
            name-server 9.9.9.9
            range 0 {
                start 172.16.136.50
                stop 172.16.136.90
            }
            static-mapping Backyard-Camera-Wireless {
                ip-address 172.16.136.101
                mac-address 78:66:9D:7F:D7:73
            }
            static-mapping Garage-Camera-Wireless {
                ip-address 172.16.136.99
                mac-address 5C:C3:36:4C:D3:20
            }
            static-mapping Green {
                ip-address 172.16.136.16
                mac-address DC:A6:32:6D:20:54
            }
            static-mapping HomeAssistant {
                ip-address 172.16.136.35
                mac-address B8:27:EB:81:ED:01
            }
            static-mapping Playstation4 {
                ip-address 172.16.136.96
                mac-address 00:D9:D1:FD:E3:C8
            }
            static-mapping Pool-Camera-Wireless {
                ip-address 172.16.136.100
                mac-address 78:66:9D:5B:F8:9C
            }
            static-mapping RasPBX {
                ip-address 172.16.136.102
                mac-address B8:27:EB:BA:9C:BD
            }
            static-mapping Roku-3 {
                ip-address 172.16.136.98
                mac-address B8:3E:59:B3:DF:DB
            }
            static-mapping Roku-Ultra {
                ip-address 172.16.136.97
                mac-address 88:DE:A9:C1:C0:41
            }
            static-mapping client1 {
                ip-address 172.16.136.102
                mac-address B8:27:EB:BA:9C:BD
            }
        }
    }
}
ssh {
    port 22
}

}
system {

config-management {
    commit-revisions 100
}
conntrack {
    modules {
        ftp
        h323
        nfs
        pptp
        sip
        sqlnet
        tftp
    }
}
console {
    device ttyS0 {
        speed 115200
    }
}
host-name vyos
login {
    user vyos {
        authentication {
            encrypted-password ****************
        }
    }
}
ntp {
    server time1.vyos.net {
    }
    server time2.vyos.net {
    }
    server time3.vyos.net {
    }
}
syslog {
    global {
        facility all {
            level info
        }
        facility protocols {
            level debug
        }
    }
}

}

sarthurdev changed the task status from Open to Confirmed.Sep 28 2022, 9:57 AM
Viacheslav added a comment.EditedSep 28 2022, 10:54 AM

Maybe incorrect parsing of port ranges (comma-separated)

rule 120 {
    description "Playstation - 172.16.136.96"
    destination {
        port 1935,3074,3478,3479,3480
    }
sarthurdev changed the task status from Confirmed to Needs testing.Sep 28 2022, 11:13 AM
sarthurdev claimed this task.

PR: https://github.com/vyos/vyos-1x/pull/1564

pasik added a subscriber: pasik.Sep 28 2022, 1:14 PM
Viacheslav added a comment.Sep 29 2022, 10:17 AM

@icyfire0573 Could you re-check it?
Should be fixed in vyos-1.4-rolling-202209290218-amd64.iso

icyfire0573 added a comment.Sep 30 2022, 12:41 AM

I installed the latest release and its not working for me. Whenever I boot I lose eth0 and eth2 interfaces.
I end up with an eth1 (previously eth2) interface and startup errors that seem to indicate that migrate failed.
I would reconfigure everything to help test this, but I do need two network interfaces.

Sep 30 00:13:16 vyos systemd[1]: opt-vyatta-config-tmp-new_config_1064.mount: Succeeded.
Sep 30 00:13:18 vyos systemd[1]: opt-vyatta-config-tmp-new_config_1064.mount: Succeeded.
Sep 30 00:13:18 vyos vyos-router[796]: Starting VyOS router: migrate configure
Sep 30 00:13:18 vyos vyos-router[2017]: failed!
Sep 30 00:13:18 vyos systemd[1]: Reloading.
Sep 30 00:13:18 vyos vyos-config[803]: Configuration error

Rebooting back to the previous version gets me back up and running fine.

n.fort added a subscriber: n.fort.Jul 11 2023, 2:40 PM

@icyfire0573 Can you re-check if nat op-mode commands works for you?

icyfire0573 added a comment.Jul 12 2023, 11:19 PM

I can't test this at this time. I stopped using the platform

Viacheslav closed this task as Resolved.Jul 13 2023, 7:58 AM