On systems that do not support SecureBoot, mokutil will exit with code 255. This causes show version to break as the cmd() that launches it raises an error. The mokutil execution through cmd() should catch that return code as normal:

In T5144#147124, @indrajitr wrote:

PR for the fix: https://github.com/vyos/vyos-1x/pull/1962

Tested on latest "current" source tree build. Works fine and solves the "old syntax" cache file issue. Thank you for the quick and responsive fix.

@jack9603301 I've tested your updated PR and it seems to work well now. Thank you for the quick response.
@sdev I've tested your PR and it seems to also fix both issues. I did not test anything beyond DNAT port only in both ip and ip6 families.

@jack9603301, your PR solves the NAT66 issue - thank you. However, the change you made to nat.py to try to solve the NAT44 issue is not complete and seem to also require a template change. I'll post additional details in the PR.

Why would you enforce an address? It is perfectly OK to have port-only DNAT66 without any destination address such as:
nft add rule ip6 nat PREROUTING iifname eth1 counter tcp dport 443 dnat to :3000
Problem is that the test logic breaks on this and spits out a wrong statement to NFT that barfs on it.