T6679 added support for destination groups in NAT66, but forgot to add the NAT66 subsystem as a dependency of firewall groups. As a result, committing a change to a firewall group that is used as a destination group in NAT66 does not cause the corresponding nft ruleset to be rebuilt, so the nft set keeps the old membership.
Configuration:
set firewall group ipv6-address-group nat66-test address 2001:db8::1
set nat66 destination rule 10 destination group address-group nat66-test
set nat66 destination rule 10 translation address 2001:db8:1::/64
commit
set firewall group ipv6-address-group nat66-test address 2001:db8::2
commit
NFT result (sudo nft list table ip6 vyos_nat) - note 2001:db8::2 is missing from A6_nat66-test:
table ip6 vyos_nat {
    set A6_nat66-test {
        type ipv6_addr
        flags interval
        auto-merge
        elements = { 2001:db8::1 }
    }
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        counter packets 3 bytes 272 jump VYOS_DNPT_HOOK
        ip6 daddr @A6_nat66-test counter packets 0 bytes 0 dnat prefix to 2001:db8:1::/64 comment "DST-NAT66-10"
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        counter packets 3 bytes 272 jump VYOS_SNPT_HOOK
    }
    chain VYOS_DNPT_HOOK {
        return
    }
    chain VYOS_SNPT_HOOK {
        return
    }
}
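A post-commit check that detects this kind of stale set, added here as an example and not part of VyOS or this report: it parses `nft list table` output (a constructed copy of the listing above, plus a constructed "rebuilt" variant) and compares each set against the addresses configured in the firewall group. The `A6_` set-name prefix and the sample strings are assumptions; interval sets are handled, since auto-merge can fold adjacent addresses into a `lo-hi` range.

```python
import ipaddress
import re

# Constructed sample: the set from the `nft list table ip6 vyos_nat` output above,
# still holding only 2001:db8::1 after the group was extended.
NFT_STALE = """table ip6 vyos_nat {
    set A6_nat66-test {
        type ipv6_addr
        flags interval
        auto-merge
        elements = { 2001:db8::1 }
    }
}
"""
# Constructed: what a correctly rebuilt set would look like (auto-merge folds the
# two adjacent addresses into one range).
NFT_REBUILT = NFT_STALE.replace("{ 2001:db8::1 }", "{ 2001:db8::1-2001:db8::2 }")

# Constructed: addresses under `firewall group ipv6-address-group nat66-test`.
CONFIGURED_GROUPS = {"nat66-test": ["2001:db8::1", "2001:db8::2"]}

SET_RE = re.compile(r"set (\S+) \{(.*?)\n\s*\}", re.S)
ELEM_RE = re.compile(r"elements = \{([^}]*)\}")

def parse_nft_sets(nft_text):
    """Map set name -> list of element strings from `nft list table` output."""
    sets = {}
    for name, body in SET_RE.findall(nft_text):
        m = ELEM_RE.search(body)
        sets[name] = [e.strip() for e in m.group(1).split(",") if e.strip()] if m else []
    return sets

def element_covers(element, addr):
    """True if an nft element (address, prefix, or lo-hi range) contains addr."""
    ip = ipaddress.ip_address(addr)
    if "-" in element:
        lo, hi = (ipaddress.ip_address(x) for x in element.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(element, strict=False)

def find_stale_groups(configured, nft_text, prefix="A6_"):
    """Return {group: [missing addresses]} for groups whose nft set lags config."""
    sets = parse_nft_sets(nft_text)
    stale = {}
    for group, addrs in configured.items():
        elems = sets.get(prefix + group, [])
        missing = [a for a in addrs if not any(element_covers(e, a) for e in elems)]
        if missing:
            stale[group] = missing
    return stale
```

`find_stale_groups(CONFIGURED_GROUPS, NFT_STALE)` reports `{'nat66-test': ['2001:db8::2']}`, while the rebuilt listing reports nothing missing.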