From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 263974] ipfw_nat64lsn reply destination mac address error
Date: Sat, 14 May 2022 15:38:17 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263974

            Bug ID: 263974
           Summary: ipfw_nat64lsn reply destination mac address error
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: jpb@jimby.name

Created attachment 233913
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=233913&action=edit
nat64lsn and dns64 test bed - 4 VMs on FreeBSD host

See the attached figure (nat64_issue.png) for address layout.

The FreeBSD host (my laptop), v6only VM, firewall VM, and the DNShost VM are
all 13.0-RELEASE-p11. The external1 host (IPV4 only host) is 13.0-RELEASE-p8.

This nat64lsn (stateful NAT64) example follows the BSD Router Project address
layout and ruleset. However, these are stock FreeBSD 13.0 VMs
(qemu-system-x86_64 version 6.2.0), not BSDRP images.

TCP session request from IPv6 only host to IPv4 only host *almost* works. The
initial SYN packet is NAT64ed correctly and reaches the destination IPv4 host
who sends a SYN/ACK back. The ipfw instance on the router moves the SYN/ACK
packet back through the ruleset and writes it out the proper interface (em1).
But - the packet sent back to the IPV6 host on that interface has a malformed
destination MAC address. ipfw_nat64 duplicated the em1 interface MAC address
(the source) in the destination field:

Wireshark trace shows SYN/ACK reply packet has duplicated source and
destination MAC addresses:

Ethernet II, Src: 02:49:50:46:57:42 (02:49:50:46:57:42), Dst: 02:49:50:46:57:42 (02:49:50:46:57:42)
    Destination: 02:49:50:46:57:42 (02:49:50:46:57:42)
        Address: 02:49:50:46:57:42 (02:49:50:46:57:42)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 02:49:50:46:57:42 (02:49:50:46:57:42)
        Address: 02:49:50:46:57:42 (02:49:50:46:57:42)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)

IPV6 host config:

root@v6only:~ # ifconfig em0
em0: flags=8863 metric 0 mtu 1500
        options=481209b
        ether 02:49:de:ad:be:ef
        inet6 2001:db8:12::1 prefixlen 64
        inet6 fe80::49:deff:fead:beef%em0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=21

ipfw router config:

root@firewall:~ # ifconfig -a
em0: flags=8963 metric 0 mtu 1500
        options=481209b
        ether 02:49:50:46:57:41
        inet 2.2.2.2 netmask 0xffffff00 broadcast 2.2.2.255
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=29
em1: flags=8863 metric 0 mtu 1500
        options=481209b
        ether 02:49:50:46:57:42
        inet6 2001:db8:12::2 prefixlen 64
        inet6 fe80::49:50ff:fe46:5742%em1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=21
lo0: flags=8049 metric 0 mtu 16384
        options=680003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21
root@firewall:~ #
root@firewall:~ # ndp -a
Neighbor                             Linklayer Address  Netif Expire    S Flags
v6only.example.com                   02:49:de:ad:be:ef    em1 23h8m28s  S
2001:db8:12::2                       02:49:50:46:57:42    em1 permanent R
fe80::49:50ff:fe46:5742%em1          02:49:50:46:57:42    em1 permanent R
dnshost.example.com                  02:49:53:53:54:54    em1 22h49m2s  S
root@firewall:~ #

ipfw setup:

root@firewall:~ # ipfw nat64lsn NAT64 show config
nat64lsn NAT64 prefix4 2.2.1.0/24 prefix6 64:ff9b::/96 log
root@firewall:~ #
root@firewall:~ # ipfw show
00100   12   816 allow log ipv6-icmp from any to any icmp6types 135,136
00200    7   512 nat64lsn NAT64 log ip from 2001:db8:12::/64 to 64:ff9b::/96 in
00300   16   912 nat64lsn NAT64 log ip from any to 2.2.1.0/24 in
00400   58  5920 allow log ip from any to any
00500    0     0 allow log ip6 from any to any
65535    0     0 deny ip from any to any

startup script:

root@firewall:~ # cat bsdrp.sh
#!/bin/sh
set -x
kldunload ipfw_nat64
kldunload ipfw
sleep 1
kldload ipfw
kldload ipfw_nat64
# Logging: 0 interfaces, 1 syslog
sysctl net.inet.ip.fw.verbose=1
# Debug nat64
sysctl net.inet.ip.fw.nat64_debug=1
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} nat64lsn NAT64 create log prefix4 2.2.1.0/24
${fwcmd} add allow log icmp6 from any to any icmp6types 135,136
${fwcmd} add nat64lsn NAT64 log ip from 2001:db8:12::/64 to 64:ff9b::/96 in
${fwcmd} add nat64lsn NAT64 log ip from any to 2.2.1.0/24 in
${fwcmd} add allow log ip from any to any
${fwcmd} add allow log ip6 from any to any
# Direct output: 1 enable, 0 disable (packet goes back into ruleset)
sysctl net.inet.ip.fw.nat64_direct_output=1

Note that I've been running two dozen or more different ipfw tests using this
same testbed and I have not encountered a similar issue with MAC addresses.

I will double check all this when 13.1 lands.

-- 
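A small check for the symptom reported above, added here as an example and not part of the bug report or of FreeBSD: it parses a neighbor table in the format of `ndp -an` (constructed from the report's addresses, with names left unresolved) and classifies an outgoing frame by comparing its destination MAC against the neighbor entry for the frame's IPv6 destination. The frame records, the neighbor table and the set of the router's own MACs are constructed inline from the values in the report.

```python
import re

# Constructed sample in `ndp -an` layout, built from the report's ndp -a
# output; 2001:db8:12::1 is the v6only host's address from its ifconfig.
NDP_AN = """\
Neighbor                       Linklayer Address  Netif Expire    S Flags
2001:db8:12::1                 02:49:de:ad:be:ef    em1 23h8m28s  S
2001:db8:12::2                 02:49:50:46:57:42    em1 permanent R
fe80::49:50ff:fe46:5742%em1    02:49:50:46:57:42    em1 permanent R
"""

# The firewall VM's own interface addresses (em0 and em1 from the report).
ROUTER_MACS = {"02:49:50:46:57:41", "02:49:50:46:57:42"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")

def parse_ndp(text):
    """Map IPv6 neighbor (scope id stripped) -> (link-layer address, netif)."""
    table = {}
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 3 or not MAC_RE.match(fields[1]):
            continue                              # e.g. "(incomplete)" rows
        table[fields[0].split("%")[0]] = (fields[1], fields[2])
    return table

def check_frame(frame, ndp, own_macs):
    """Classify an outgoing frame given its src/dst MAC and IPv6 destination."""
    src, dst, ip6 = frame["src_mac"], frame["dst_mac"], frame["dst_ip6"]
    if dst == src:
        return "BAD: destination MAC duplicates the source MAC"
    if dst in own_macs:
        return "BAD: destination MAC is one of the router's own addresses"
    entry = ndp.get(ip6)
    if entry is None:
        return "UNKNOWN: no neighbor entry for " + ip6
    if entry[0] != dst:
        return "BAD: ndp expects %s but frame carries %s" % (entry[0], dst)
    return "OK"

# Constructed frames: the SYN/ACK as captured in the report, and what a
# correctly addressed reply to the v6only host would look like.
BROKEN_REPLY = {"src_mac": "02:49:50:46:57:42", "dst_mac": "02:49:50:46:57:42",
                "dst_ip6": "2001:db8:12::1"}
GOOD_REPLY = {"src_mac": "02:49:50:46:57:42", "dst_mac": "02:49:de:ad:be:ef",
              "dst_ip6": "2001:db8:12::1"}

if __name__ == "__main__":
    ndp = parse_ndp(NDP_AN)
    for f in (BROKEN_REPLY, GOOD_REPLY):
        print(f["dst_mac"], "->", check_frame(f, ndp, ROUTER_MACS))
```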