
connection-status nat destination firewall filter not working in 1.4.0-epa1
Closed, Resolved · Public · BUG

Description

Hi

It seems like

connection-status {
    nat destination
}

has been broken somewhere between 1.4.x-rolling-202312290303 and epa1.

We are seeing multiple reports that explicitly defining the protocol, ports and destination address works, but using the nat destination filter does not.

Copy of my post on the forum:

Hi

I just want to add that I am also seeing issues with DNAT after moving from 1.4.x-rolling-202312290303 to 1.4.0-epa1

Some testing seems to indicate that

connection-status {
    nat destination
}

is not working correctly.

If I add explicit rules to the firewall instead, then the traffic starts passing correctly.

In the example below, rules 10 and 20 are the old rules while 30 and 40 are new rules that cover part of my DNAT.

default-action return
rule 10 {
    action accept
    connection-status {
        nat destination
    }
    source {
        geoip {
            country-code xxx
        }
    }
    state new
}
rule 20 {
    action accept
    connection-status {
        nat destination
    }
    source {
        group {
            address-group XXXX
        }
    }
    state new
}
rule 30 {
    action accept
    destination {
        address xxx.xxx.xxx.xxx
        port 80
    }
    protocol tcp_udp
    state new
}
rule 40 {
    action accept
    destination {
        address xxx.xxx.xxx.xxx
        port 443
    }
    protocol tcp_udp
    state new
}
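To audit which firewall rules depend on the connection-status nat destination matcher (and so would be affected by the regression described above) versus rules that match explicit destination address, port and protocol, here is a small parser for the brace-style config shown in this report. It is an added example, not VyOS code: the sample config is a constructed cut-down copy of the rules above, the function names are my own, and it also flattens the tree into the "set ..." command form the developers asked for, assuming single-quoted leaf values as in the set lines later on this page.

```python
"""Audit a VyOS-style brace config for rules relying on
'connection-status nat destination'.  Added example, not VyOS code."""

# Constructed sample: a reduced copy of the NAT_DEST chain from the report.
SAMPLE_CONFIG = """\
default-action return
rule 10 {
    action accept
    connection-status {
        nat destination
    }
    source {
        geoip {
            country-code xxx
        }
    }
    state new
}
rule 30 {
    action accept
    destination {
        address xxx.xxx.xxx.xxx
        port 80
    }
    protocol tcp_udp
    state new
}
"""


def parse_config(text):
    """Parse brace-delimited config into nested dicts.

    'key value' lines become {key: value}; 'key [value] {' opens a nested
    node keyed by the full header text (e.g. 'rule 10').
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced braces: stray '}'")
            stack.pop()
            continue
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces: unclosed block")
    return root


def classify_rules(config):
    """Map each 'rule N' to how it matches DNAT traffic.

    'nat-destination' relies on the connection-status matcher from the bug,
    'explicit' matches destination plus protocol directly, 'other' is neither.
    """
    result = {}
    for name, node in config.items():
        if not name.startswith("rule ") or not isinstance(node, dict):
            continue
        cs = node.get("connection-status")
        if isinstance(cs, dict) and cs.get("nat") == "destination":
            result[name] = "nat-destination"
        elif "destination" in node and "protocol" in node:
            result[name] = "explicit"
        else:
            result[name] = "other"
    return result


def to_set_commands(config, prefix):
    """Flatten the tree into 'set <prefix> ... key 'value'' lines."""
    commands = []

    def walk(node, path):
        for key, value in node.items():
            if isinstance(value, dict):
                walk(value, path + [key])
            else:
                commands.append(f"set {' '.join(path + [key])} '{value}'")

    walk(config, prefix.split())
    return commands


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for rule, kind in classify_rules(cfg).items():
        print(f"{rule}: {kind}")
    # 'firewall ipv4 name NAT_DEST' is the chain name used in the report.
    print("\n".join(to_set_commands(cfg, "firewall ipv4 name NAT_DEST")))
```

Running it on the sample reports rule 10 as relying on the nat destination matcher and rule 30 as an explicit match, which is exactly the split between the old and the new rules in the report.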

Details

Version
1.4.0-epa1, 1.5-rolling-202403050022
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

cnrd renamed this task from connection-status nat destination firewall filter not working in epa1 to connection-status nat destination firewall filter not working in 1.4.0-epa1.
Viacheslav triaged this task as Normal priority. Feb 24 2024, 1:06 PM
Viacheslav subscribed.

@cnrd Please provide the "set" commands to reproduce.
This will make life much easier for developers.

This example only contains the commands related to the bug, not for general setup.

Note that I have removed the translation address and inbound-interface name.

set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 20 action 'jump'
set firewall ipv4 forward filter rule 20 jump-target 'NAT_DEST'

set firewall ipv4 name NAT_DEST default-action 'return'
set firewall ipv4 name NAT_DEST rule 10 action 'accept'
set firewall ipv4 name NAT_DEST rule 10 connection-status nat destination
set firewall ipv4 name NAT_DEST rule 10 state 'new'

set nat destination rule 100 description 'HTTP'
set nat destination rule 100 destination port '80'
set nat destination rule 100 inbound-interface name 'y'
set nat destination rule 100 protocol 'tcp_udp'
set nat destination rule 100 translation address 'xxx.xxx.xxx.xxx'
set nat destination rule 110 description 'HTTPS'
set nat destination rule 110 destination port '443'
set nat destination rule 110 inbound-interface name 'y'
set nat destination rule 110 protocol 'tcp_udp'
set nat destination rule 110 translation address 'xxx.xxx.xxx.xxx'
n.fort raised the priority of this task from Normal to High. Mar 5 2024, 11:03 AM
n.fort added a project: VyOS 1.5 Circinus.
n.fort changed Version from 1.4.0-epa1 to 1.4.0-epa1, 1.5-rolling-202403050022.
n.fort changed the task status from In progress to Needs testing. Mar 6 2024, 1:24 PM

Just wanted to follow up: I have now tested this and can confirm that everything is working as expected.