
Warn when a nat rule evicts a set of other active rules
Open, Wishlist, Public, Feature Request

Description

[This issue is described using a destination nat44 example, but it may apply to other classes of translation as well. A warning mechanism is suggested here, although it might be preferable to prioritize rule processing by some notion of strictest-criteria-first matching instead.]

It appears that destination nat rules are processed in order of their rule id. So it is easy to add a new destination nat rule with an id lower than the current maximum id among a set of active rules and render the rules with higher ids ineffective. This can happen when you inadvertently omit the destination port number while creating a new rule. (In the example configuration, rule 8443 already existed and was working, and rule 443 was added later.)

rule 443 {
    destination {
    }
    inbound-interface eth0
    protocol tcp_udp
    translation {
        address 192.168.1.10
        port 443
    }
}
rule 8443 {
    destination {
        port 8443
    }
    inbound-interface eth0
    protocol tcp
    translation {
        address 192.168.1.20
    }
}

To address the issue, a procedure like the following might be suggested:
Analyze the set nat destination configuration data by the following criteria (each list item adds a depth level to the tree, top to bottom, while the members of each set extend its breadth, left to right):

  1. inbound-interface {individual-interface-1, individual-interface-2, ... , any}
  2. destination address {prefix1/30, prefix2/24, ... , any}
  3. destination port number {1,2, ... , any}
  4. protocol {tcp-or-udp, tcp-and-udp, ... , any}

Here any is either the literal any configuration token or an absent configuration node, which implies any.

Now we may analyze the tree in a breadth-first manner and produce a warning whenever a farther node (relatively to the right, i.e. more general) has a lower rule id than a nearer node (relatively to the left, i.e. more specific).
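The shadowing check described above, written out as an added example (this is not VyOS code and not the reporter's own; it is a stand-alone illustration). It assumes rules are already available as plain dicts keyed by the same criteria as the tree (inbound-interface, destination-address, destination-port, protocol), with an absent key meaning any, and it handles only single ports, not port ranges. Instead of building the tree explicitly, it applies the equivalent pairwise test: a rule with a lower id that matches a superset of another rule's traffic is processed first and leaves the higher-id rule unreachable. The sample rules are constructed from the 443/8443 example on this page plus one extra rule on a different interface to show a non-shadowed case.

```python
"""Hypothetical checker: report destination NAT rules that can never match
because a lower-numbered, more general rule already catches their traffic."""
import ipaddress

ANY = "any"  # stands in for both the literal 'any' token and an absent node

# Constructed sample rules (not a real VyOS configuration dump):
# rule 443 is missing its destination port, so it matches any port.
EXAMPLE_RULES = {
    100:  {"inbound-interface": "eth1", "destination-port": 80, "protocol": "tcp"},
    443:  {"inbound-interface": "eth0", "protocol": "tcp_udp"},
    8443: {"inbound-interface": "eth0", "destination-port": 8443, "protocol": "tcp"},
}

def normalize(rule):
    """Fill in absent criteria with ANY, mirroring the 'non-present implies any' notion."""
    keys = ("inbound-interface", "destination-address", "destination-port", "protocol")
    return {k: rule.get(k, ANY) for k in keys}

def covers_interface(general, specific):
    return general == ANY or general == specific

def covers_address(general, specific):
    """True when every address matched by 'specific' is also matched by 'general'."""
    if general == ANY:
        return True
    if specific == ANY:
        return False
    try:
        return ipaddress.ip_network(specific, strict=False).subnet_of(
            ipaddress.ip_network(general, strict=False))
    except TypeError:  # IPv4 prefix compared with an IPv6 prefix: no overlap
        return False

def covers_port(general, specific):
    if general == ANY:
        return True
    if specific == ANY:
        return False
    return int(general) == int(specific)

def covers_protocol(general, specific):
    """tcp_udp covers tcp and udp; all/any covers everything."""
    general, specific = str(general), str(specific)
    if general in (ANY, "all"):
        return True
    if specific in (ANY, "all"):
        return False
    expand = lambda p: {"tcp", "udp"} if p == "tcp_udp" else {p}
    return expand(specific) <= expand(general)

def rule_covers(general, specific):
    """True when 'general' matches every packet that 'specific' would match."""
    g, s = normalize(general), normalize(specific)
    return (covers_interface(g["inbound-interface"], s["inbound-interface"])
            and covers_address(g["destination-address"], s["destination-address"])
            and covers_port(g["destination-port"], s["destination-port"])
            and covers_protocol(g["protocol"], s["protocol"]))

def shadowed_rules(rules):
    """Return (shadowed_id, shadowing_id) pairs; rules are evaluated in ascending id order,
    so a lower-id rule that covers a higher-id rule makes the latter unreachable."""
    found = []
    ordered = sorted(rules)
    for i, low in enumerate(ordered):
        for high in ordered[i + 1:]:
            if rule_covers(rules[low], rules[high]):
                found.append((high, low))
    return found

if __name__ == "__main__":
    for shadowed, by in shadowed_rules(EXAMPLE_RULES):
        print(f"warning: rule {shadowed} can never match, rule {by} already covers its traffic")
```

Running the script on the sample rules reports only rule 8443 as shadowed by rule 443; rule 100 is untouched because its inbound interface differs. A commit-time hook could run the same pairwise test over the candidate configuration and refuse, or at least warn, before a rule with an omitted criterion silently takes over existing translations.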

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Alfa80 created this object in space S1 VyOS Public.
Alfa80 changed Issue type from Unspecified (please specify) to Feature (new functionality). Feb 6 2023, 8:35 PM
Viacheslav changed the subtype of this task from "Task" to "Feature Request". Feb 7 2023, 9:13 AM
Viacheslav triaged this task as Wishlist priority. Jan 20 2024, 11:42 AM
Viacheslav added a project: VyOS 1.5 Circinus.