When using a negated prefix in a NAT66 source rule, the commit fails with the following error:
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/nat66.py", line 127, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/nat66.py", line 101, in generate
    render(nftables_nat66_config, 'firewall/nftables-nat66.j2', nat, permission=0o755)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 142, in render
    rendered = render_to_string(template, content, formater, location)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 111, in render_to_string
    rendered = template.render(content)
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 1301, in render
    self.environment.handle_exception()
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 936, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "/usr/share/vyos/templates/firewall/nftables-nat66.j2", line 28, in top-level template code
    {{ config | nat_rule(rule, 'source', ipv6=True) }}
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 660, in nat_rule
    return parse_nat_rule(rule_conf, rule_id, nat_type, ipv6)
  File "/usr/lib/python3/dist-packages/vyos/nat.py", line 153, in parse_nat_rule
    addr_prefix = addr[1:]
TypeError: 'NoneType' object is not subscriptable
This is because the code on line 153 was likely copy/pasted from the IPv4 code above it, which works because a NAT44 rule and a NAT66 destination rule use `address` rather than `prefix`; only a NAT66 source rule uses `prefix`, so `addr` is None there and stripping the leading `!` from it fails.
Intended configuration
set nat66 source rule 10 description 'NAT exclude loopbacks'
set nat66 source rule 10 destination prefix '!fd12:3456:789a:ffff::/64'
set nat66 source rule 10 outbound-interface 'eth0'
set nat66 source rule 10 source prefix 'fd12:3456:c0de:1::/64'

nat66 {
    source {
        rule 10 {
            description "NAT exclude loopbacks"
            destination {
                prefix !fd12:3456:789a:ffff::/64
            }
            outbound-interface eth0
            source {
                prefix fd12:3456:c0de:1::/64
            }
            translation {
                address masquerade
            }
        }
    }
}
The solution is simply to change line 153 to `addr_prefix = addr_prefix[1:]`.
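To make the failure and the fix concrete, here is an added example that is not VyOS's own vyos/nat.py: a minimal reconstruction of the address/prefix negation handling the traceback points at, with the buggy line and the proposed one-line fix side by side. The rule dictionary layout (a per-side 'address' or 'prefix' string with a leading '!' for negation), the helper names (`nat_match_buggy`, `nat_match_fixed`, `reproduce`) and the nftables fragments they return are assumptions for illustration; only the field names, the negation syntax and the NoneType failure come from the report.

```python
"""Added example, not VyOS's own vyos/nat.py: a minimal reconstruction of the
address/prefix negation handling the traceback points at, with the buggy line
and the proposed one-line fix side by side.

Assumed for illustration: the rule is a dict keyed by match side ('source' or
'destination') holding either an 'address' or a 'prefix' string, a leading '!'
means negation, and the helpers return an nftables match fragment."""


def _match_fragment(family, direction, value, negate):
    # nftables spelling of a (possibly negated) match, e.g. "ip6 daddr != fd12::/64"
    return f"{family} {direction} {'!= ' if negate else ''}{value}"


def _context(rule_conf, side, ipv6):
    # Pull both possible match keys; whichever the config does not use is None.
    conf = rule_conf.get(side, {})
    family = 'ip6' if ipv6 else 'ip'
    direction = 'saddr' if side == 'source' else 'daddr'
    return family, direction, conf.get('address'), conf.get('prefix')


def nat_match_buggy(rule_conf, side, ipv6=False):
    """Mirrors the failing logic: the 'prefix' branch strips '!' from `addr`,
    the variable that belongs to the 'address' branch. `addr` is None whenever
    the rule uses 'prefix', so a negated prefix raises TypeError."""
    family, direction, addr, addr_prefix = _context(rule_conf, side, ipv6)

    if addr is not None:                  # 'address': NAT44 and NAT66 destination rules
        negate = addr.startswith('!')
        if negate:
            addr = addr[1:]
        return _match_fragment(family, direction, addr, negate)

    if addr_prefix is not None:           # 'prefix': NAT66 source rules
        negate = addr_prefix.startswith('!')
        if negate:
            addr_prefix = addr[1:]        # BUG: addr is None here
        return _match_fragment(family, direction, addr_prefix, negate)

    return ''


def nat_match_fixed(rule_conf, side, ipv6=False):
    """Same logic with the fix from the report: strip the '!' from addr_prefix itself."""
    family, direction, addr, addr_prefix = _context(rule_conf, side, ipv6)

    if addr is not None:
        negate = addr.startswith('!')
        if negate:
            addr = addr[1:]
        return _match_fragment(family, direction, addr, negate)

    if addr_prefix is not None:
        negate = addr_prefix.startswith('!')
        if negate:
            addr_prefix = addr_prefix[1:]  # FIX
        return _match_fragment(family, direction, addr_prefix, negate)

    return ''


# Constructed rule mirroring the report's "set nat66 source rule 10 ..." lines.
RULE_10 = {
    'destination': {'prefix': '!fd12:3456:789a:ffff::/64'},
    'outbound-interface': 'eth0',
    'source': {'prefix': 'fd12:3456:c0de:1::/64'},
    'translation': {'address': 'masquerade'},
}


def reproduce(rule_conf=RULE_10):
    """Return the TypeError message the buggy code produces, or None if it renders."""
    try:
        nat_match_buggy(rule_conf, 'destination', ipv6=True)
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    print('buggy :', reproduce())
    for side in ('source', 'destination'):
        print('fixed :', nat_match_fixed(RULE_10, side, ipv6=True))
    # A negated NAT44 address never hits the bug because 'address' is set.
    print('nat44 :', nat_match_buggy({'source': {'address': '!192.0.2.0/24'}}, 'source'))
```

Running it shows why the bug only surfaces for NAT66 source rules: the negated NAT44 address takes the 'address' branch and renders fine, while the same negation on a 'prefix' hits `addr[1:]` with `addr` unset. The non-negated source prefix of rule 10 renders correctly even with the buggy code, which is why the rule works until a `!` is added.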
Presumably this exists in all versions, so a backport would be good as well.