Page MenuHomeVyOS Platform
Create Task
Maniphest T7696

"show nat source/destination rules" proto column is inaccurate
Closed, ResolvedPublicBUG
Actions

Description

I've noticed that the output from "show nat source rules" or "show nat destination rules" is incorrect.

For example:

tim@ferrari:~$ show nat source rules
Rule    Source          Destination                      Proto    Out-Int            Translation
------  --------------  -------------------------------  -------  -----------------  -------------
200     192.168.0.0/16  192.168.0.7                      IP       eth1               masquerade
        sport any       dport 8123
210     192.168.0.0/16  192.168.0.5                      TCP      eth1               masquerade
        sport any       dport 8920,8920
220     192.168.0.0/16  192.168.0.3                      IP       eth1               masquerade
        sport any       dport 8443
230     192.168.0.0/16  192.168.0.5                      IP       eth1               masquerade
        sport any       dport {'range': [60000, 60010]}
500     192.168.0.0/16  192.168.0.5                      IP       eth1               masquerade
        sport any       dport 53
1000    192.168.0.0/16  0.0.0.0/0                        IP       @I_wan-interfaces  masquerade
        sport any       dport any

But:

set nat source rule 230 description 'Hairpin NAT for Mosh Shell on Micro'
set nat source rule 230 destination address '192.168.0.5'
set nat source rule 230 destination port '60000-60010'
set nat source rule 230 outbound-interface name 'eth1'
set nat source rule 230 protocol 'udp'
set nat source rule 230 source address '192.168.0.0/16'
set nat source rule 230 translation address 'masquerade'

So Proto should show "UDP" for rule 230

Another example:

tim@ferrari:~$ show nat destination rules
Rule    Source                                       Destination                      Proto    In-Int             Translation
------  -------------------------------------------  -------------------------------  -------  -----------------  -------------
50      0.0.0.0/0                                    0.0.0.0/0                        any      @I_wan-interfaces  192.168.0.5
        sport any                                    dport 49919

Shows Proto "any" but this isn't correct, it's only TCP/UDP.

set nat destination rule 50 description 'rTorrent on Micro'
set nat destination rule 50 destination port '49919'
set nat destination rule 50 inbound-interface group 'wan-interfaces'
set nat destination rule 50 protocol 'tcp_udp'
set nat destination rule 50 translation address '192.168.0.5'

This is a very very minor bug - but could potentially cause confusion if someone is looking/auditing rules based off the output.

Details

Version
1.4.3
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

tjh created this task.Aug 6 2025, 10:22 PM
pasik subscribed.Aug 7 2025, 8:07 AM
Viacheslav edited projects, added VyOS 1.4 Sagitta (1.4.4); removed VyOS 1.4 Sagitta.EditedAug 8 2025, 11:36 AM
Viacheslav subscribed.

For the latest rolling seems fixed in T6371

vyos@r14# run show nat source rules 
Rule    Source          Destination        Proto    Out-Int    Translation
------  --------------  -----------------  -------  ---------  -------------
230     192.168.0.0/16  192.168.0.5        UDP      eth1       masquerade
        sport any       dport 60000-60010
[edit]
vyos@r14#
Viacheslav triaged this task as Normal priority.Aug 8 2025, 11:41 AM
Unknown Object (User) changed the task status from Open to Needs testing.Aug 20 2025, 5:23 PM
sarthurdev claimed this task.Sep 10 2025, 7:31 AM
sarthurdev added projects: VyOS Rolling, VyOS 1.5 Circinus (1.5-stream-2025-Q3).
sarthurdev subscribed.

PR: https://github.com/vyos/vyos-1x/pull/4707

sarthurdev mentioned this in rVYOSONEX177b65c006db: nat: T7696: Fix NAT op-mode output for protocol and interface groups.Sep 11 2025, 2:12 PM
Restricted Repository Identity mentioned this in rVYOSONEX7a1f2e22c246: Merge pull request #4707 from sarthurdev/T7696.Sep 11 2025, 2:12 PM
sarthurdev closed this task as Resolved.Sep 17 2025, 7:29 PM
sarthurdev moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.4) board.
sarthurdev moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.
sarthurdev moved this task from Need Triage to Completed on the VyOS Rolling board.
dmbaturin renamed this task from "show nat source/destination rules" Proto column inaccurate to "show nat source/destination rules" proto column is inaccurate.Thu, Nov 13, 12:36 AM
dmbaturin edited projects, added VyOS 1.5 Circinus (2025.11); removed VyOS 1.5 Circinus (1.5-stream-2025-Q3), VyOS Rolling, VyOS 1.4 Sagitta (1.4.4).
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.