[Bug 255928] ipfw: nat64 not working on 13.0-RELEASE
Date: Wed, 19 May 2021 16:57:59 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255928
--- Comment #4 from PaulC <paul.chakravarti@gmail.com> ---
Thanks for having a look at this. Additional information below.
# sysctl net.inet.ip | egrep "forward|redir"
net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1
# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.1.1 UGS vtnet0
127.0.0.1 link#2 UH lo0
192.168.1.0/24 link#1 U vtnet0
192.168.1.55 link#1 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
default fe80::1%vtnet0 UGS vtnet0
::1 link#2 UHS lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
64:ff9b::/96 ::1 UGS lo0
2001:470:1d41:1::/64 link#1 U vtnet0
2001:470:1d41:1::55 link#1 UHS lo0
2001:470:1d41:55::/64 link#3 U bridge0
2001:470:1d41:55::1 link#3 UHS lo0
fe80::/10 ::1 UGRS lo0
fe80::%vtnet0/64 link#1 U vtnet0
fe80::5a9c:fcff:fe08:4fd0%vtnet0 link#1 UHS lo0
fe80::%lo0/64 link#2 U lo0
fe80::1%lo0 link#2 UHS lo0
fe80::%bridge0/64 link#3 U bridge0
fe80::1%bridge0 link#3 UHS lo0
fe80::5a9c:fcff:fe10:ff96%bridge0 link#3 UHS lo0
ff02::/16 ::1 UGRS lo0
# tcpdump -nqi ipfw0 icmp or 'icmp6[icmp6type]=icmp6-echo'
16:39:35.351581 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:39:35.351603 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:39:35.351629 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
16:39:35.351632 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
16:39:35.351692 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:39:35.351696 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:39:35.369844 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1025, seq 0, length 16
# tcpdump -nqei ipfwlog0
16:39:35.351611 rule 3232235831..67174657/0(match) [uid 0]: nat in on NAT64LSN: 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:39:35.351619 rule 3232235831..67174657/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
The same configuration definitely worked on 12.2-RELEASE (systems are configured from the same build script). The difference seems to be the way the translated ICMP request is handled. In 13.0 it seems to go back through the ipfw rules (generating the ICMP redirect and the IPFW state that prevents the packet getting back to the NAT64 rule) whereas on 12.2 this doesn't seem to happen.
From an equivalent 12.2-RELEASE system:
# uname -a
FreeBSD v6jail.pchak.net 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC amd64
# ping6 -c1 64:ff9b::1.1.1.1
PING6(56=40+8+8 bytes) 2001:470:1d41:1::50 --> 64:ff9b::101:101
16 bytes from 64:ff9b::101:101, icmp_seq=0 hlim=57 time=30.070 ms
--- 64:ff9b::1.1.1.1 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 30.070/30.070/30.070/0.000 ms
# tcpdump -nqi ipfw0 icmp or 'icmp6[icmp6type]=icmp6-echo'
16:45:03.534468 IP6 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:45:03.534483 IP6 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:45:03.564421 IP 1.1.1.1 > 192.168.1.50: ICMP echo reply, id 1024, seq 0, length 16
# tcpdump -nqei ipfwlog0
16:45:03.537560 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64LSN: 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:45:03.537563 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.50 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:45:03.564423 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64LSN: 1.1.1.1 > 192.168.1.50: ICMP echo reply, id 1024, seq 0, length 16
16:45:03.564425 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 64:ff9b::101:101 > 2001:470:1d41:1::50: ICMP6, echo reply, seq 0, length 16
# ipfw show
00100 0 0 check-state :default
00200 0 0 allow log ipv6-icmp from any to any icmp6types 135,136
00300 0 0 allow log icmp from any to 192.168.1.50 icmptypes 8 keep-state :default
00400 0 0 allow log ip4 from any to 192.168.1.50 22
00500 0 0 allow log ip4 from any to 192.168.1.50 53
00600 0 0 nat64lsn NAT64 log ip6 from ::1 to 64:ff9b::/96 in
00700 0 0 nat64lsn NAT64 log ip6 from 2001:470:1d41:1::50 to 64:ff9b::/96 in
00800 0 0 nat64lsn NAT64 log ip6 from 2001:470:1d41:50::/64 to 64:ff9b::/96 in
00900 0 0 nat64lsn NAT64 log ip4 from any to 192.168.1.50 in
01000 0 0 allow log ip4 from 192.168.1.50 to any keep-state :default
01100 19 1936 allow log ip from any to any
65535 0 0 allow ip from any to any
# ifconfig -a
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
ether 58:9c:fc:01:71:9d
inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::5a9c:fcff:fe01:719d%vtnet0 prefixlen 64 scopeid 0x1
inet6 2001:470:1d41:1::50 prefixlen 64
media: Ethernet 10Gbase-T <full-duplex>
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:dd:a6:3d:7b:00
inet6 fe80::dd:a6ff:fe3d:7b00%bridge0 prefixlen 64 scopeid 0x3
inet6 2001:470:1d41:50::1 prefixlen 64
inet6 fe80::1%bridge0 prefixlen 64 scopeid 0x3
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
groups: bridge
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
groups: ipfw
ipfwlog0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
groups: ipfwlog
# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.1.1 UGS vtnet0
127.0.0.1 link#2 UH lo0
192.168.1.0/24 link#1 U vtnet0
192.168.1.50 link#1 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
default fe80::1%vtnet0 UGS vtnet0
::1 link#2 UH lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
64:ff9b::/96 fe80::1%lo0 UGS lo0
2001:470:1d41:1::/64 link#1 U vtnet0
2001:470:1d41:1::50 link#1 UHS lo0
2001:470:1d41:50::/64 link#3 U bridge0
2001:470:1d41:50::1 link#3 UHS lo0
fe80::/10 ::1 UGRS lo0
fe80::%vtnet0/64 link#1 U vtnet0
fe80::5a9c:fcff:fe01:719d%vtnet0 link#1 UHS lo0
fe80::%lo0/64 link#2 U lo0
fe80::1%lo0 link#2 UHS lo0
fe80::%bridge0/64 link#3 U bridge0
fe80::1%bridge0 link#3 UHS lo0
fe80::dd:a6ff:fe3d:7b00%bridge0 link#3 UHS lo0
ff02::/16 ::1 UGRS lo0
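A small checker, added here as an example and not part of the bug report or of ipfw itself, that reads ipfwlog0 output like the captures above and reports which of the four NAT64LSN translation events (v6 request in, v4 request out, v4 reply in, v6 reply out) never appeared for each echo flow; the two sample logs are constructed from the report's lines, and all function and constant names are my own.

```python
import ipaddress
import re

# Constructed sample input, modelled on the ipfwlog0 captures above (wrapped lines re-joined).
# On 13.0 only the outbound half of the exchange is translated.
LOG_13_0 = """\
16:39:35.351611 rule 3232235831..67174657/0(match) [uid 0]: nat in on NAT64LSN: 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:39:35.351619 rule 3232235831..67174657/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
"""
# On 12.2 all four translation events appear, so the reply reaches the IPv6 client.
LOG_12_2 = """\
16:45:03.537560 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64LSN: 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:45:03.537563 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.50 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:45:03.564423 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64LSN: 1.1.1.1 > 192.168.1.50: ICMP echo reply, id 1024, seq 0, length 16
16:45:03.564425 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 64:ff9b::101:101 > 2001:470:1d41:1::50: ICMP6, echo reply, seq 0, length 16
"""

# One nat64lsn log line: direction, addresses, ICMP family, echo kind and sequence number.
NAT64LOG = re.compile(r"nat (?P<dir>in|out) on NAT64LSN: (?P<src>\S+) > (?P<dst>\S+): "
                      r"(?P<proto>ICMP6?),? echo (?P<kind>request|reply),.* seq (?P<seq>\d+)")
WKP = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known NAT64 prefix
EXPECTED = ("in6_request", "out4_request", "in4_reply", "out6_reply")  # a healthy round trip

def embedded_ipv4(addr):
    """IPv4 address carried in the low 32 bits of a 64:ff9b::/96 address; other addresses unchanged."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip in WKP:
        return ipaddress.IPv4Address(ip.packed[-4:])
    return ip

def nat64_stages(log_text):
    """Group translation events by (remote IPv4 target, seq) so the v6 and v4 halves share one flow."""
    flows = {}
    for line in log_text.splitlines():
        m = NAT64LOG.search(line)
        if not m:
            continue
        family = "6" if m["proto"] == "ICMP6" else "4"
        remote = m["dst"] if m["kind"] == "request" else m["src"]
        key = (str(embedded_ipv4(remote)), int(m["seq"]))
        flows.setdefault(key, []).append(f"{m['dir']}{family}_{m['kind']}")
    return flows

def missing_stages(log_text):
    """Flows whose round trip is incomplete, mapped to the stages that never appeared."""
    gaps = {k: [s for s in EXPECTED if s not in seen] for k, seen in nat64_stages(log_text).items()}
    return {k: v for k, v in gaps.items() if v}
```

Running `missing_stages` over a live `tcpdump -nqei ipfwlog0 -l` capture gives the same per-flow view: an empty result means both directions were translated, while a flow listing `in4_reply` and `out6_reply` shows the reply never re-entered the nat64lsn instance, which is the 13.0 symptom above.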